<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!DOCTYPE document [
<!ENTITY project SYSTEM "project.xml">
]>
<?xml-stylesheet type="text/xsl" href="tomcat-docs.xsl"?>
<document url="changelog.html">
&project;
<properties>
<title>Changelog</title>
<no-comments />
</properties>
<body>
<!--
Subsection ordering:
General, Catalina, Coyote, Jasper, Cluster, WebSocket, Web applications,
Extras, Tribes, jdbc-pool, Other
Item Ordering:
Fixes having an issue number are sorted by their number, ascending.
There is no ordering by add/update/fix/scode.
Other fixed issues are added to the end of the list, chronologically.
They eventually become mixed with the numbered issues. (I.e., numbered
issues do not "pop up" wrt. others).
-->
<section name="Tomcat 8.5.32 (markt)" rtext="in development">
<subsection name="Catalina">
<changelog>
<fix>
Treat the <code>&lt;mapped-name&gt;</code> element of a
<code>&lt;env-entry&gt;</code> in web.xml in the same way as the
<code>mappedName</code> element of the equivalent <code>@Resource</code>
annotation. Both now attempt to set the <code>mappedName</code> property
of the resource. (markt)
</fix>
<fix>
Correct the processing of resources with
<code>&lt;injection-target&gt;</code>s defined in web.xml. First look
for a match using JavaBean property names and then, only if a match is
not found, look for a match using fields. (markt)
</fix>
<fix>
When restoring a saved request with a request body after FORM
authentication, ensure that calls to the <code>HttpServletRequest</code>
methods <code>getRequestURI()</code>, <code>getQueryString()</code> and
<code>getProtocol()</code> are not corrupted by the processing of the
saved request body. (markt)
</fix>
<fix>
JNDI resources that are defined with injection targets but no value are
now treated as if the resource is not defined. (markt)
</fix>
<fix>
Ensure that JNDI names used for <code>&lt;lookup-name&gt;</code> entries
in web.xml and for <code>lookup</code> elements of
<code>@Resource</code> annotations specify a name with an explicit
<code>java:</code> namespace. (markt)
</fix>
<scode>
Refactor the <code>org.apache.naming</code> package to reduce duplicate
code. Duplicate code identified by the Simian tool. (markt)
</scode>
<fix>
<bug>50019</bug>: Add support for <code>&lt;lookup-name&gt;</code>.
Based on a patch by Gurkan Erdogdu. (markt)
</fix>
<fix>
<bug>62343</bug>: Make CORS filter defaults more secure. This is the fix
for CVE-2018-8014. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Consistent exception propagation for NIO2 SSL close. (remm)
</fix>
<fix>
Log an error message if the AJP connector detects that the reverse proxy
is sending AJP messages that are too large for the configured
<code>packetSize</code>. (markt)
</fix>
<fix>
Relax Host validation by removing the requirement that the final
component of a FQDN must be alphabetic. (markt)
</fix>
<fix>
<bug>62371</bug>: Improve logging of Host validation failures. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<add>
<bug>50234</bug>: Add the capability to generate a web-fragment.xml file
to JspC. (markt)
</add>
<fix>
<bug>62350</bug>: Refactor
<code>org.apache.jasper.runtime.BodyContentImpl</code> so a
<code>SecurityException</code> is not thrown when running under a
SecurityManager and additional permissions are not required in the
<code>catalina.policy</code> file. This is a follow-up to the fix for
<bug>43925</bug>. (kkolinko/markt)
</fix>
</changelog>
</subsection>
<subsection name="Cluster">
<changelog>
<fix>
Remove duplicate calls when creating a replicated session to reduce the
time taken to create the session and thereby reduce the chances of a
subsequent session update message being ignored because the session does
not yet exist. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Tribes">
<changelog>
<fix>
Ensure that the correct default value is returned when retrieving unset
properties in <code>McastService</code>. (kfujino)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 8.5.31 (markt)" rtext="2018-05-03">
<subsection name="Catalina">
<changelog>
<fix>
<bug>62263</bug>: Avoid a <code>NullPointerException</code> when the
<code>RemoteIpValve</code> processes a request for which no Context can
be found. (markt)
</fix>
<fix>
Fix a rare edge case that is unlikely to occur in real usage. This edge
case meant that writing long streams of UTF-8 characters to the HTTP
response that consisted almost entirely of surrogate pairs could result
in one surrogate pair being dropped. (markt)
</fix>
<fix>
Register MBean when DataSource Resource <code>
type="javax.sql.XADataSource"</code>. Patch provided by Masafumi Miura.
