changelog.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!DOCTYPE document [
  <!ENTITY project SYSTEM "project.xml">

  <!-- DTD is used to validate changelog structure at build time. BZ 64931. -->

  <!ELEMENT document (project?, properties, body)>
  <!ATTLIST document url CDATA #REQUIRED>

  <!-- body and title are used both in project.xml and in this document -->
  <!ELEMENT body ANY>
  <!ELEMENT title (#PCDATA)>

  <!-- Elements of project.xml -->
  <!ELEMENT project (title, logo, body)>
  <!ATTLIST project name CDATA #REQUIRED>
  <!ATTLIST project href CDATA #REQUIRED>

  <!ELEMENT logo (#PCDATA)>
  <!ATTLIST logo href CDATA #REQUIRED>

  <!ELEMENT menu (item+)>
  <!ATTLIST menu name CDATA #REQUIRED>

  <!ELEMENT item EMPTY>
  <!ATTLIST item name CDATA #REQUIRED>
  <!ATTLIST item href CDATA #REQUIRED>

  <!-- Elements of this document -->
  <!ELEMENT properties (author*, title, no-comments) >
  <!ELEMENT author (#PCDATA)>
  <!ATTLIST author email CDATA #IMPLIED>
  <!ELEMENT no-comments EMPTY>

  <!ELEMENT section (subsection)*>
  <!ATTLIST section name CDATA #REQUIRED>
  <!ATTLIST section rtext CDATA #IMPLIED>

  <!ELEMENT subsection (changelog+)>
  <!ATTLIST subsection name CDATA #REQUIRED>

  <!ELEMENT changelog (add|update|fix|scode|docs|design)*>
  <!ELEMENT add ANY>
  <!ELEMENT update ANY>
  <!ELEMENT fix ANY>
  <!ELEMENT scode ANY>
  <!ELEMENT docs ANY>
  <!ELEMENT design ANY>

  <!ELEMENT bug (#PCDATA)>
  <!ELEMENT rev (#PCDATA)>
  <!ELEMENT pr (#PCDATA)>

  <!-- Random HTML markup tags. Add more here as needed. -->
  <!ELEMENT a (#PCDATA)>
  <!ATTLIST a href CDATA #REQUIRED>
  <!ATTLIST a rel CDATA #IMPLIED>

  <!ELEMENT b (#PCDATA)>
  <!ELEMENT code (#PCDATA)>
  <!ELEMENT em (#PCDATA)>
  <!ELEMENT strong (#PCDATA)>
  <!ELEMENT tt (#PCDATA)>
]>
<?xml-stylesheet type="text/xsl" href="tomcat-docs.xsl"?>
<document url="changelog.html">

  &project;

  <properties>
    <title>Changelog</title>
    <no-comments />
  </properties>

<body>
<!--
  Subsection ordering:
  General, Catalina, Coyote, Jasper, Cluster, WebSocket, Web applications,
  Extras, Tribes, jdbc-pool, Other

  Item Ordering:

  Fixes having an issue number are sorted by their number, ascending.

  There is no ordering by add/update/fix/scode/docs/design.

  Other fixed issues are added to the end of the list, chronologically.
  They eventually become mixed with the numbered issues (i.e., numbered
  issues do not "pop up" wrt. others).
-->
<section name="Tomcat 10.1.14 (schultz)" rtext="in development">
  <subsection name="Catalina">
    <changelog>
      <add>
        <bug>65770</bug>: Provide a lifecycle listener that will automatically
        reload TLS configurations a set time before the certificate is due to
        expire. This is intended to be used with third-party tools that
        regularly renew TLS certificates. (markt)
      </add>
      <fix>
        Fix handling of an error reading a context descriptor on deployment.
        (remm)
      </fix>
      <fix>
        Fix rewrite rule qsd (query string discard) being ignored if qsa was
        also use, while it should instead take precedence. (remm)
      </fix>
      <fix>
        <bug>67472</bug>: Send fewer CORS-related headers when CORS is not
        actually being engaged. (schultz)
      </fix>
      <add>
        Improve handling of failures within <code>recycle()</code> methods.
        (markt)
      </add>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        <bug>67198</bug>: Ensure that the AJP connector attribute
        <code>tomcatAuthorization</code> takes precedence over the
        <code>tomcatAuthentication</code> attribute when processing an
        <code>auth_type</code> attribute received from a proxy server. (markt)
      </fix>
      <fix>
        <bug>67235</bug>: Fix a <code>NullPointerException</code> when an
        <code>AsyncListener</code> handles an error with a dispatch rather than
        a complete. (markt)
      </fix>
      <fix>
        When an error occurs during asynchronous processing, ensure that the
        error handling process is only triggered once per asynchronous cycle.
        (markt)
      </fix>
      <fix>
        Fix logic issue trying to match no argument method in IntropectionUtil.
        (remm)
      </fix>
      <fix>
        Improve thread safety around readNotify and writeNotify in the NIO2
        endpoint. (remm)
      </fix>
      <fix>
        Avoid rare thread safety issue accessing message digest map. (remm)
      </fix>
      <fix>
        Improve statistics collection for upgraded connections under load.
        (remm)
      </fix>
      <fix>
        Align validation of HTTP trailer fields with standard fields. (markt)
      </fix>
      <fix>
        Improvements to HTTP/2 overhead protection. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <fix>
        <bug>67080</bug>: Improve performance of EL expressions in JSPs that use
        implicit objects. Based on suggestions by John Engebretson, Anurag Dubey
        and Christopher Schultz. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <update>
        Update the internal fork of Apache Commons FileUpload to 7a8c324
        (2023-09-16, 1.x-SNAPSHOT). Due to significant refactoring in the 2.x
        branch requiring additional Commons IO dependencies, Tomcat has switched
        to tracking the 1.x branch. (markt)
      </update>
      <add>
        Add the <code>Bundle-License</code> header to the JAR manifest for all
        Tomcat JARs. (markt)
      </add>
      <update>
        Update UnboundID to 6.0.9. (markt)
      </update>
      <update>
        Update Checkstyle to 10.12.3. (markt)
      </update>
      <update>
        Update Tomcat Native to 2.0.6. (markt)
      </update>
      <update>
        Update Commons Pool to 2.12.0. (markt)
      </update>
      <fix>
        <bug>67611</bug>: Correct the download link in BUILDING.txt. (lihan)
      </fix>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Japanese translations by tak7iji. (markt)
      </add>
      <add>
        Improvements to Russian translations by usmazat. (markt)
      </add>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.13 (markt)" rtext="2023-08-25">
  <subsection name="Catalina">
    <changelog>
      <fix>
        If an application or library sets both a non-500 error code and the
        <code>jakarta.servlet.error.exception</code> request attribute, use the
        provided error code during error page processing rather than assuming an
        error code of 500. (markt)
      </fix>
      <fix>
        Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes
        and KiB for 1024 bytes rather than MB and kB. (martk)
      </fix>
      <fix>
        Avoid protocol relative redirects in FORM authentication. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <fix>
        Documentation. Update documentation to use MiB for 1024 * 1024 bytes and
        KiB for 1024 bytes rather than MB and kB. (martk)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <add>
        Improvements to Chinese translations. (lihan)
      </add>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Japanese translations by tak7iji. (markt)
      </add>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.12 (markt)" rtext="2023-08-14">
  <subsection name="Catalina">
    <changelog>
      <fix>
        <bug>66680</bug>: When serializing a session during the session
        presistence process, do not log a warning that null Principals are not
        serializable. Pull request <pr>638</pr> provided by tsryo. (markt)
      </fix>
      <fix>
        Catch <code>NamingException</code> in <code>JNDIRealm#getPrincipal</code>.
        It is used in Java up to 17 to signal closed connections. (fschumacher)
      </fix>
      <fix>
        <bug>66822</bug>: Use the same naming format in log messages for
        Connector instances as the associated ProtocolHandler instance. (markt)
      </fix>
      <fix>
        The parts count should also lower the actual
        <code>maxParameterCount</code> used for parsing parameters if parts are
        parsed first. (remm)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        Correct a regression introduced in 10.1.11 and use the correct
        constant when constructing the default value for the
        <code>certificateKeystoreFile</code> attribute of an
        <code>SSLHostConfigCertificate</code> instance. (markt)
      </fix>
      <scode>
        Refactor HTTP/2 implementation to reduce pinning when using virtual
        threads. (markt)
      </scode>
      <fix>
        Pass through ciphers referring to an OpenSSL profile, such as
        <code>PROFILE=SYSTEM</code> instead of producing an error trying to
        parse it. (remm)
      </fix>
      <fix>
        <bug>66841</bug>: Ensure that <code>AsyncListener.onError()</code> is
        called after an error during asynchronous processing with HTTP/2.
        (markt)
      </fix>
      <fix>
        <bug>66842</bug>: When using asynchronous I/O (the default), include
        DATA frames when calculating the HTTP/2 overhead count to ensure that
        connections are not prematurely terminated. (markt)
      </fix>
      <fix>
        Correct a race condition that could cause spurious RST messages to be
        sent after the response had been written to an HTTP/2 stream. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="WebSocket">
    <changelog>
      <fix>
        <bug>66681</bug>: Fix a <code>NullPointerException</code> when flushing
        batched messages with compression enabled using
        <code>permessage-deflate</code>. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="jdbc-pool">
    <changelog>
      <fix>
        Fix the <code>releaseIdleCounter</code> does not increment when testAllIdle
        releases them. Pull request <pr>241</pr> provided by Arun Chaitanya Miriappalli
        (lihan)
      </fix>
      <fix>
        Fix the <code>ConnectionState</code> state will be inconsistent with actual
        state on the connection when an exception occurs while writing. Pull request
        <pr>643</pr> provided by Wenjun Xiao. (lihan)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <update>
        Update NSIS to 3.0.9. (markt)
      </update>
      <update>
        Update Checkstyle to 10.12.2. (markt)
      </update>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Japanese translations. Contributed by tak7iji and
        Shirayuking. (markt)
      </add>
      <fix>
        <bug>66829</bug>: Fix quoting so users can use the <code>_RUNJAVA</code>
        environment variable as intended on Windows when the path to the Java
        executable contains spaces. (markt)
      </fix>
      <fix>
        <bug>66834</bug>: Correct the OSGi contract references in the manifest
        files to refer to the Jakarta EE contract names rather than the Java EE
        contract names. (markt)
      </fix>
      <update>
        Update Tomcat Native to 2.0.5. (markt)
      </update>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.11 (schultz)" rtext="2023-07-10">
  <subsection name="Catalina">
    <changelog>
      <add>
        <bug>59232</bug>: Add
        <code>org.apache.catalina.core.ContextNamingInfoListener</code>,
        a listener which creates context naming information environment entries.
        (michaelo)
      </add>
      <add>
        <bug>66665</bug>: Add
        <code>org.apache.catalina.core.PropertiesRoleMappingListener</code>,
        a listener which populates the context's role mapping from a properties
        file. (michaelo)
      </add>
      <fix>
        Fix an edge case where intra-web application symlinks would be followed
        if the web applications were deliberately crafted to allow it even when
        <code>allowLinking</code> was set to <code>false</code>. (markt)
      </fix>
      <update>
        Add utlity config file resource lookup on <code>Context</code> to allow
        looking up resources from the webapp (prefixed with
        <code>webapp:</code>) and make the resource lookup API more visible.
        (remm)
      </update>
      <fix>
        Fix potential database connection leaks in
        <code>DataSourceUserDatabase</code> identified by Coverity Scan. (markt)
      </fix>
      <fix>
        Make parsing of <code>ExtendedAccessLogValve</code> patterns more
        robust. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        <bug>66627</bug>: Restore the documented behaviour of
        <code>MessageBytes.getType()</code> that it returns the type of the
        original content rather than reflecting the most recent conversion.
        (markt)
      </fix>
      <fix>
        <bug>66635</bug>: Correct certificate logging on start-up so it
        differentiates between keystore based keys/certificates and PEM file
        based keys/certificates and logs the relevant information for each.
        (markt)
      </fix>
      <fix>
        Refactor blocking reads and writes for the NIO connector to remove
        code paths that could allow a notification from the Poller to be missed
        resuting in a timeout rather than the expected read or write. (markt)
      </fix>
      <fix>
        Refactor waiting for an HTTP/2 stream or connection window update to
        handle spurious wake-ups during the wait. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="WebSocket">
    <changelog>
      <fix>
        Improve handling of error conditions for the WebSocket server,
        particularly during Tomcat shutdown. (markt)
      </fix>
      <fix>
        Correct a regression in the fix for <bug>66574</bug> that meant the
        WebSocket session could return false for <code>onOpen()</code> before
        the <code>onClose()</code> event had been completed. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <add>
        Documentation. Expand the security guidance to cover the embedded use
        case and add notes on the uses made of the <code>java.io.tmpdir</code>
        system property. (markt)
      </add>
      <fix>
        <bug>66662</bug>: Documentation. Fix a typo in the name of the
        <strong>algorithms</strong> attribute in the configuration section for
        the Digest authentication valve. Pull request <pr>629</pr> provided by
        gohilmca. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <add>
        Include the Windows specific binary distributions in the files uploaded
        to Maven Central. (markt)
      </add>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Japanese translations. Contributed by tak7iji. (markt)
      </add>
      <update>
        Update UnboundID to 6.0.9. (markt)
      </update>
      <update>
        Update Checkstyle to 10.12.1. (markt)
      </update>
      <update>
        Update BND to 6.4.1. (markt)
      </update>
      <update>
        Update JSign to 5.0. (markt/rjung)
      </update>
      <fix>
        Align documentation for maxParameterCount to match hard-coded defaults.
        Contributed by Michal Sobkiewicz. (schultz)
      </fix>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.10 (schultz)" rtext="2023-06-12">
  <subsection name="Catalina">
    <changelog>
      <scode>
        Move the management of the utility executor from the
        <code>init()</code>/<code>destroy()</code> methods of components to the
        <code>start()</code>/<code>stop()</code> methods. (markt)
      </scode>
      <add>
        Add <code>org.apache.catalina.core.StandardVirtualThreadExecutor</code>,
        a virtual thread based executor that may be used with one or more
        Connectors to process requests received by those Connectors using
        virtual threads. This Executor requires a minimum Java version of Java
        21. (markt)
      </add>
      <fix>
        <bug>66513</bug>: Add a per session Semaphore to the
        <code>PersistentValve</code> that ensures that, within a single Tomcat
        instance, there is no more than one concurrent request per session. Also
        expand the debug logging to include whether a request bypasses the Valve
        and the reason if a request fails to obtain the per session Semaphore.
        (markt)
      </fix>
      <fix>
        <bug>66609</bug>: Ensure that the default servlet correctly escapes
        file names in directory listings when using XML output. Based on pull
        request <pr>621</pr> by Alex Kachanov. (markt)
      </fix>
      <add>
       <bug>66618</bug>: Add a numeric last modified field to the XML directory
       listings produced by the default servlet to enable sorting in the XSLT.
       Pull request <pr>622</pr> by Alex Kachanov. (markt)
      </add>
      <fix>
        <bug>66621</bug>: Attempts to lock a collection with WebDAV may
        incorrectly fail if a child collection has an expired lock. (markt)
      </fix>
      <fix>
        <bug>66622</bug>: Deprecate the <code>xssProtectionEnabled</code>
        setting from the <code>HttpHeaderSecurityFilter</code> and change the
        default value to <code>false</code> as support for the associated HTTP
        header has been removed from all major browsers. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <update>
        Update the HTTP/2 implementation to use the prioritization scheme
        defined in RFC 9218 rather than the one defined in RFC 7540.
        (markt)
      </update>
      <fix>
        <bug>66602</bug>: not sending WINDOW_UPDATE when dataLength is ZERO
        on call SwallowedDataFramePayload. Pull request #619 by
        ledefe. (lihan)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <update>
        Update to Commons Daemon 1.3.4. (markt)
      </update>
      <add>
        Improvements to French translations. (remm)
      </add>