(csutherl)
</fix>
<add>
Update the internal fork of Apache Commons BCEL to r1829827 to add early
access Java 11 support to the annotation scanning code. (markt)
</add>
<fix>
<bug>62297</bug>: Enable the <code>CrawlerSessionManagerValve</code> to
correctly handle bots that crawl multiple hosts and/or web applications
when the Valve is configured on a Host or an Engine. (fschumacher)
</fix>
<fix>
<bug>62309</bug>: Fix a <code>SecurityException</code> when using JASPIC
under a <code>SecurityManager</code> when authentication is not
mandatory. (markt)
</fix>
<fix>
<bug>62329</bug>: Correctly list resources in JAR files when directories
do not have dedicated entries. Patch provided by Meelis Müür. (markt)
</fix>
<add>
Collapse multiple leading <code>/</code> characters to a single
<code>/</code> in the return value of
<code>HttpServletRequest#getContextPath()</code> to avoid issues if the
value is used with <code>HttpServletResponse#sendRedirect()</code>. This
behaviour is enabled by default and configurable via the new Context
attribute <code>allowMultipleLeadingForwardSlashInPath</code>. (markt)
</add>
<fix>
Improve handling of overflow in the UTF-8 decoder with supplementary
characters. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Correct off-by-one error in thread pool that allowed thread pools to
increase in size to one more than the configured limit. Patch provided
by usc. (markt)
</fix>
<fix>
Prevent unexpected TLS handshake failures caused by errors during a
previous handshake that were not correctly cleaned-up when using the NIO
or NIO2 connector with the <code>OpenSSLImplementation</code>. (markt)
</fix>
<add>
Enable strict validation of the provided host name and port for all
connectors. Requests with invalid host names and/or ports will be
rejected with a 400 response. (markt)
</add>
<add>
<bug>62273</bug>: Implement configuration options to work-around
specification non-compliant user agents (including all the major
browsers) that do not correctly %nn encode URI paths and query strings
as required by RFC 7230 and RFC 3986. (markt)
</add>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
Enable ECJ version 4.7 and later to be used as a drop in replacement for
the ECJ version that ships with Apache Tomcat. (markt)
</fix>
<fix>
Enable Java 10 to be specified as a JSP source and/or target if a newer
ECJ version is used. (markt)
</fix>
<fix>
<bug>62287</bug>: Do not rely on hash codes to test instances of
<code>ValueExpressionImpl</code> for equality. Patch provided by Mark
Struberg. (markt)
</fix>
</changelog>
</subsection>
<subsection name="WebSocket">
<changelog>
<fix>
<bug>62301</bug>: Correct a regression in the fix for <bug>61491</bug>
that didn't correctly handle a final empty message part in all
circumstances when using <code>PerMessageDeflate</code>. (markt)
</fix>
<fix>
<bug>62332</bug>: Ensure WebSocket connections are closed after an I/O
error is experienced reading from the client. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<fix>
Avoid warning when running under Cygwin when the
<code>JAVA_ENDORSED_DIRS</code> environment variable is not set. Patch
provided by Zemian Deng. (markt)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 8.5.30 (markt)" rtext="2018-04-07">
<subsection name="Catalina">
<changelog>
<fix>
<bug>51195</bug>: Avoid a false positive report of a web application
memory leak by clearing <code>ObjectStreamClass$Caches</code> of classes
loaded by the web application when the web application is stopped.
(markt)
</fix>
<fix>
<bug>52688</bug>: Add support for the <code>maxDays</code> attribute to
the <code>AccessLogValve</code> and <code>ExtendedAccessLogValve</code>.
This allows the maximum number of days for which rotated access logs
should be retained before deletion to be defined. (markt)
</fix>
<fix>
Ensure the MBean names for the <code>SSLHostConfig</code> and
<code>SSLHostConfigCertificate</code> are correctly formed when the
<code>Connector</code> is bound to a specific IP address. (markt)
</fix>
<fix>
<bug>62168</bug>: When using the <code>PersistentManager</code> honor a
value of <code>-1</code> for <code>minIdleSwap</code> and do not swap
out sessions to keep the number of active sessions under
<code>maxActive</code>. Patch provided by Holger Sunke. (markt)
</fix>
<fix>
<bug>62172</bug>: Improve Javadoc for
<code>org.apache.catalina.startup.Constants</code> and ensure that the
constants are correctly used. (markt)
</fix>
<fix>
<bug>62175</bug>: Avoid infinite recursion, when trying to validate
a session while loading it with <code>PersistentManager</code>.