      <update>
        Update Checkstyle to 10.12.0. (markt)
      </update>
      <update>
        Update the packaged version of the Apache Tomcat Native Library to 2.0.4
        to pick up the Windows binaries built with with OpenSSL 3.0.9. (markt)
      </update>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.9 (schultz)" rtext="2023-05-19">
  <subsection name="Catalina">
    <changelog>
      <fix>
        <bug>66567</bug>: Fix missing <code>IllegalArgumentException</code>
        after the Tomcat code was converted to using URI instead of URL. (remm)
      </fix>
      <fix>
        Escape timestamp output in <code>AccessLogValve</code> if a
        <code>SimpleDateFormat</code> is used which contains verbatim
        characters that need escaping. (rjung)
      </fix>
      <update>
        Change output of vertical tab in <code>AccessLogValve</code> from
        <code>\v</code> to <code>\u000b</code>. (rjung)
      </update>
      <update>
        Improve performance of escaping in <code>AccessLogValve</code>
        roughly by a factor of two. (rjung)
      </update>
      <update>
        Improve <code>JsonAccessLogValve</code>: support more patterns
        like for headers and attributes. Those will be logged as sub objects.
        (rjung)
      </update>
      <fix>
        <pr>613</pr>: Fix possible partial corrupted file copies when using
        file locking protection or the manager servlet. Submitted
        by Jack Shirazi. (remm)
      </fix>
      <add>
        Add RateLimitFilter which can be used to mitigate DoS and Brute Force
        attacks. (isapir)
      </add>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <add>
        Add support for a new character set, <code>gb18030-2022</code> -
        introduced in Java 21, to the character set caching mechanism. (markt)
      </add>
      <fix>
        Fix an edge case in HTTP header parsing and ensure that HTTP headers
        without names are treated as invalid. (markt)
      </fix>
      <update>
        Deprecate the HTTP Connector settings <code>rejectIllegalHeader</code>
        and <code>allowHostHeaderMismatch</code> as they have been removed in
        Tomcat 11 onwards. (markt)
      </update>
      <fix>
        <bug>66591</bug>: Fix a regression introduced in the fix for
        <bug>66512</bug> that meant that an AJP Send Headers was not sent for
        responses where no HTTP headers were set. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <fix>
        <bug>66582</bug>: Account for EL having stricter requirements for static
        imports than JSPs when adding JSP static imports to the EL context.
        (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="WebSocket">
    <changelog>
      <fix>
        <bug>66574</bug>: Refactor WebSocket session close to remove the lock on
        the <code>SocketWrapper</code> which was a potential cause of deadlocks
        if the application code used simulated blocking. (markt)
      </fix>
      <fix>
        <bug>66575</bug>: Avoid unchecked use of the backing array of a
        buffer provided by the user in the compression transformation. (remm)
      </fix>
      <fix>
        Improve exception handling when flushing batched messages during
        WebSocket session close. (markt)
      </fix>
      <fix>
        <bug>66581</bug>: Update <code>AsyncChannelGroupUtil</code> to align it
        with the current defaults for AsynchronousChannelGroup. Pull request
        <pr>612</pr> by Matthew Painter. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Chinese translations. (lihan)
      </add>
      <update>
        Update Checkstyle to 10.10.0. (markt)
      </update>
      <update>
        Update Jacoco to 0.8.10. (markt)
      </update>
      <update>
        Update the packaged version of the Tomcat Migration Tool for Jakarta EE
        to 1.0.7. (markt)
      </update>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.8 (schultz)" rtext="2023-04-19">
  <subsection name="Catalina">
    <changelog>
      <fix>
        <bug>65995</bug>: Implement RFC 9239 and use
        <code>text/javascript</code> as the media type for JavaScript rather
        than <code>application/javascript</code>. (markt)
      </fix>
      <add>
        Add an access log valve that uses a json format. Based on pull request
        <pr>539</pr> provided by Thomas Meyer. (remm)
      </add>
      <add>
        Harden the FORM authentication process against DoS attacks by using a
        reduced session timeout if the FORM authentication process creates a
        session. The duration of this timeout is configured by the
        <code>authenticationSessionTimeout</code> attribute of the FORM
        authenticator. (markt)
      </add>
      <fix>
        <bug>66527</bug>: Correct the Javadoc for the
        <code>Tomcat.addWebapp()</code> methods that incorrectly stated that the
        <code>docBase</code> parameter could be a relative path. (markt)
      </fix>
      <fix>
        <bug>66524</bug> Correct eviction ordering in WebResource cache to
        by LRU as intended. (schultz)
      </fix>
      <update>
        Use server.xml to reduce the default value of
        <code>maxParameterCount</code> from 10,000 to 1,000. If not configured
        in server.xml, the default remains 10,000. (markt)
      </update>
      <add>
        Update Digest authentication support to align with RFC 7616. This adds a
        new configuration attribute, <code>algorithms</code>, to the
        <code>DigestAuthenticator</code> with a default of
        <code>SHA-256,MD5</code>. (markt)
      </add>
      <update>
        Add support code for custom user attributes in <code>RealmBase</code>.
        Based on code from <pr>473</pr> by Carsten Klein. (remm)
      </update>
      <fix>
        Expand the set of HTTP request headers considered sensitive that should
        be skipped when generating a response to a <code>TRACE</code> request.
        This aligns with 11.0.x. (markt)
      </fix>
      <fix>
        <bug>66541</bug>: Improve handling for cached resources for resources
        that use custom URL schemes. The scheme specific <code>equals()</code>
        and <code>hashCode()</code> algorithms, if present, will now be used for
        URLs for these resources. This addresses a potential performance issue
        with some OSGi custom URL schemes that can trigger potentially slow DNS
        lookups in some configurations. Based on a patch provided by Tom
        Whitmore. (markt)
      </fix>
      <fix>
        When using a custom session manager deployed as part of the web
        application, avoid <code>ClassNotFoundException</code>s when validating
        session IDs extracted from requests. (markt)
      </fix>
      <fix>
        <bug>66543</bug>: Give <code>StandardContext#fireRequestDestroyEvent</code>
         its own log message. (fschumacher)
      </fix>
      <fix>
        <bug>66554</bug>: Initialize Random during server initialization to
        avoid possible JVM thread creation in the webapp context on some
        platforms. (remm)
      </fix>
      <update>
        Make the server utility executor available to webapps using a Servlet
        context attribute named
        <code>org.apache.tomcat.util.threads.ScheduledThreadPoolExecutor</code>. (remm)
      </update>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        JSON filter should support specific escaping for common special
        characters as defined in RFC 8259. Based on code submitted by
        Thomas Meyer. (remm)
      </fix>
      <fix>
        <bug>66511</bug>: Fix <code>GzipOutputFilter</code> (used for compressed
        HTTP responses) when used with direct buffers. Patch suggested by Arjen
        Poutsma. (markt)
      </fix>
      <fix>
        <bug>66512</bug>: Align AJP handling of invalid HTTP response headers
        (they are now removed from the response) with HTTP. (markt)
      </fix>
      <fix>
        <bug>66530</bug>: Correct a regression in the fix for bug
        <bug>66442</bug> that meant that streams without a response body did not
        decrement the active stream count when completing leading to
        <code>ERR_HTTP2_SERVER_REFUSED_STREAM</code> for some connections.
        (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <fix>
        Fix bug that meant some instances of coercing a
        <code>LambdaExpression</code> to a functional interface invocation
        failed. (markt)
      </fix>
      <fix>
        <bug>66536</bug>: Fix parsing of tag files that meant that tag
        directives could be ignored for some tag files. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Cluster">
    <changelog>
      <fix>
        <bug>66535</bug>: Redefine the <code>maxValidTime</code> attribute of
        <code>FarmWarDeployer</code> to be the maximum time allowed between
        receiving parts of a transferred file before the transfer is cancelled
        and the associated resources cleaned-up. A new warning message will be
        logged if the file transfer is cancelled. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="WebSocket">
    <changelog>
      <fix>
        <bug>66508</bug>: When using WebSocket with NIO2, avoid waiting for
        a timeout before sending the close frame if an I/O error occurs during a
        write. (markt)
      </fix>
      <fix>
        <bug>66548</bug>: Expand the validation of the value of the
        <code>Sec-Websocket-Key</code> header in the HTTP upgrade request that
        initiates a WebSocket connection. The value is not decoded but it is
        checked for the correct length and that only valid characters from the
        base64 alphabet are used. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <fix>
        <bug>66542</bug>: Documentation. Update the JNDI documentation to
        replace references to JavaMail with references to Jakarta Mail. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Japanese translations. Contributed by Shirayuking and
        tak7iji. (markt)
      </add>
      <add>
        Improvements to Chinese translations. Contributed by totoo. (markt)
      </add>
      <scode>
        Refactor code using <code>MD5Encoder</code> to use
        <code>HexUtils.toHexString()</code>. (markt)
      </scode>
      <fix>
        <bug>66507</bug>: Fix a bug that <code>$JAVA_OPTS</code> is not passed
        to the jvm in <code>catalina.sh</code> when calling <code>version</code>.
        Patch suggested by Eric Hamilton. (lihan)
      </fix>
      <update>
        Update the internal fork of Commons DBCP to f131286 (2023-03-08,
        2.10.0-SNAPSHOT). This corrects a regression introduced in 10.1.5.
        (markt)
      </update>
      <fix>
        Improve the error messages if <code>JRE_HOME</code> or
        <code>JAVA_HOME</code> are not set correctly. On windows, align the
        handling of <code>JRE_HOME</code> and <code>JAVA_HOME</code> for the
        start-up scripts and the service install script. (markt)
      </fix>
      <update>
        Update to the Eclipse JDT compiler 4.27. (markt)
      </update>
      <update>
        Update UnboundID to 6.0.8. (markt)
      </update>
      <update>
        Update Checkstyle to 10.9.3. (markt)
      </update>
      <update>
        Update Jacoco to 0.8.9. (markt)
      </update>
      <fix>
        Enhance PEMFile to load from an InputStream. Patch provided by
        Romain Manni-Bucau. (schultz)
      </fix>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.7 (schultz)" rtext="2023-03-03">
  <subsection name="General">
    <changelog>
      <fix>
        Fix a bug that memory allocation is larger than limit in
        <code>SynchronizedStack</code> to reduce memory footprint. (lihan)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Catalina">
    <changelog>
      <add>
        Add support for <code>txt:</code> and <code>rnd:</code> rewrite map
        types from mod_rewrite. Based on a pull request <pr>591</pr>
        provided by Dimitrios Soumis. (remm)
      </add>
      <update>
        Provide a more appropriate response (501 rather than 400) when rejecting
        an HTTP request using the CONNECT method. (markt)
      </update>
      <fix>
        <bug>66488</bug>: Correct a regression introduced in the fix for bug
        <bug>66196</bug> that meant that the HTTP headers and/or request line
        could get corrupted (one part overwriting another part) within a single
        request. (markt)
      </fix>
      <fix>
        <bug>66491</bug>: Revert the switch to using the ServiceLoader mechanism
        to load the custom URL protocol handlers that Tomcat uses. The original
        system property based approach has been restored. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <add>
        Add a check for the validity of the scheme pseudo-header in HTTP/2.
        (markt)
      </add>
      <fix>
        <bug>66482</bug>: Restore inline state after async operation in NIO2,
        to account the fact that unexpected exceptions are sometimes thrown
        by the implementation. Patch submitted by zhougang. (remm)
      </fix>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.6 (schultz)" rtext="2023-02-24">
  <subsection name="Catalina">
    <changelog>
      <fix>
        Allow a Valve to access cookies from a request that cannot be mapped to
        a Context. (markt)
      </fix>
      <fix>
        <bug>66438</bug>: Correct names of Jakarta modules in JPMS metadata.
        (markt)
      </fix>
      <update>
        Switch to using the ServiceLoader mechanism to load the custom URL
        protocol handlers that Tomcat uses. (markt)
      </update>
      <fix>
        Avoid possible ISE when scanning from bad JAR URLs, to restore the
        previous behavior following the removal of Java 9+ reflection code which
        caught the ISE. (remm)
      </fix>
      <fix>
        Refactor uses of <code>String.replaceAll()</code> to use
        <code>String.replace()</code> where regular expressions where not being
        used. Pull request <pr>581</pr> provided by Andrei Briukhov. (markt)
      </fix>
      <add>
        Add error report valve that allows redirecting to of proxying from an
        external web server. Based on code and ideas from pull request
        <pr>506</pr> provided by Max Fortun. (remm)
      </add>
      <add>
        <bug>66470</bug>: Add the Shared Address Space defined by RFC 6598
        (100.64.0.0/10) to the regular expression used to identify internal
        proxies for the <code>RemoteIpFilter</code> and
        <code>RemoteIpValve</code>. (markt)
      </add>
      <fix>
        <bug>66471</bug>: Fix JSessionId secure attribute missing When
        <code>RemoteIpFilter</code> determines that this request was submitted
        via a secure channel. (lihan)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <add>
        Log basic information for each configured TLS certificate when Tomcat
        starts. (markt)
      </add>
      <fix>
        <bug>66442</bug>: When an HTTP/2 response must not include a body,
        ensure that the end of stream flag is set on the headers frame and that
        no data frame is sent. (markt)
      </fix>
      <fix>
        <bug>66455</bug>: Fix the cause of a potential
        <code>ClassCastException</code> when processing a
        <code>WINDOW_UPDATE</code> frame on an HTTP/2 connection where the flow
        control window for the overall connection has been exhausted. (markt)
      </fix>
      <fix>
        Fix a regression introduced in 10.1.0-M17 that prevented HTTP/2
        connections from timing out when using a Connector configured with
        <code>useAsyncIO=true</code> (the default). (markt)
      </fix>
      <add>
        Provided dedicated loggers
        (<code>org.apache.tomcat.util.net.NioEndpoint.certificate</code> /
        <code>org.apache.tomcat.util.net.Nio2Endpoint.certificate</code>) for
        logging of configured TLS certificates. (markt)
      </add>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <fix>
        <bug>66419</bug>: Fix calls from expression language to a method that
        accepts varargs when only one argument was passed. (markt)
      </fix>
      <fix>
        <bug>66441</bug>: Make imports of static fields in JSPs visible to any
        EL expressions used on the page. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <fix>
        <bug>66429</bug>: Documentation. Limit access to the documentation web
        application to localhost by default. (markt)
      </fix>
      <fix>
        <bug>66429</bug>: Examples. Limit access to the examples web application
        to localhost by default. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <update>
        Update BND to 6.4.0. (markt)
      </update>
      <add>
        Improvements to Korean translations. (woonsan)
      </add>
      <update>
        Update the packaged version of the Apache Tomcat Native Library to 2.0.3
        to pick up the Windows binaries built with with OpenSSL 3.0.8. (markt)
      </update>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.5 (markt)" rtext="2023-01-13">
  <subsection name="Catalina">
    <changelog>
      <fix>
        <bug>66388</bug>: Correct a regression in the refactoring that replaced
        the use of the <code>URL</code> constructors. The regression broke
        lookups for resources that contained one or more characters in their
        name that required escaping when used in a URI path. (markt)
      </fix>
      <fix>
        <bug>66392</bug>: Change the default value of <code>AccessLogValve</code>'s
        file encoding to UTF-8 and update documentation. (lihan)
      </fix>
      <fix>
        <bug>66393</bug>: Align <code>ExtendedAccessLogValve</code>'s x-P(XXX) with the
        documentation. (lihan)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        When resetting an HTTP/2 stream because the final response has been
        generated before the request has been fully read, use the HTTP/2 error
        code <code>NO_ERROR</code> so that client does not discard the response.
        Based on a suggestion by Lorenzo Dalla Vecchia. (markt)
      </fix>
      <fix>
        <bug>66385</bug>: Correct a bug in HTTP/2 where a non-blocking read for
        a new frame with the NIO2 connector was incorrectly made using the read
        timeout leading to unexpected stream closure. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <fix>
        <bug>66370</bug>: Change the default of the
        <code>org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED</code> system
        property to <code>true</code> unless the EL library is running on Tomcat
        in which case the default remains <code>false</code> as the EL library
        is already called from within a privileged block and skipping the
        unnecessary privileged block improves performance. (markt)
      </fix>
      <add>
        Add support for specifying Java 21 (with the value <code>21</code>) as
        the compiler source and/or compiler target for JSP compilation. If used
        with an Eclipse JDT compiler version that does not support these values,
        a warning will be logged and the default will used.
        (markt)
      </add>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <update>
        Update the internal fork of Apache Commons BCEL to 2ee2bff (2023-01-03,
        6.7.1-SNAPSHOT). (markt)
      </update>
      <update>
        Update the internal fork of Apache Commons Codec to 3eafd6c (2023-01-03,
        1.16-SNAPSHOT). (markt)
      </update>
      <update>
        Update the internal fork of Apache Commons FileUpload to 34eb241
        (2023-01-03, 2.0-SNAPSHOT). (markt)
      </update>
      <update>
        Update the internal fork of Apache Commons DBCP to f131286 (2023-01-03,
        2.10.0-SNAPSHOT). (markt)
      </update>
      <add>
        Improvements to Japanese translations. Contributed by Shirayuking.
        (markt)
      </add>
      <add>
        Improvements to Portuguese translations. Contributed by Guilherme
        Custódio. (markt)
      </add>
      <update>
        Update to the Eclipse JDT compiler 4.26. (markt)
      </update>
      <update>
        Update Checkstyle to 10.6.0. (markt)
      </update>
      <update>
        Update Unboundid to 6.0.7. (markt)
      </update>
      <update>
        Update SpotBugs to 4.7.3. (markt)
      </update>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.4 (markt)" rtext="2022-12-09">
  <subsection name="Other">
    <changelog>
      <update>
        Update the packaged version of the Apache Tomcat Migration Tool for
        Jakarta EE to 1.0.6. (markt)
      </update>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.3 (markt)" rtext="not released">
  <subsection name="Catalina">
    <changelog>
      <fix>
        Correct the default implementation of
        <code>HttpServletRequest.isTrailerFieldsReady()</code> to return
        <code>true</code> so it is consistent with the default implementation of
        <code>HttpServletRequest.getTrailerFields()</code> and with the Servlet
        API provided by the Jakarta EE project. (markt)
      </fix>
      <fix>
        Refactor <code>WebappLoader</code> so it only has a runtime dependency
        on the migration tool for Jakarta EE if configured to use the converter
        as classes are loaded. (markt)
      </fix>
      <fix>
        Improve the behavior of the credential handler attribute that is set in
        the Servlet context so that it actually reflects what is used during
        authentication. (remm)
      </fix>
      <fix>
        <bug>66359</bug>: Update javadoc for RemoteIpValve and RemoteIpFilter with
        correct <code>protocolHeader</code> default value of "X-Forwarded-Proto".
        (lihan)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        When an HTTP/2 stream was reset, the current active stream count was not
        reduced. If enough resets occurred on a connection, the current active
        stream count limit was reached and no new streams could be created on
        that connection. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <fix>
        <bug>66348</bug>: Update the JARs listed in the class loader
        documentation and note which ones are optional. (markt)
      </fix>
      <fix>
        Documentation. Replace references in the application developer's guide
        to CVS with more general references to a source code control system.
        (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <scode>
        Refactor code base to replace use of URL constructors. While they are
        deprecated in Java 20 onwards, the reasons for deprecation are valid for
        all versions so move away from them now. (markt)
      </scode>
      <scode>
        Refine the Tomcat native image metadata to avoid including unintended
        non-Tomcat resources. Pull request <pr>569</pr> provided by Sébastien
        Deleuze. (markt)
      </scode>
      <update>
        Update the internal fork of Apache Commons BCEL to b015e90 (2022-11-28,
        6.7.0-RC1). (markt)
      </update>
      <update>
        Update the internal fork of Apache Commons Codec to ae32a3f (2022-11-29,
        1.16-SNAPSHOT). (markt)
      </update>
      <update>
        Update to Commons Daemon 1.3.3. (markt)
      </update>
      <update>
        Update the internal fork of Apache Commons FileUpload to aa8eff6
        (2022-11-29, 2.0-SNAPSHOT). (markt)
      </update>
      <add>
        Improvements to Japanese translations. Contributed by Shirayuking and
        tak7iji. (markt)
      </add>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.2 (markt)" rtext="2022-11-14">
  <subsection name="Catalina">
    <changelog>
      <add>
        <bug>66209</bug>: Add a configuration option to allow bloom filters used
        to index JAR files to be retained for the lifetime of the web
        application. Prior to this addition, the indexes were always flushed by
        the periodic calls to <code>WebResourceRoot.gc()</code>. As part of this
        addition, configuration of archive indexing moves from
        <code>Context</code> to <code>WebResourceRoot</code>. Based on a patch
        provided by Rahul Jaisimha. (markt)
      </add>
      <fix>
        <bug>66330</bug>: Correct a regression introduced when fixing
        <bug>62897</bug> that meant any value configured for
        <code>skipMemoryLeakChecksOnJvmShutdown</code> on the
        <code>Context</code> was ignored and the default was always used.
        (markt)
      </fix>
      <fix>
        <bug>66331</bug>: Fix a regression in refactoring for <code>Stack</code>
        on the <code>SystemLogHandler</code> which caught incorrect exception.
        (lihan)
      </fix>
      <fix>
        <bug>66338</bug>: Fix a regression that caused a nuance in refactoring
        for <code>ErrorReportValve</code>. (lihan)
      </fix>
      <fix>
        Escape values used to construct output for the
        <code>JsonErrorReportValve</code> to ensure that it always outputs valid
        JSON. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        Correct the date format used with the expires attribute of HTTP cookies.
        A single space rather than a single dash should be used to separate the
        day, month and year components to be compliant with RFC 6265. (markt)
      </fix>
      <add>
        Include the name of the current stream state in the error message when a
        stream is cancelled due to an attempt to write to the stream when it is
        in a state that does not permit writes. (markt)
      </add>
      <scode>
        NIO writes never return -1 so refactor <code>CLOSED_NIO_CHANNEL</code>
        not to do so and remove checks for this return value. Based on
        <pr>562</pr> by tianshuang. (markt)
      </scode>
      <scode>
        Remove unnecessary code that exposed the <code>asyncTimeout</code> to
        components that never used it. (markt)
      </scode>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <fix>
        <bug>66294</bug>: Make the use of a privileged block to obtain the
        thread context class loader added to address <bug>62080</bug> optional
        and disabled by default. This is now controlled by the
        <code>org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED</code> system
        property. (markt)
      </fix>
      <fix>
        <bug>66317</bug>: Fix for Lambda coercion security manager missing
        privileges. Based on pull request #557 by Isaac Rivera Rivas (lihan)
      </fix>
      <fix>
        <bug>66325</bug>: Fix concurrency issue in evaluation of expression
        language containing lambda expressions. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="jdbc-pool">
    <changelog>
      <fix>
        <bug>66346</bug>: Ensure all JDBC pool JARs are reproducible. Pull
        request <pr>566</pr> provided by John Neffenger. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <update>
        Update to Commons Daemon 1.3.2. (markt)
      </update>
      <fix>
        <bug>66323</bug>: Move module start up parameters from
        <code>JDK_JAVA_OPTIONS</code> to <code>JAVA_OPTS</code> now that the
        minimum Java version is 11 and these options are always required. (markt)
      </fix>
      <add>
        Improvements to Chinese translations. Contributed by DigitalCat and
        lihan. (markt)
      </add>
      <add>
        Improvements to French translations. Contributed by Mathieu Bouchard.
        (markt)
      </add>
      <add>
        Improvements to Japanese translations. Contributed by Shirayuking.
        (markt)
      </add>
      <fix>
        Correct a regression in the removal of the APR connector that broke
        Graal native image support. Pull request <pr>564</pr> provided by
        Sébastien Deleuze. (markt)
      </fix>
      <update>
        Update the packaged version of the Apache Tomcat Native Library to 2.0.2
        to pick up the Windows binaries built with with OpenSSL 3.0.7. (markt)
      </update>
      <update>
        Update the packaged version of the Apache Tomcat Migration Tool for
        Jakarta EE to 1.0.5. (markt)
      </update>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.1 (markt)" rtext="2022-10-11">
  <subsection name="Catalina">
    <changelog>
      <fix>
        Update the <code>RewriteValve</code> to perform pattern matching using
        dotall mode to avoid unexpected behaviour if the URL includes encoded
        line terminators. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        <bug>66276</bug>: Fix incorrect class cast when adding
        a descendant of HTTP/2 streams. (lihan)
      </fix>
      <fix>
        <bug>66281</bug>: Fix unexpected timeouts that may appear as client
        disconnections when using HTTP/2 and NIO2. (markt)
      </fix>
      <fix>
        Enforce the requirement of RFC 7230 onwards that a request with a
        malformed <code>content-length</code> header should always be rejected
        with a 400 response. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <fix>
        <bug>66277</bug>: Fix regressions in refactoring from <code>Stack</code>
        <code>ArrayDeque</code>.
      </fix>
      <add>
        Add support for specifying Java 20 (with the value <code>20</code>) as
        the compiler source and/or compiler target for JSP compilation. If used
        with an Eclipse JDT compiler version that does not support these values,
        a warning will be logged and the default will used.
        (markt)
      </add>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <fix>
        Documentation. Document the <code>nonceRequestParameterName</code>
        attribute for the <code>CsrfPreventionFilter</code>. Based on
        <pr>553</pr> by Mert Ülkgün. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <update>
        Update to the Eclipse JDT compiler 4.23. (markt)
      </update>
      <update>
        Update Objenesis to 3.2. (markt)
      </update>
      <update>
        Update UnboundID to 6.0.6. (markt)
      </update>
      <update>
        Update Checkstyle to 10.3.4. (markt)
      </update>
      <update>
        Update JaCoCo to 0.8.8. (markt)
      </update>
      <update>
        Update SpotBugs to 4.7.2. (markt)
      </update>
      <update>
        Update JSign to 4.2. (markt)
      </update>
      <update>
        Update Derby to 10.16.1.1. (markt)
      </update>
      <add>
        Improvements to Chinese translations. (markt)
      </add>
      <add>
        Improvements to Czech translations. (markt)
      </add>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Japanese translations. Contributed by tak7iji and
        Shirayuking. (markt)
      </add>
      <add>
        Improvements to Korean translations. (markt)
      </add>
      <add>
        Improvements to Spanish translations. (markt)
      </add>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.0 (markt)" rtext="2022-09-26">