(fschumacher)
</fix>
<fix>
Ensure that <code>NamingContextListener</code> instances are only
notified once of property changes on the associated naming resources.
(markt)
</fix>
<add>
Add LoadBalancerDrainingValve, a Valve designed to reduce the amount of
time required for a node to drain its authenticated users. (schultz)
</add>
<add>
<bug>62224</bug>: Disable the <code>forkJoinCommonPoolProtection</code>
of the <code>JreMemoryLeakPreventionListener</code> when running on Java
9 and above since the underlying JRE bug has been fixed. (markt)
</add>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Avoid potential loop in APR/Native poller. (markt)
</fix>
<fix>
Ensure streams that are received but not processed are excluded from the
tracking of maximum ID of processed streams. (markt)
</fix>
<fix>
Refactor the check for a paused connector to consistently prevent new
streams from being created after the connector has been paused. (markt)
</fix>
<fix>
Improve debug logging for HTTP/2 pushed streams. (markt)
</fix>
<fix>
The OpenSSL engine SSL session will now ignore invalid accesses. (remm)
</fix>
<fix>
<bug>62177</bug>: Correct two protocol errors with HTTP/2
<code>PUSH_PROMISE</code> frames. Firstly, the HTTP/2 protocol only
permits pushes to be sent on peer initiated requests. Secondly, pushes
must be sent in order of increasing stream ID. These restrictions were
not being enforced leading to protocol errors at the client. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Web applications">
<changelog>
<add>
Add document for <code>FragmentationInterceptor</code>. (kfujino)
</add>
<add>
Document how the roles for an authenticated user are determined when the
<code>CombinedRealm</code> is used. (markt)
</add>
</changelog>
</subsection>
<subsection name="Tribes">
<changelog>
<fix>
Add JMX support for <code>FragmentationInterceptor</code> in order to
prevent a warning at startup. (kfujino)
</fix>
</changelog>
</subsection>
<subsection name="jdbc-pool">
<changelog>
<fix>
Ensure that <code>SQLWarning</code> has been cleared when connection
returns to the pool. (kfujino)
</fix>
<add>
Enable clearing of <code>SQLWarning</code> via JMX. (kfujino)
</add>
<fix>
Ensure that parameters have been cleared when
<code>PreparedStatement</code> and/or <code>CallableStatement</code> are
cached. (kfujino)
</fix>
<fix>
Enable PoolCleaner to be started even if <code>validationQuery</code>
is not set. (kfujino)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<fix>
<bug>62164</bug>: Switch the build script to use TLS for downloads from
SourceForge and Maven Central to avoid failures due to HTTP to HTTPS
redirects. (markt)
</fix>
<add>
Always report the OS's umask when launching the JVM. (schultz)
</add>
</changelog>
</subsection>
</section>
<section name="Tomcat 8.5.29 (markt)" rtext="2018-03-08">
<subsection name="Catalina">
<changelog>
<fix>
Minor optimization when calling class transformers. (rjung)
</fix>
<fix>
Prevent Tomcat from applying gzip compression to content that is already
compressed with brotli compression. Based on a patch provided by burka.