  <subsection name="Coyote">
    <changelog>
      <update>
        Update Panama OpenSSL code for the extensive Java 20 changes. (remm)
      </update>
      <fix>
        Fix a regression in refactoring for Hashtables which caused mbeans to
        lose many of their attributes. (remm)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <add>
        <bug>66203</bug>: Log an error message when the JSP compiler is unable
        to create the output directory for the generated code. (markt)
      </add>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <add>
        Further automation to the build process to reduce the number of manual
        steps that release managers must perform. (markt)
      </add>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.0-M20 (markt)" rtext="not released">
  <subsection name="Coyote">
    <changelog>
      <fix>
        Prepare OpenSSL Panama module for Java 20 API changes. (remm)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <update>
        Update the Apache Tomcat migration tool for Jakarta EE library to 1.0.4.
        (markt)
      </update>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.0-M19 (markt)" rtext="not released">
  <subsection name="Coyote">
    <changelog>
      <fix>
        Correct a regression in the previous fix for <bug>66236</bug>. (markt)
      </fix>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.0-M18 (markt)" rtext="not released">
  <subsection name="Catalina">
    <changelog>
      <fix>
        Correct handling of HTTP TRACE requests where there are multiple
        instances of an HTTP header with the same name. (markt)
      </fix>
      <fix>
        Implement the requirements of RFC 7231 and do not include sensitive
        headers in responses to HTTP TRACE requests. (markt)
      </fix>
      <fix>
        Implement the clarification in RFC 9110 that the units in HTTP range
        specifiers are case insensitive. (markt)
      </fix>
      <fix>
        Properly-escape role and group information when writing
        MemoryUserDatabase to an XML file. (schultz)
      </fix>
      <fix>
        Move control of XML-export logic from individual support classes into
        MemoryUserDatabase.save(). Deprecate and discontinue use of MemoryUser,
        MemoryRole, and MemoryGroup classes. (schultz)
      </fix>
      <fix>
        <bug>66183</bug>: When logging cookie values in an access log valve and
        there are multiple cookies with the same name, log all cookie values
        rather than just the first. Based on pull request <pr>541</pr> by Han
        Li. (markt)
      </fix>
      <fix>
        <bug>66184</bug>: Ensure that JULI root loggers have a default level of
        <code>INFO</code>. Pull request <pr>533</pr> provided by Piotr P.
        Karwasz. (markt)
      </fix>
      <fix>
        Improve handling of stack overflow errors when parsing SSI expressions.
        (markt)
      </fix>
      <fix>
        <bug>66120</bug>: Enable FORM authentication to work correctly if
        session persistence and restoration occurs during the authentication
        process. (markt)
      </fix>
      <fix>
        <bug>66233</bug>: Include an error message when sending a 400 response
        because a request has too many cookies. (markt)
      </fix>
      <fix>
        When web application deployment fails due to JARs with duplicate
        fragment names, improve the error message by listing the JARs that
        contain the duplicates. Based on pull request <pr>535</pr> by Mads
        Rolsdorph. (markt)
      </fix>
      <fix>
        Replace logging thread for JULI's <code>AsyncFileHandler</code> with an
        executor to protect against failure of the logging thread. Based on pull
        request <pr>545</pr> by Piotr P. Karwasz. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        Avoid potential NPE by skipping duplicate accept check when using a Unix
        Domain Socket. Based on <pr>532</pr> by Han Li. (markt)
      </fix>
      <fix>
        Address an edge case in HTTP header parsing that allowed CRCRLF to be
        used as a valid line terminator. (markt)
      </fix>
      <fix>
        Ensure HTTP/2 requests that include connection specific headers are
        rejected. (markt)
      </fix>
      <fix>
        When processing HTTP/2 requests, allow a <code>host</code> header to be
        used in place of an <code>:authority</code> header. (markt)
      </fix>
      <fix>
        When processing HTTP/2 requests, allow a <code>host</code> header and an
        <code>:authority</code> header to  be present providing they are
        consistent. (markt)
      </fix>
      <fix>
        When processing HTTP/2 requests, reject requests containing multiple
        <code>host</code> headers. (markt)
      </fix>
      <fix>
        Make parsing of invalid filename directives in
        <code>Content-Disposition</code> headers more robust. Invalid filename
        directives will now be ignored rather than triggering a 500 response.
        (markt)
      </fix>
      <fix>
        <bug>66194</bug>: Log HTTP/2 stream closures (usually caused by client
        errors) via a <code>UserDataHelper</code> to broadly align it with the
        behaviour of HTTP/1.1 for parsing issues and exceeding limits. (markt)
      </fix>
      <fix>
        <bug>66196</bug>: Align HTTP/1.1 with HTTP/2 and throw an exception when
        attempting to commit a response with an header value that includes one
        or more characters with a code point above 255. (markt)
      </fix>
      <fix>
        <bug>66236</bug>: Implement support for the special values zero and
        minus one when configuring <code>maxSavePostSize</code> for a Connector
        when used in conjunction with TLS renegotiation. (markt)
      </fix>
      <fix>
        <bug>66240</bug>: Avoid int overflow when parsing octets by limiting
        the maximum value to 255. Based on a PR <pr>548</pr> by Stefan Mayr.
        (lihan)
      </fix>
      <fix>
        <pr>550</pr>: Correctly handle case where a Servlet responds to a
        request with an expectation with a 2xx response without reading the
        request body. Pull request provided by Malay Shah. (markt)
      </fix>
      <fix>
        <pr>551</pr>: Avoid potential IndexOutOfBoundsException by fixing
        incorrect check when matching HTTP/2 preface. Submitted by 刘文章.
        (lihan)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <fix>
        Improve handling of stack overflow errors when parsing EL expressions.
        (markt)
      </fix>
      <fix>
        Correct parsing of integer and floating point literals in EL expressions
        so that larger values are correctly parsed to <code>BigInteger</code>
        and <code>BigDecimal</code> respectively. (markt)
      </fix>
      <fix>
        <bug>66235</bug>: Fix various issues with the bean resolver used for
        Graal. (remm)
      </fix>
      <fix>
        Improve the performance of the <code>ImportHandler</code> in the
        Expression Language implementation. This removes a previous optimisation
        that is now detrimental rather than helpful. Pull request <pr>547</pr>
        provided by rmannibucau. (markt)
      </fix>
      <fix>
        Improve handling of EL error messages so instances of Number are not
        formatted in unexpected ways. (markt/kkolinko)
      </fix>
      <fix>
        Switch to using ELException rather than IllegalArgumentException when a
        type conversion fails during an EL arithmetic operation. This is an EL
        error so ELException seems more appropriate. (markt)
      </fix>
      <fix>
        Fix a bug in <code>MethodExpression</code> handling that triggered an
        error when invoking a static method on an instance of the class rather
        than directly on the class. (markt)
      </fix>
      <fix>
        Use <code>BigInteger.remainder()</code> rather than
        <code>BigInteger.mod()</code> when performing the modulus operation for
        instances of <code>BigInteger</code> as part of an EL expression.
        (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Cluster">
    <changelog>
      <fix>
        To aid future additions of new functionality, rather than throw an
        <code>IllegalArgumentException</code> if a <code>DeltaRequest</code> is
        passed an unrecognised action type, a warning message will now be
        logged. (markt)
      </fix>
      <fix>
        <bug>66120</bug>: Enable FORM authentication to work correctly if
        session failover occurs during the authentication process. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="WebSocket">
    <changelog>
      <add>
        <bug>62312</bug>: Add support for authenticating WebSocket clients with
        an HTTP forward proxy when establishing a connection to a WebSocket
        endpoint via a forward proxy that requires authentication. Based on a
        patch provided by Joe Mokos. (markt)
      </add>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <fix>
        Ensure that zip archives use UTC for file modification times to ensure
        repeatable builds across time zones. (markt)
      </fix>
      <add>
        Improvements to Chinese translations. (lihan)
      </add>
      <add>
        Improvements to Czech translations. (markt)
      </add>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to German translations. (markt)
      </add>
      <add>
        Improvements to Japanese translations. Contributed by tak7iji and
        Shirayuking. (markt)
      </add>
      <add>
        Improvements to Korean translations. Contributed by 수현. (markt)
      </add>
      <add>
        Improvements to Brazilian Portuguese translations. (markt)
      </add>
      <add>
        Improvements to Russian translations. (markt)
      </add>
      <add>
        Improvements to Spanish translations. (markt)
      </add>
      <update>
        Update the Apache Tomcat migration tool for Jakarta EE library to 1.0.3.
        (markt)
      </update>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.0-M17 (markt)" rtext="2022-07-20">
  <subsection name="Catalina">
    <changelog>
      <fix>
        <bug>66104</bug>: Avoid error message by not trying to clean up old
        files from the logging directory before the directory has been created.
        Based on <pr>521</pr> by HanLi. (markt)
      </fix>
      <update>
        Update the Jakarta Common Annotations API to 2.1.1. This deprecates the
        <code>ManagedBean</code> annotation which will be removed in a future
        release. (markt)
      </update>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <add>
        Provide dedicated loggers
        (<code>org.apache.tomcat.util.net.NioEndpoint.handshake</code> /
        <code>org.apache.tomcat.util.net.Nio2Endpoint.handshake</code>) for TLS
        handshake failures. (markt)
      </add>
      <add>
        Enable the use of the FIPS provider for TLS enabled Connectors when
        using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards.
        (markt)
      </add>
      <scode>
        Remove the <code>jvmRoute</code> system property used to configure a
        default value for the <code>jvmRoute</code> attribute of an Engine.
        (markt)
      </scode>
      <update>
        Update experimental Panama modules with support for OpenSSL 3.0+.
        OpenSSL 1.1 remains supported. (remm)
      </update>
      <fix>
        Correct a regression in the refactoring to support experimentation with
        project Loom that broke HTTP/2 support if async IO was disabled. (markt)
      </fix>
      <fix>
        Fix duplicate Poller registration with HTTP/2, NIO and async IO that
        could cause HTTP/2 connections to unexpectedly fail. (markt)
      </fix>
      <update>
        Refactor Panama module to better take advantage of the Panama preview
        API updates and fixes. Improves memory session usage and avoids some
        allocations. Review from Maurizio Cimadamore. (remm)
      </update>
      <update>
        Update the minimum recommended version of the Tomcat Native Library to
        2.0.1. (markt)
      </update>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <add>
        Add support for specifying Java 19 (with the value <code>19</code>) as
        the compiler source and/or compiler target for JSP compilation. If used
        with an Eclipse JDT compiler version that does not support these values,
        a warning will be logged and the default will used.
        (markt)
      </add>
    </changelog>
  </subsection>
  <subsection name="WebSocket">
    <changelog>
      <update>
        Remove configuration settings related to the restriction on WebSocket
        endpoint deployment that was removed in version 2.1 of the
        specification. (markt)
      </update>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <fix>
        Documentation. <bug>62245</bug>: Include <code>contextXsltFile</code>
        when discussing options for configuring directory listings. (markt)
      </fix>
      <fix>
        Examples. Fix CVE-2022-34305, a low severity XSS vulnerability in the
        Form authentication example. (markt)
      </fix>
      <fix>
        Documentation. Expand the description of the <code>useSendfile</code>
        attribute for HTTP/2 and reference the possibility of file locking when
        using this feature on Windows operating systems. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <update>
        Update to bnd 6.3.1. (markt)
      </update>
      <update>
        The minimum Ant version required to build Tomcat 10.1.x is now 1.10.2.
        (markt)
      </update>
      <add>
        Add additional automation to the build process to reduce the number of
        manual steps that release managers must perform. (schultz)
      </add>
      <add>
        Implement support for reproducible builds. Reproducible builds are
        independent of operating system but require the same Ant version and
        same JDK (vendor and version) to be used as associated version
        information is embedded in a number of build outputs such as JAR file
        manifests. (markt)
      </add>
      <update>
        Update the minimum supported version of Tomcat Native to 1.2.34 to allow
        the removal of the deprecated Java API associated with features that
        will be removed in Tomcat Native 2.0.x. (markt)
      </update>
      <fix>
        Remove and/or update references to the removed
        <code>org.apache.tomcat.util.threads.res</code> package. The
        <code>LocalStrings*.properties</code> files in that package were moved
        to <code>org.apache.tomcat.util.threads</code> package for consistency
        with the rest of the Tomcat code base. (markt)
      </fix>
      <fix>
        <bug>66134</bug>: The NSIS based Tomcat installer for Windows now
        correctly handles the combination of <code>TomcatAdminRoles</code>
        defined in a configuration file and selecting the Manager and/or
        Host Manager web applications in the installer's GUI. (markt)
      </fix>
      <update>
        Update the OWB module to Apache OpenWebBeans 2.0.27. (remm)
      </update>
      <update>
        Update the CXF module to Apache CXF 3.5.3. (remm)
      </update>
      <update>
        Update the Apache Tomcat migration tool for Jakarta EE library to 1.0.1.
        (markt)
      </update>
      <update>
        Update the packaged version of the Tomcat Native Library to 2.0.1 to
        pick up the Windows binaries built with with OpenSSL 3.0.5. (markt)
      </update>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Japanese translations contributed tak7iji. (markt)
      </add>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.0-M16 (markt)" rtext="2022-06-09">
  <subsection name="Catalina">
    <changelog>
      <fix>
        Update the memory leak protection code to support stopping application
        created executor threads when running on Java 19 and later. (markt)
      </fix>
      <fix>
        Improve the error message if a required <code>--add-opens</code> option
        is missing. (markt)
      </fix>
      <fix>
        Disable the memory leak correction code enabled by the Context attribute
        <code>clearReferencesObjectStreamClassCaches</code> when running on a
        JRE that includes a fix for the underlying memory leak. (markt)
      </fix>
      <fix>
        <pr>515</pr>: Avoid deadlock on startup with some utility executor
        configurations. Submitted by Han Li. (remm)
      </fix>
      <fix>
        <bug>66068</bug>: Ensure that the changes made to a request by the
        <code>RemoteIPValve</code> persist after the request is put into
        asynchronous mode. (markt)
      </fix>
      <add>
        Include the major version in the recommended version used for Tomcat
        Native with the <code>AprLifecycleListener</code>. (markt)
      </add>
      <scode>
        Remove the reporting of the unused APR feature flags. (markt)
      </scode>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        Additional fix for <bug>65118</bug>. Fix a potential
        <code>NullPointerException</code> when pruning closed HTTP/2 streams
        from the connection. (markt)
      </fix>
      <scode>
        Refactor synchronization blocks locking on <code>SocketWrapper</code> to
        use <code>ReentrantLock</code> to support users wishing to experiment
        with project Loom. (markt)
      </scode>
      <fix>
        <bug>66076</bug>: When using TLS with non-blocking writes and the NIO
        connector, ensure that flushing the buffers attempts to empty all of the
        output buffers. (markt)
      </fix>
      <fix>
        <bug>66084</bug>: Correctly calculate bytes written to a response. Pull
        request <pr>516</pr> provided by aooohan HanLi. (markt)
      </fix>
      <add>
        Correct a regression in the support added for encrypted PKCS#1 formatted
        private keys in the previous release that broke support for unencrypted
        PKCS#1 formatted private keys. (jfclere/markt)
      </add>
      <update>
        Remove support for NPN when using the Tomcat Native Connector as NPN was
        never standardised and browser support for NPN was removed several years
        ago. (markt)
      </update>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <fix>
        Update XML schema used for generated web fragments to use the Servlet
        6.0 web fragment schema. (markt)
      </fix>
      <fix>
        Update the XML schema used by the web fragment defined for the Jasper EL
        JAR to use the Servlet 6.0 web fragment schema. (markt)
      </fix>
      <fix>
        Update <code>ImportHandler</code> optimisation for new classes
        introduced in Java 19. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Web Socket">
    <changelog>
      <fix>
        Update the XML schema used by the web fragment defined for the WebSocket
        JAR to use the Servlet 6.0 web fragment schema. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <fix>
        <bug>66064</bug>: Update the building page in the documentation web
        application to reflect changes in required Java version and source
        repository. (markt)
      </fix>
      <fix>
        Documentation. Make the description of the HTTP/1.1 configuration
        attributes that control the maximum allowed HTTP header size more
        specific. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Tribes">
    <changelog>
      <fix>
        Increase the default buffer size for replication messages from 43800 to
        65536 bytes. This is expected to improve performance for large messages
        when running on Linux based systems. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Japanese translations contributed by Shirayuking and
        tak7iji. (markt)
      </add>
      <add>
        Improvements to Chinese translations contributed by Dingzi2012. (markt)
      </add>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.0-M15 (markt)" rtext="2022-05-16">
  <subsection name="Catalina">
    <changelog>
      <scode>
        <bug>65853</bug>: Refactor the <code>CsrfPreventionFilter</code> to make
        it easier for sub-classes to modify the nonce generation and storage.
        Based on suggestions by Marvin Fröhlich. (markt)
      </scode>
      <fix>
        <bug>65991</bug>: Avoid NPE with <code>SSLAuthenticator</code> when
        <code>boundOnInit</code> is used on a connector, during the check
        for client certificate authentication availability. (remm)
      </fix>
      <fix>
        <bug>66009</bug>: Use <code>getSubjectX500Principal().toString()</code>
        rather than <code>getSubjectX500Principal().getName(...)</code> to
        retrieve a certificate DN, to match the output of the deprecated
        <code>getSubjectDN().getName()</code> that was used previously. (remm)
      </fix>
      <add>
        Revert the change in 10.1.0-M11 that added a mapping of
        <code>Shift_JIS</code> for the <code>ja</code> locale to the default
        mappings used by <code>ServletResponse.setLocale()</code> as it
        caused regressions for applications using UTF-8. (markt)
      </add>
      <add>
        Provide a property source that sources values from Kubernetes service
        bindings. Pull request <pr>512</pr> provided by Sumit Kulhadia and
        Gareth Evans. (markt)
      </add>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <add>
        <pr>501</pr>: Add new <code>maxHttpRequestHeaderSize</code> and
        <code>maxHttpResponseHeaderSize</code> attributes which allow setting
        the maximum HTTP header sizes independently. If not specified, the
        value of the <code>maxHttpHeaderSize</code> connector attribute will
        be used. Submitted by Zhongming Hua. (remm)
      </add>
      <fix>
        The root cause of the Linux kernel duplicate accept bug has been
        identified along with the version of the kernel that includes the fix.
        The error message displayed when this bug occurs has been updated to
        reflect this new information and to advise users to update to a version
        of the OS that uses kernel 5.10 or later. Thanks to Christopher Gual for
        the research into this issue. (markt)
      </fix>
      <scode>
        Remove the custom UTF-8 decoder that was introduced to work around
        various UTF-8 decoding bugs in Java. These issues were fixed in early
        Java 8 releases. Now the minimum Java version is 11, we can be sure that
        Tomcat will not be running on a JRE where these issues are present.
        (markt)
      </scode>
      <fix>
        <bug>66023</bug>: Improve the fix for <bug>65726</bug> and support HTTP
        upgrade with a request body for a wider set of use cases. (markt)
      </fix>
      <fix>
        <bug>66035</bug>: Add NULL check on the SSL session reference in the
        Panama code before accessing the session id and creation time. (remm)
      </fix>
      <add>
        Add support for encrypted PKCS#1 formatted private keys when configuring
        the internal, in memory key store. Based on <pr>511</pr>.
        (jfclere/markt)
      </add>
      <fix>
        Remove the <code>prestartminSpareThreads</code> attribute of the
        <code>StandardThreadExecutor</code> since all core threads are always
        started by default making this attribute meaningless. Pull request
        <pr>510</pr> provided by Aooohan. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <update>
        To align with the JSP 3.1 specification, make the
        <code>jsp:plugin</code> action a NO-OP. No HTML will be generated as a
        result the <code>jsp:plugin</code> action being included in a JSP. This
        is be because the associated HTML elements are no longer supported by
        any major browser. (markt)
      </update>
      <fix>
        <bug>66031</bug>: Fix NPE when using a custom JspFactory. Patch by
        Jean-Louis Monteiro. (remm)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Webapps">
    <changelog>
      <fix>
        <bug>66008</bug>: In the documentation web application, clarify the
        recommendation for the use the <code>trimSpaces</code> option for Jasper
        in production environments. (markt)
      </fix>
      <fix>
        Update the documentation web application to state that the
        <code>EncryptInterceptor</code> does not provide sufficient protection
        to run Tomcat clustering over an untrusted network. This is
        CVE-2022-29885. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <add>
        Improvements to Chinese translations contributed by shawn. (markt)
      </add>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to German translations contributed by Thomas Hoffmann.
        (markt)
      </add>
      <add>
        Improvements to Japanese translations contributed by Shirayuking.
        (markt)
      </add>
      <add>
        Improvements to Korean translations. (woonsan)
      </add>
      <update>
        Update to Commons Daemon 1.3.1. This fixes a known regression in 1.3.0
        when configuring the Windows service with custom scripts as described in
        <bug>66055</bug>. (markt)
      </update>
      <update>
        Update to JSign 4.1. (markt)
      </update>
      <update>
        Update the packaged version of the Tomcat Native Library to 1.2.33 to
        pick up Windows binaries built with OpenSSL 1.1.1o.(markt)
      </update>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.0-M14 (markt)" rtext="2022-04-01">
  <subsection name="Catalina">
    <changelog>
      <fix>
        <bug>65736</bug>: Disable the <code>forceString</code> option for the
        JNDI <code>BeanFactory</code> and replace it with an automatic search
        for an alternative setter with the same name that accepts a
        <code>String</code>. This is a security hardening measure. (markt)
      </fix>
      <add>
         Remove the <code>WebappClassLoaderBase.getResources()</code> method as
         it is not used and if something accidentally exposes the class loader
         this method can be used to gain access to Tomcat internals. (markt)
      </add>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.0-M13 (markt)" rtext="not released">
  <subsection name="Catalina">
    <changelog>
      <scode>
        Update the JASPIC 2.0 API to Jakarta Authentication 3.0 (JASPIC was
        renamed for Jakarta EE 10) including the implementation of the new
        methods on <code>AuthConfigFactory</code>. (markt)
      </scode>
      <scode>
        Harden the CredentialHandler implementations by switching to a
        constant-time implementation for credential comparisons. (schultz/markt)
      </scode>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        Use a constant for the default TLS cipher suite. This will allow
        skipping setting it in some cases (for example, it does not make
        sense for OpenSSL TLS 1.3). (remm)
      </fix>
      <fix>
        <pr>487</pr>: Improve logging of unknown settings frames. Pull request
        by Thomas Hoffmann. (remm)
      </fix>
      <add>
        <bug>65975</bug>: Add a warning if a TLS virtual host is configured with
        optional certificate authentication and the containing connector is also
        configured to support HTTP/2 as HTTP/2 does not permit optional
        certificate authentication. (markt)
      </add>
      <add>
        <bug>65975</bug>: Add a warning if a TLS virtual host is configured for
        TLS 1.3 with a JSSE implementation and a web application is configured
        for <code>CLIENT-CERT</code> authentication. <code>CLIENT-CERT</code>
        authentication requires post-handshake authentication (PHA) when used
        with TLS 1.3 but the JSSE TLS 1.3 implementation does not support PHA.
        (markt)
      </add>
      <fix>
        Improve the recycling of Processor objects to make it more robust.
        (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <fix>
        <bug>65959</bug>: Serialize Function as String[] rather Class[]. (remm)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <fix>
        <bug>65947</bug>: Correct the name of HTTP/1.1 configuration property
        (<code>maxHttpHeaderSize</code>) that is inherited by the HTTP/2 upgrade
        protocol. Thanks to Thomas Hoffmann. (markt)
      </fix>
      <fix>
        <bug>65952</bug>: Align <code>--add-opens</code> configuration for jsvc
        with the current Tomcat scripts. (markt)
      </fix>
      <fix>
        Correct the AJP and HTTP/1.1 Connector configuration pages in the
        documentation web application to show which attributes are applicable to
        all Connectors and which are implementation specific. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <fix>
        Correct a spelling mistake in the German translations. Thanks to Thomas
        Hoffmann. (markt)
      </fix>
      <fix>
        <bug>65951</bug>: Use the <code>tomcat.output</code> property for OSGi
        bundle manifest paths. (isapir)
      </fix>
      <update>
        Update to Commons Daemon 1.3.0. (markt)
      </update>
      <update>
        Update to Checkstyle 10.0. (markt)
      </update>
      <update>
        Update to SpotBugs 4.6.0. (markt)
      </update>
      <add>
        Expand the <code>spotbugs</code> Ant task to also cover test code.
        (markt)
      </add>
      <update>
        Update to bnd 6.2.0. (markt)
      </update>
      <update>
        Remove OSGi annotations dependency as it is no longer required with bnd
        6.2.0. (markt)
      </update>
      <update>
        Update to the Eclipse JDT compiler 4.23. (markt)
      </update>
      <scode>
        Refactor the resource files for the Apache Tomcat installer for Windows
        so that all the resource files are located in a single directory in the
        source tree. (markt)
      </scode>
      <update>
        Update the packaged version of the Tomcat Native Library to 1.2.32 to
        pick up Windows binaries built with OpenSSL 1.1.1n.(markt)
      </update>
      <add>
        Improvements to Chinese translations contributed by 15625988003. (markt)
      </add>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Japanese translations contributed by tak7iji. (markt)
      </add>
      <add>
        Expand coverage of translations for <code>jakarta.el</code> package.
        Based on <pr>488</pr> from Volodymyr Siedlecki. (markt)
      </add>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.0-M12 (markt)" rtext="2022-03-14">
  <subsection name="Catalina">
    <changelog>
      <fix>
        <pr>477</pr>: Update the default list of JARs to skip to include the
        Apache Log4j JAR for Jakarta EE platforms. Pull request by Michael
        Seele. (markt)
      </fix>
      <fix>