(markt)
</fix>
<fix>
<bug>62090</bug>: Null container names are not allowed. (remm)
</fix>
<fix>
<bug>62104</bug>: Fix programmatic login regression as the
NonLoginAuthenticator has to be set for it to work (if no login method
is specified). (remm)
</fix>
<fix>
<bug>62117</bug>: Improve error message in <code>catalina.sh</code> when
calling <code>kill -0 &lt;pid&gt;</code> fails. Based on a suggestion
from Mark Morschhaeuser. (markt)
</fix>
<fix>
<bug>62118</bug>: Correctly create a JNDI <code>ServiceRef</code> using
the specified interface rather than the concrete type. Based on a
suggestion by Ángel Álvarez Páscua. (markt)
</fix>
<fix>
Fix for <code>RequestDumperFilter</code> log attribute. Patch provided
by Kirill Romanov via Github. (violetagg)
</fix>
<fix>
<bug>62123</bug>: Avoid <code>ConcurrentModificationException</code>
when attempting to clean up application triggered RMI memory leaks on
web application stop. (markt)
</fix>
<fix>
Correct a regression in the fix for <bug>60276</bug> that meant that
compression was applied to all MIME types. Patch provided by Stefan
Knoblich. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Add minor HPACK fixes, based on fixes by Stuart Douglas. (remm)
</fix>
<fix>
<bug>61751</bug>: Follow up fix so that OpenSSL engine returns
underflow when unwrapping if no bytes were produced and the input is
empty. (remm)
</fix>
<fix>
Minor OpenSSL engine cleanups. (remm)
</fix>
<fix>
NIO SSL handshake should throw an exception on overflow status, like
NIO2 SSL. (remm)
</fix>
</changelog>
</subsection>
<subsection name="Web applications">
<changelog>
<add>
<bug>48672</bug>: Add documentation for the Host Manager web
application. Patch provided by Marek Czernek. (markt)
</add>
<add>
Work-around a known, non-specification compliant behaviour in some
versions of IE that can allow XSS when the Manager application generates
a plain text response. Based on a suggestion from Muthukumar Marikani.
(markt)
</add>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<update>
Update the build script so MD5 hashes are no longer generated for
releases as per the change in the ASF distribution policy. (markt)
</update>
</changelog>
</subsection>
</section>
<section name="Tomcat 8.5.28 (markt)" rtext="2018-02-11">
<subsection name="Catalina">
<changelog>
<fix>
Prevent a stack trace being written to standard out when running on Java
10 due to changes in the <code>LogManager</code> implementation. (markt)
</fix>
<fix>
<bug>62000</bug>: When a JNDI reference cannot be resolved, ensure that
the root cause exception is reported rather than swallowed. (markt)
</fix>
<fix>
<bug>62036</bug>: When caching an authenticated user Principal in the
session when the web application is configured with the
<code>NonLoginAuthenticator</code>, cache the internal Principal object
rather than the user facing Principal object as Tomcat requires the
internal object to correctly process later authorization checks. (markt)
</fix>
<fix>
Avoid duplicate load attempts if one has been made already. (remm)
</fix>
<fix>
Avoid NPE in ThreadLocalLeakPreventionListener if there is no Engine.
(remm)
</fix>
<fix>
<bug>62067</bug>: Correctly apply security constraints mapped to the
context root using a URL pattern of <code>""</code>. (markt)
</fix>
<fix>
When using Tomcat embedded, only perform Authenticator configuration
once during web application start. (markt)
</fix>
<fix>
Process all <code>ServletSecurity</code> annotations at web application
start rather than at servlet load time to ensure constraints are applied
consistently. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
<bug>61751</bug>: Fix truncated request input streams when using NIO2
with TLS. (markt)
</fix>
<fix>
<bug>62023</bug>: Log error reporting multiple SSLHostConfig elements
when using the APR Connector instead of crashing Tomcat. (csutherl)
</fix>
<fix>
<bug>62032</bug>: Fix NullPointerException when certificateFile is not
defined on an SSLHostConfig and unify the behavior when a
certificateFile is defined but the file does not exist for both
JKS and PEM file types. (csutherl)
</fix>
</changelog>
</subsection>
<subsection name="WebSocket">
<changelog>
<fix>
<bug>62024</bug>: When closing a connection with an abnormal close,
close the socket immediately rather than waiting for a close message
from the client that may never arrive. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Webapps">
<changelog>
<fix>
<bug>62049</bug>: Fix missing class from manager 404 JSP error page.
(remm)
</fix>
</changelog>
</subsection>
<subsection name="jdbc-pool">
<changelog>
<add>
Enhance the JMX support for jdbc-pool in order to expose
<code>PooledConnection</code> and <code>JdbcInterceptors</code>.
(kfujino)
</add>
<add>
Add MBean for <code>PooledConnection</code>. (kfujino)
</add>
<add>
<bug>62011</bug>: Add MBean for <code>StatementCache</code>. (kfujino)
</add>
<add>
Expose the cache size for each connection via JMX in
<code>StatementCache</code>. (kfujino)
</add>
<add>
Add MBean for <code>ResetAbandonedTimer</code>. (kfujino)
</add>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<update>
Update the NSIS Installer used to build the Windows installer to version
3.03. (kkolinko)
</update>
</changelog>
</subsection>
</section>
<section name="Tomcat 8.5.27 (markt)" rtext="2018-01-22">
<subsection name="Catalina">
<changelog>
<fix>
Correct a regression in the previous fix for <bug>61916</bug> that meant
that any call to <code>addHeader()</code> would have been replaced with
a call to <code>setHeader()</code> for all requests mapped to the
<code>AddDefaultCharsetFilter</code>. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
<bug>61993</bug>: Improve handling for <code>ByteChunk</code> and
<code>CharChunk</code> instances that grow close to the maximum size
allowed by the JRE. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<add>
<bug>43925</bug>: Add a new system property
(<code>org.apache.jasper.runtime.BodyContentImpl.BUFFER_SIZE</code>) to
control the size of the buffer used by Jasper when buffering tag bodies.
(markt)
</add>
</changelog>
</subsection>
<subsection name="Web applications">
<changelog>
<fix>
<bug>62006</bug>: Document the new <code>JvmOptions9</code> command line
parameter for <code>tomcat8.exe</code>. (markt)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 8.5.26 (markt)" rtext="not released">
<subsection name="Catalina">
<changelog>
<fix>
Correct Javadoc errors in release build.
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 8.5.25 (markt)" rtext="not released">
<subsection name="Catalina">
<changelog>
<fix>
<bug>47214</bug>: Use a loop to preload anonymous inner classes
when running under a <code>SecurityManager</code>, to be safe for
future changes in the code or using a different compiler. (kkolinko)
</fix>
<add>
<bug>57619</bug>: Implement a small optimisation to how JAR URLs are
processed to reduce the storage of duplicate String objects in memory.
Patch provided by Dmitri Blinov. (markt)
</add>
<fix>
Add some missing NPEs to ServletContext. (remm)
</fix>
<fix>
<bug>61916</bug>: Extend the <code>AddDefaultCharsetFilter</code> to add
a character set when the content type is set via
<code>setHeader()</code> or <code>addHeader()</code> as well as when it
is set via <code>setContentType()</code>. (markt)
</fix>
<fix>
<bug>61999</bug>: maxSavePostSize set to 0 should disable saving POST
data during authentication. (remm)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<add>
<bug>60276</bug>: Implement GZIP compression support for responses
served over HTTP/2. (markt)
</add>
<fix>
Do not call onDataAvailable without any data to read. (remm)
</fix>
<fix>
<bug>61886</bug>: Log errors on non-container threads at
<code>DEBUG</code> rather than <code>INFO</code>. The exception will be
made available to the application via the asynchronous error handling
mechanism. (markt)
</fix>
<fix>
<bug>61914</bug>: Possible NPE with Java 9 when creating a SSL engine.
Patch submitted by Evgenij Ryazanov. (remm)
</fix>
<fix>
<bug>61918</bug>: Fix connectionLimitLatch counting when closing an
already closed socket. Based on a patch by Ryan Fong. (remm)
</fix>
<add>
Add support for the OpenSSL ARIA ciphers to the OpenSSL to JSSE
cipher mapping. (markt)
</add>
<fix>
<bug>61932</bug>: Allow a call to <code>AsyncContext.dispatch()</code>
to terminate non-blocking I/O. (markt)
</fix>
<fix>
<bug>61948</bug>: Improve the handling of malformed ClientHello messages
in the code that extracts the SNI information from a TLS handshake for
the JSSE based NIO and NIO2 connectors. (markt)
</fix>
<fix>
Fix NIO2 handshaking with a full input buffer. (remm)
</fix>
<add>
Return a simple, plain text error message if a client attempts to make a
plain text HTTP connection to a TLS enabled NIO or NIO2 Connector.
(markt)
</add>
<fix>
Correctly handle EOF when <code>ServletInputStream.isReady()</code> is
called. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>61854</bug>: When using sets and/or maps in EL expressions, ensure
that Jasper correctly parses the expression. Patch provided by Ricardo
Martin Camarero. (markt)
</fix>
<fix>
Improve the handling of methods with varargs in EL expressions. In
particular, the calling of a varargs method with no parameters now works
correctly. Based on a patch by Nitkalya (Ing) Wiriyanuparb. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Web applications">
<changelog>
<fix>
Remove the Servlet 4.0 early preview example from the examples web
application as the early preview is now deprecated in favour of Tomcat
9 which provides a full Servlet 4.0 implementation. (markt)
</fix>
<add>
<bug>61223</bug>: Add the mbeans-descriptors.dtd file to the custom
MBean documentation so users have a reference to use when constructing
mbeans-descriptors.xml files for custom components. (markt)
</add>
<add>
<bug>61566</bug>: Expose the currently in use certificate chain and list
of trusted certificates for all virtual hosts configured using the JSSE
style (keystore) TLS configuration via the Manager web application.