        <bug>65921</bug>: The <code>type</code> substitution flag for the
        rewrite valve should set the content type for the response, not the
        request. (markt)
      </fix>
      <fix>
        <pr>479</pr>: Enable the rewrite valve to redirect requests when the
        original request cannot be mapped to a context. This typically happens
        when no ROOT context is defined. Pull request by elkman. (markt)
      </fix>
      <fix>
        <bug>65940</bug>: Fix <code>NullPointerException</code> if an exception
        occurs during the destruction of a Servlet. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        Fix regression introduced with <bug>65757</bug> bugfix which better
        identified non request threads but which introduced a similar problem
        when user code was doing sequential operations in a single thread.
        Test case code submitted by Istvan Szekely. (remm)
      </fix>
      <fix>
        Fix potential thread-safety issue that could cause HTTP/1.1 request
        processing to wait, and potentially timeout, waiting for additional
        data when the full request has been received. (markt)
      </fix>
      <fix>
        Throw <code>IOException</code> rather than
        <code>IllegalStateException</code> when the application attempts to
        write to an HTTP/2 stream after the client has closed the stream.
        (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <fix>
        When resolving methods in EL expressions that use beans and/or static
        fields, ensure that any custom type conversion is considered when
        identifying the method to call. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <fix>
        Correct the name of the <code>value</code> attribute in the new
        documentation of <code>OpenSSLConfCmd</code> elements. (rjung)
      </fix>
    </changelog>
  </subsection>
  <subsection name="WebSocket">
    <changelog>
      <fix>
        Fix typo in JPMS substitution configuration for WebSocket client module.
        (markt)
      </fix>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.0-M11 (markt)" rtext="2022-02-28">
  <subsection name="Catalina">
    <changelog>
      <add>
        Add <code>ha-api-*.jar</code> and <code>jaxws-rt-*.jar</code> to the
        list of JARs to skip when scanning for TLDs, web fragments and
        annotations. (michaelo)
      </add>
      <add>
        Expand the default mappings used by
        <code>ServletResponse.setLocale()</code> to include a mapping from the
        <code>ja</code> locale to the <code>Shift_JIS</code> encoding. (markt)
      </add>
      <fix>
        <bug>65806</bug>: Improve the handling of session ID generation when the
        default algorithm for <code>SecureRandom</code> (<code>SHA1PRNG</code>)
        is not supported by the configured providers as will be the case for a
        FIPS compliant configuration. (markt)
      </fix>
      <add>
        <pr>463</pr>: Add support for additional user attributes to
        <code>TomcatPrincipal</code> and <code>GenericPrincipal</code>.
        Patch provided by Carsten Klein. (michaelo)
      </add>
      <fix>
        <pr>464</pr>: Fall back to the class loader used to load JULI when the
        thread context class loader is not set. In a normal Tomcat
        configuration, this will be the system class loader. Based on a pull
        request by jackshirazi. (markt)
      </fix>
      <fix>
        <pr>469</pr>: Include the Jakarata Annotations API in the classes that
        Tomcat will not load from web applications. Pull request provided by
        ppkarwasz. (markt)
      </fix>
      <fix>
        Fix a potential <code>StringIndexOutOfBoundsException</code> exception
        when generating a WebDAV multi-status response after an error during a
        copy or delete. Report the paths relative to the server root for any
        resources with an error. (markt)
      </fix>
      <fix>
        Improve the format of WebDAV XML responses to make them easier for
        humans to read. The change ensures that there is always a line break
        before starting a new element. (markt)
      </fix>
      <fix>
        Improve validation of the <code>Destination</code> header for WebDAV
        <code>MOVE</code> and <code>COPY</code> requests. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        Correct a regression in the fix for <bug>65454</bug> that meant that
        <code>minSpareThreads</code> and <code>maxThreads</code> settings were
        ignored when the Connector used an internal executor. (markt)
      </fix>
      <fix>
        <bug>65776</bug>: Improve the detection of the Linux duplicate accept
        bug and reduce (hopefully avoid) instances of false positives. (markt)
      </fix>
      <fix>
        <bug>65848</bug>: Revert the change that attempted to align the
        behaviour of client certificate authentication with NIO or NIO2 with
        OpenSSL for TLS between MacOS and Linux/Windows as the root cause was
        traced to configuration differences. (markt)
      </fix>
      <fix>
        <pr>467</pr>: When system time moves backwards (e.g. after clock
        correction), ensure that the cached formatted current date used for
        HTTP headers tracks this change. Pull request provided by zhenguoli.
        (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <fix>
        <pr>474</pr>: Prevent a tag file from corrupting the ELContext of the
        calling page. Pull request provided by Dmitri Blinov. (markt)
      </fix>
      <fix>
        Minor optimisation of serialization for <code>FunctionMapperImpl</code>
        in response to pull request <pr>476</pr>. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <fix>
        Remove the applet example from the example web application as applets
        are no longer supported in any major browser. (markt)
      </fix>
      <scode>
        Refactor a small number of pages in the examples web application to
        avoid an issue with reproducible builds due to differences in file
        ordering across different operating systems with Ant's zip task. (markt)
      </scode>
      <fix>
        Better documentation for the <code>protocol</code> attribute of the
        <code>JNDIRealm</code>. (markt)
      </fix>
      <fix>
        Clarify the settings described in the documentation web application to
        configure a cluster using static membership. (markt)
      </fix>
      <add>
        Add information on the <code>OpenSSLConf</code> and
        <code>OpenSSLConfCmd</code> elements to the HTTP SSL configuration page
        in the documentation web applications. (markt)
      </add>
    </changelog>
  </subsection>
  <subsection name="jdbc-pool">
    <changelog>
      <scode>
        Use LF line endings for text files in JARs to support reproducible
        builds across different operating systems. (markt)
      </scode>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <scode>
        Use LF line endings for text files in JARs to support reproducible
        builds across different operating systems. (markt)
      </scode>
      <fix>
        Fix dependencies for individual test targets in Ant build file. Based on
        <pr>468</pr> provided by Totoo chenyonghui. (markt)
      </fix>
      <update>
        Update the OWB module to Apache OpenWebBeans 2.0.26. (remm)
      </update>
      <fix>
        Revert the cherry-pick of JavaDoc fix from DBCP applied in 10.1.0.M9
        that broke the <code>DataSourceMXBean</code> by using a type that isn't
        supported by MXBeans. (markt)
      </fix>
      <add>
        Improvements to Chinese translations contributed by cloudgyb, totoo and
        Chenyonghui1028. (markt)
      </add>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to German translations contributed by Andreas Abraham.
        (markt)
      </add>
      <add>
        Improvements to Japanese translations contributed by tak7iji and
        Shirayuking. (markt)
      </add>
      <add>
        Improvements to Korean translations. (woonsan)
      </add>
      <add>
        Improvements to Spanish translations contributed by ceciliabarudi.
        (markt)
      </add>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.0-M10 (markt)" rtext="2022-01-20">
  <subsection name="Coyote">
    <changelog>
      <fix>
        Correct a regression in the fix for <bug>65785</bug> that broke HTTP/2
        server push. (markt)
      </fix>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.0-M9 (markt)" rtext="not released">
  <subsection name="Catalina">
    <changelog>
      <fix>
        Add missing check in <code>SessionCookieConfig.setAttribute()</code> to
        ensure that the method fails if called after the web application has
        started. (markt)
      </fix>
      <fix>
        Add additional locking to <code>DataSourceUserDatabase</code> to provide
        improved protection for concurrent modifications. (markt)
      </fix>
      <fix>
        Add recycling check in the input and output stream isReady to try to
        give a more informative ISE when the facade has been recycled. (remm)
      </fix>
      <fix>
        Make the calculation of the session storage location more robust when
        using file based persistent storage. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        <bug>65726</bug>: Implement support for HTTP/1.1 upgrade when the
        request includes a body. The maximum permitted size of the body is
        controlled by <code>maxSavePostSize</code>. (markt)
      </fix>
      <fix>
        Restore pre-starting of <code>minSpareThreads</code> lost in the fix for
        <bug>65454</bug>. (markt)
      </fix>
      <fix>
        Revert the previous fix for <bug>65714</bug> and implement a more
        comprehensive fix. (markt)
      </fix>
      <fix>
        Allow freeing up context on JVM shutdown in the OpenSSL Panama module
        by properly using a shared scope. (remm)
      </fix>
      <fix>
        <bug>65757</bug>: Missing initial IO listener notification on Servlet
        container dispatch to another container thread. (remm)
      </fix>
      <fix>
        Expand the fix for <bug>65757</bug> so that rather than just checking if
        processing is happening on a container thread, the check is now if
        processing is happening on the container thread currently allocated to
        this request/response. (markt)
      </fix>
      <fix>
        Improve the fix for RST frame ordering added in 10.1.0-M8 to avoid a
        potential deadlock on some systems in non-default configurations.
        (markt)
      </fix>
      <add>
        <bug>65767</bug>:  Add support for certificates that use keys encrypted
        using PBES2. Based on a pull request provided by xiezhaokun. (markt)
      </add>
      <scode>
        Refactor testing whether a String is a valid HTTP token. (markt)
      </scode>
      <fix>
        <bug>65785</bug>: Perform additional validation of HTTP headers when
        using HTTP/2. (markt)
      </fix>
      <fix>
        When a Connector or Endpoint is paused, ensure that only new connections
        and new requests on existing connections are stopped while allowing in
        progress requests to run to completion. (markt)
      </fix>
      <fix>
        Explicitly release ByteBuffer instances associated with pooled channels
        when stopping the NioEndpoint and Nio2Endpoint. (markt)
      </fix>
      <fix>
        Narrow the scope of the logging of invalid cookie headers to just the
        invalid cookie rather than the whole cookie header. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <fix>
        <bug>65724</bug>: Fix missing messages for some
        <code>PropertyNotWritableException</code>s caused by a typo in the name
        used for a resource string. (markt)
      </fix>
      <add>
        Add support for specifying Java 18 (with the value <code>18</code>) as
        the compiler source and/or compiler target for JSP compilation. If used
        with an Eclipse JDT compiler version that does not support these values,
        a warning will be logged and the default will used.
        (markt)
      </add>
      <update>
        To align with the JSP 3.1 specification that requires Java 11 as a
        minimum, make the default JSP source version and target version Java 11.
        (markt)
      </update>
    </changelog>
  </subsection>
  <subsection name="WebSocket">
    <changelog>
      <fix>
        Remove the <code>ALLOW_UNSUPPORTED_EXTENSIONS</code> system property. As
        per RFC 6455, all extensions are optional. If an endpoint declares an
        extension that isn't supported there is no need to trigger an error. The
        extension can just be excluded from the result of the negotiation.
        (markt)
      </fix>
      <fix>
        Remove the <code>DISABLE_BUILTIN_EXTENSIONS</code>. It was added to
        enable Tomcat to pass the WebSocket TCK but after updates to the TCK, it
        is no longer required. (markt)
      </fix>
      <add>
        Add support for POJO WebSocket endpoints to the programmatic upgrade
        that allows applications to opt to upgrade an HTTP connection to
        WebSocket. (markt)
      </add>
      <add>
        Add support for the WebSocket 2.1 client-side API for configuring TLS
        connection for wss client connections. (markt)
      </add>
      <fix>
        <bug>65763</bug>: Improve handling of WebSocket connection close if a
        message write times out before the message is fully written. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <update>
        Update the OWB module to Apache OpenWebBeans 2.0.25. (remm)
      </update>
      <update>
        Update the CXF module to Apache CXF 3.5.0. (remm)
      </update>
      <add>
        Improvements to Chinese translations contributed by zhnnn. (markt)
      </add>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Japanese translations contributed by Shirayuking, yoshy
        and tak7iji. (markt)
      </add>
      <add>
        Improvements to Korean translations. (woonsan)
      </add>
      <add>
        Improvements to Spanish translations contributed by Israel. (markt)
      </add>
      <update>
        Update SpotBugs to 4.5.2. (markt)
      </update>
      <update>
        Update to the Eclipse JDT compiler 4.22. (markt)
      </update>
      <update>
        Update the NSIS installer to 3.08. (markt)
      </update>
      <update>
        Update UnboundID to 6.0.3. (markt)
      </update>
      <update>
        Update CheckStyle to 9.2.1. (markt)
      </update>
      <update>
        Update BND to 6.1.0. (markt)
      </update>
      <update>
        Update OSGI annotations to 1.1.1. (markt)
      </update>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.0-M8 (markt)" rtext="2021-12-08">
  <subsection name="Catalina">
    <changelog>
      <update>
        Log warning if a listener is not nested inside a Server element
        although it must have been. (michaelo)
      </update>
      <fix>
        Where the getter can be called safely, remove the checks for
        <code>ServletContext</code> getters called from a
        <code>contextInitialized()</code> method of a
        <code>ServletContextListener</code> that was not defined in a
        <code>web.xml</code> file, a <code>web-fragment.xml</code> file nor
        annotated with <code>WebListener</code>. (markt)
      </fix>
      <fix>