(markt)
</add>
<fix>
Partial fix for <bug>61886</bug>. Ensure that multiple threads do not
attempt to complete the <code>AsyncContext</code> if an I/O error occurs
in the stock ticker example Servlet. (markt)
</fix>
<fix>
<bug>61886</bug>: Prevent <code>ConcurrentModificationException</code>
when running the asynchronous stock ticker in the examples web
application. (markt)
</fix>
<fix>
<bug>61886</bug>: Prevent <code>NullPointerException</code> and other
errors if the stock ticker example is running when the examples web
application is stopped. (markt)
</fix>
<fix>
<bug>61910</bug>: Clarify the meaning of the <code>allowLinking</code>
option in the documentation web application. (markt)
</fix>
<add>
Add OCSP configuration information to the SSL How-To. Patch provided by
Marek Czernek. (markt)
</add>
</changelog>
</subsection>
<subsection name="jdbc-pool">
<changelog>
<fix>
<bug>61312</bug>: Prevent <code>NullPointerException</code> when using
the statement cache of connection that has been closed. (kfujino)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<fix>
Add an additional system property for the system property replacement.
(remm)
</fix>
<fix>
Add missing SHA-512 hash for release artifacts to the build script.
(markt)
</fix>
<update>
Update the internal fork of Commons Pool 2 to 2.4.3. (markt)
</update>
<update>
Update the internal fork of Commons DBCP 2 to 8a71764 (2017-10-18) to
pick up some bug fixes and enhancements. (markt)
</update>
<update>
Update the internal fork of Commons FileUpload to 6c00d57 (2017-11-23)
to pick up some code clean-up. (markt)
</update>
<update>
Update the internal fork of Commons Codec to r1817136 to pick up some
code clean-up. (markt)
</update>
<fix>
The native source bundles (for Commons Daemon and Tomcat Native) are no
longer copied to the bin directory for the deploy target. They are now
only copied to the bin directory for the release target. (markt)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 8.5.24 (markt)" rtext="2017-11-30">
<subsection name="Catalina">
<changelog>
<add>
When running under Java 9 or later, and the
<code>urlCacheProtection</code> option of the
<code>JreMemoryLeakPreventionListener</code> is enabled, use the API
added in Java 9 to only disable the caching for JAR URL connections.
(markt)
</add>
<fix>
Fix possible <code>SecurityException</code> when using TLS related
request attributes. (markt)
</fix>
<fix>
<bug>61597</bug>: Extend the <code>StandardJarScanner</code> to scan
JARs on the module path when running on Java 9 and class path scanning
is enabled. (markt)
</fix>
<fix>
<bug>61601</bug>: Add support for multi-release JARs in JAR scanning and
web application class loading. (markt)
</fix>
<fix>
<bug>61681</bug>: Allow HTTP/2 push when using request wrapping. (remm)
</fix>
<add>
Provide the <code>SessionInitializerFilter</code> that can be used to
ensure that an HTTP session exists when initiating a WebSocket
connection. Patch provided by isapir. (markt)
</add>
<fix>
<bug>61682</bug>: When re-prioritising HTTP/2 streams, ensure that both
parent and children fields are correctly updated to avoid a possible
<code>StackOverflowError</code>. (markt)
</fix>
<fix>
Improve concurrency by reducing the scope of the synchronisation for
<code>javax.security.auth.message.config.AuthConfigFactory</code> in the
JASPIC API implementation. Based on a patch by Pavan Kumar. (markt)
</fix>
<fix>
Avoid a possible <code>NullPointerException</code> when timing out
<code>AsyncContext</code> instances during shut down. (markt)
</fix>
<fix>
<bug>61777</bug>: Avoid a <code>NullPointerException</code> when
detaching a JASPIC <code>RegistrationListener</code>. Patch provided by
Lazar. (markt)
</fix>
<fix>
<bug>61778</bug>: Correct the return value when detaching a JASPIC
<code>RegistrationListener</code>. Patch provided by Lazar. (markt)
</fix>
<fix>
<bug>61779</bug>: Avoid a <code>NullPointerException</code> when a
<code>null</code> <code>RegistrationListener</code> is passed to
<code>AuthConfigFactory.getConfigProvider()</code>. Patch provided by
Lazar. (markt)
</fix>
<fix>
<bug>61780</bug>: Only include the default JASPIC registration ID in the
return value for a call to
<code>AuthConfigFactory.getRegistrationIDs()</code> if a
<code>RegistrationContext</code> has been registered using the default
registration ID. Patch provided by Lazar. (markt)
</fix>
<fix>
<bug>61781</bug>: Enable JASPIC provider registrations to be persisted
when the layer and/or application context are <code>null</code>. Patch
provided by Lazar. (markt)
</fix>
<fix>
<bug>61782</bug>: When calling
<code>AuthConfigFactory.doRegisterConfigProvider()</code> and the
requested JASPIC config provider class is found by the web application
class loader, do not attempt to load the class with the class loader
that loaded the JASPIC API. Patch provided by Lazar. (markt)
</fix>
<fix>
<bug>61783</bug>: When calling
<code>AuthConfigFactory.removeRegistration()</code> and the registration
is persistent, it should be removed from the persistent store. Patch
provided by Lazar. (markt)
</fix>
<fix>
<bug>61784</bug>: Correctly handle the case when
<code>AuthConfigFactoryImpl.registerConfigProvider()</code> is called
with a provider name of <code>null</code>. Patch provided by Lazar.
(markt)
</fix>
<add>
<bug>61795</bug>: Add a property to the <code>Authenticator</code>
implementations to enable a custom JASPIC <code>CallbackHandler</code>
to be specified. Patch provided by Lazar. (markt)
</add>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<add>
Enable ALPN and also, therefore, HTTP/2 for the NIO and NIO2 HTTP
connectors when using the JSSE implementation for TLS when running on
Java 9. (markt)
</add>
<add>
<bug>60762</bug>: Add the ability to make changes to the TLS
configuration of a connector at runtime without having to restart the
Connector. (markt)
</add>
<fix>
<bug>61568</bug>: Avoid a potential <code>SecurityException</code> when
using the NIO2 connector and a new thread is added to the pool. (markt)
</fix>
<fix>
<bug>61583</bug>: Correct a further regression in the fix to enable the
use of Java key stores that contained multiple keys that did not all
have the same password. This fixes PKCS11 key store handling with
multiple keys selected with an alias. (markt)
</fix>
<fix>
Reduce default HTTP/2 stream concurrent execution within a connection
from 200 to 20. (remm)
</fix>
<fix>
<bug>61668</bug>: Avoid a possible NPE when calling
<code>AbstractHttp11Protocol.getSSLProtocol()</code>. (markt)
</fix>
<fix>
<bug>61673</bug>: Avoid a possible
<code>ConcurrentModificationException</code> when working with the
streams associated with a connection. (markt)
</fix>
<fix>
<bug>61719</bug>: Avoid possible NPE calling
InputStream.setReadListener with HTTP/2. (remm)
</fix>
<fix>
<bug>61736</bug>: Improve performance of NIO connector when clients
leave large time gaps between network packets. Patch provided by Zilong
Song. (markt)
</fix>
<fix>
<bug>61740</bug>: Correct an off-by-one error in the Hpack header index
validation that caused intermittent request failures when using HTTP/2.
(markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>61816</bug>: Invalid expressions in attribute values or template
text should trigger a translation (compile time) error, not a run time
error. (markt)
</fix>
</changelog>
</subsection>
<subsection name="WebSocket">
<changelog>
<fix>
<bug>61604</bug>: Add support for authentication in the websocket
client. Patch submitted by J Fernandez. (remm)
</fix>
</changelog>
</subsection>
<subsection name="Web applications">
<changelog>
<fix>
Enable Javadoc to be built with Java 9. (markt)
</fix>
<fix>
<bug>61603</bug>: Add XML filtering for the status servlet output where
needed. (remm)
</fix>
<fix>
Correct the description of how the CGI servlet maps a request to a
script in the CGI How-To. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Tribes">
<changelog>
<fix>
Fix incorrect behavior that attempts to resend channel messages more
than the actual setting value of <code>maxRetryAttempts</code>.
(kfujino)
</fix>