        Make SPNEGO authentication more robust for the case where the provided
        credential has expired. (markt)
      </fix>
      <fix>
        Limit cookie support to RFC 6265 to align with recent updates to the
        Servlet specification. (markt)
      </fix>
      <fix>
        <bug>65684</bug>: Fix a potential <code>NullPointerException</code> when
        using JULI. (markt)
      </fix>
      <docs>
        Document conditions under which the <code>AprLifecycleListener</code>
        can be used to avoid JVM crashes. (michaelo)
      </docs>
      <fix>
        Refactor the <code>AsyncFileHandler</code> to reduce the possibility of
        log messages being lost on shutdown. (markt)
      </fix>
      <update>
        Refactor the <code>AsyncFileHandler</code> to remove the need for the
        <code>org.apache.juli.AsyncLoggerPollInterval</code>. If set, this
        property now has no effect. (markt)
      </update>
      <add>
        Add debug logging to the <code>RestCsrfPreventionFilter</code>. Based on
        pull request <pr>452</pr> by Polina Georgieva. (markt)
      </add>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <add>
        Use implicit scopes in the OpenSSL Panama module to tie the cleanup of
        OpenSSL memory to the Java GC. (remm)
      </add>
      <add>
        Provide protection against a known <a
        href="https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1924298">OS
        bug</a> that causes the acceptor to report an incoming connection more
        than once. (markt)
      </add>
      <fix>
        Avoid unnecessary duplicate read registrations for blocking I/O with the
        NIO connector. (markt)
      </fix>
      <fix>
        <bug>65677</bug>: Improve exception handling for errors during HTTP/1.1
        reads with NIO2. (markt)
      </fix>
      <fix>
        When an error occurs that triggers a stream reset, ensure that the first
        <code>RST</code> frame sent to the client is the one associated with the
        error that triggered the reset. (markt)
      </fix>
      <fix>
        <bug>65714</bug>: Fix exceptions when the security manager is enabled
        and the first request received after starting is an HTTP request to a
        TLS enabled NIO2 connector. (markt)
      </fix>
      <add>
        Ensure that using NIO or NIO2 with OpenSSL for TLS behaves the same way
        on MacOS as it does on Linux and Windows when no trusted certificate
        authorities are configured and reject all client certificates. (markt)
      </add>
      <fix>
        Avoid a potential deadlock during the concurrent processing of incoming
        HTTP/2 frames for a stream and that stream being reset. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="WebSocket">
    <changelog>
      <add>
        Update the WebSocket API packaging to remove the copy of the client API
        from the server API and replace it with a dependency on the client API.
        This aligns Tomcat with changes in the WebSocket 2.1 specification.
        (markt)
      </add>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.0-M7 (markt)" rtext="2021-11-15">
  <subsection name="Catalina">
    <changelog>
      <scode>
        Refactor <code>HttpServlet</code> so the default <code>doHead()</code>
        implementation now calls <code>doGet()</code> and relies on the
        container to ensure that the response body is not sent. The previous
        behaviour (wrapping the response) may be enabled per Servlet by setting
        the <code>jakarta.servlet.http.legacyDoHead</code> Servlet
        initialisation parameter to <code>true</code>. This aligns Tomcat with
        recent changes updates for Servlet 6.0 in the Jakarta Servlet
        specification project. (markt)
      </scode>
      <add>
        Add support for setting generic attributes for session cookies. This
        aligns Apache Tomcat with recent changes in the Jakarta Servlet
        specification project. (markt)
      </add>
      <fix>
        Do not add a trailing <code>/</code> to a request URI during
        canonicalization. (markt)
      </fix>
      <fix>
        Invalid byte sequences (typically in %nn form) in a request URi that are
        not valid for the given URI encoding now trigger a 400 response. (markt)
      </fix>
      <fix>
        Ensure that a request URI starts with a <code>/</code>. (markt)
      </fix>
      <add>
        Add a new Connector option, <code>rejectSuspiciousURIs</code> that will
        causes 'suspicious' (see the Servlet 6.0 specification) URIs to be
        rejected with a 400 response. (markt)
      </add>
      <fix>
        Improve robustness of JNDIRealm for exceptions occurring when getting
        the connection. Also add missing close when running into issues
        getting the passord of a user. (remm)
      </fix>
      <docs>
        Add Javadoc comment which listeners must be nested within
        <code>Server</code> elements only. (michaelo)
      </docs>
      <add>
        Add support for custom caching strategies for web application resources.
        This initial implementation allows control over whether or not a
        resource is cached. (markt)
      </add>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <scode>
        Improve performance of Connector shutdown - primarily to reduce the time
        it takes to run the test suite. (markt)
      </scode>
      <add>
        <pr>457</pr>: Add a <code>toString()</code> method to
        <code>MimeHeader</code> to aid debugging. (dblevins)
      </add>
      <add>
        Add experimental OpenSSL support through the Panama API incubating in
        Java 17, with support for OpenSSL 1.1+. This no longer requires
        tomcat-native or APR. Please refer to the <code>openssl-java17</code>
        module for more details. (remm)
      </add>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <update>
        Regenerate the EL parser using JavaCC 7.0.10. (markt)
      </update>
      <fix>
        Fix a bug that prevented the EL parser correctly parsing a literal Map
        that used variables rather than literals for both keys and values.
        (markt)
      </fix>
      <update>
        Ensure that the <code>getType()</code> method of any
        <code>ELResolver</code> implementation returns <code>null</code> if
        either the <code>ELResolver</code> or the resolved property is read-only
        to align Tomcat with recent updates in the Jakarta EL specification
        project. (markt)
      </update>
      <fix>
        Implement an alternative solution to support the JSP page directive
        attribute <code>isThreadSafe</code> now that the
        <code>SingleThreadModel</code> interface has been removed from the
        Servlet API. The new approach synchronizes the <code>service()</code>
        method.
      </fix>
    </changelog>
  </subsection>
  <subsection name="WebSocket">
    <changelog>
      <update>
        Add a new method<code>
        ServerEndpointConfig.Configurator.getContainerDefaultConfigurator()
        </code>to align with recent updates in the WebSocket specification
        project. (markt)
      </update>
      <update>
        Add a new method <code>ServerContainer.upgradeHttpToWebSocket()</code>
        to align with recent updates in the WebSocket specification project.
        (markt)
      </update>
    </changelog>
  </subsection>
  <subsection name="Tribes">
    <changelog>
      <fix>
        <pr>454</pr>: Differentiate warning messages in
        <code>KubernetesMembershipProvider</code> so that the missing attribute
        is clear to the user. PR provided by Hal Deadman. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <fix>
        Switch from Cobertura to JaCoCo for code coverage as Cobertura does not
        support code coverage for code compiled for Java 11 onwards. It also
        removes the need to use a single thread to run the tests. (markt)
      </fix>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.0-M6 (markt)" rtext="2021-10-01">
  <subsection name="Catalina">
    <changelog>
      <fix>
        Provide the DataSource in the constructor of
        <code>DataSourceUserDatabase</code>, since it is always global. (remm)
      </fix>
      <fix>
        Fix delete then create object manipulations with
        <code>DataSourceUserDatabase</code>. (remm)
      </fix>
      <update>
        Remove all deprecated code from the Servlet API to align Tomcat with
        recent changes in the Jakarta Servlet specification project. (markt)
      </update>
      <add>
        Add the currently available Jakarta EE 10 schemas from the Jakarta EE
        schema project. (markt)
      </add>
      <add>
        Implement the new connection ID and request ID API for Servlet 6.0.
        (markt)
      </add>
      <fix>
        <bug>65553</bug>: Implement a work-around for a
        <a href="https://bugs.openjdk.java.net/browse/JDK-8273874">JRE bug</a>
        that can trigger a memory leak when using the JNDI realm. (markt)
      </fix>
      <fix>
        <bug>65586</bug>: Fix the bloom filter used to improve performance of
        archive file look ups in the web resources implementation so it works
        correctly for directory lookups whether or not the provided directory
        name includes the trailing <code>/</code>. (markt)
      </fix>
      <fix>
        <pr>451</pr>: Improve the usefulness of the thread name cache used in
        JULI. Pull request provided by t-gergely. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        <bug>65563</bug>: Correct parsing of HTTP <code>Content-Range</code>
        headers. Tomcat was incorrectly requiring an <code>=</code> character
        after <code>bytes</code>. Fix based on pull request <pr>449</pr> by
        Thierry Guérin. (markt)
      </fix>
      <fix>
        Correct a potential <code>StackOverflowException</code> with HTTP/2 and
        sendfile. (markt)
      </fix>
      <fix>
        Further improvements in the management of the connection flow control
        window. This addresses various bugs that caused streams to incorrectly
        report that they had timed out waiting for an allocation from the
        connection flow control window. (markt)
      </fix>
      <fix>
        <bug>65577</bug>: Fix a <code>AccessControlException</code> reporting
        when running an NIO2 connector with TLS enabled. (markt)
      </fix>
      <update>
        Reclassify TLS ciphers that use AESCCM8 as medium security rather than
        high security to align with recent changes in OpenSSL. (markt)
      </update>
      <fix>
        Fix an issue that caused some Servlet non-blocking API reads of the HTTP
        request body to incorrectly use blocking IO. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <scode>
        Deprecate <code>ELResolver.getFeatureDescriptors</code> to align Tomcat
        with recent updates in the Jakarta EL specification project. (markt)
      </scode>
      <add>
        Add support for default methods to <code>BeanRELResolver</code> to align
        Tomcat with recent updates in the Jakarta EL specification project.
        (markt)
      </add>
      <add>
        Add support for <code>MethodReference</code> and the associated getter
        on <code>MethodExpression</code> to align Tomcat with recent updates in
        the Jakarta EL specification project. (markt)
      </add>
      <add>
        Refactor <code>ScopedAttributeELResolver</code> to separate out the
        functionality that is unrelated to scoped attributes into two new
        resolvers: <code>ImportELResolver</code> and
        <code>NotFoundELResolver</code>. This aligns Tomcat with recent updates
        to the Jakarta Server Pages specification. (markt)
      </add>
      <fix>
        Fix the implementation of <code>MethodExpression.getMethodInfo()</code>
        so that it returns the expected value rather than failing when the
        method expression is defined with the parameter values in the expression
        rather than the types being passed explicitly to
        <code>ExpressionFactory.createMethodExpression()</code>. (markt)
      </fix>
      <add>
        Add support for a new page/tag directive <code>errorOnELNotFound</code>
        that can be used to trigger an identifier if an EL expression in a
        page/tag contains an identifier that cannot be resolved. (markt)
      </add>
    </changelog>
  </subsection>
  <subsection name="WebSocket">
    <changelog>
      <fix>
        The internal upgrade handler should close the associated
        <code>WebConnection</code> on destroy. (remm)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <update>
        Update the web applications that are included with Apache Tomcat to use
        the Jakarta EE 10 schema for web.xml. (markt)
      </update>
      <fix>
        Clarify the JASPIC configuration options in the documentation web
        application. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <fix>
        <bug>65585</bug>: Update obsolete comments at the start of the
        <code>build.properties.default</code> file. (markt)
      </fix>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.0-M5 (markt)" rtext="2021-09-10">
  <subsection name="Catalina">
    <changelog>
      <fix>
        Enable Tomcat to start if an (old) XML parser is configured that does
        not support <code>allow-java-encodings</code>. A warning will be logged
        if such an XML parser is detected. (markt)
      </fix>
      <fix>
        Change the behaviour of custom error pages. If an error occurs after the
        response is committed, once the custom error page content has been added
        to the response the connection is now closed immediately rather than
        closed cleanly. i.e. the last chunk that marks the end of the response
        body is no longer sent. This acts as an additional signal to the client
        that the request experienced an error. (markt)
      </fix>
      <fix>
        <bug>65479</bug>: When handling requests using JASPIC authentication,
        ensure that <code>PasswordValidationCallback.getResult()</code> returns
        the result of the password validation rather than always returning
        <code>false</code>. Fixed via pull request <pr>438</pr> provided by
        Robert Rodewald. (markt)
      </fix>
      <update>
        Improve the reusability of the <code>UserDatabase</code> by adding
        intermediate concrete implementation classes and allowing to do
        partial database updates on <code>save</code>. (remm)
      </update>
      <scode>
        Refactor the authenticators to delegate the check for preemptive
        authentication to the individual authenticators where an authentication
        scheme specific check can be performed. Based on pull request
        <pr>444</pr> by Robert Rodewald. (markt)
      </scode>
      <add>
        Add a <code>UserDatabase</code> implementation as a superset of the
        <code>DataSourceRealm</code> functionality. (remm)
      </add>
      <fix>
        Make sure the dynamic Principal returned by
        <code>UserDatabaseRealm</code> stays up to date with the database
        contents, and add an option to have it be static, similar to the other
        realms. (remm)
      </fix>
      <add>
        Add <code>derby-*.jar</code> to the list of JARs to skip when scanning
        for TLDs, web fragments and annotations. (markt)
      </add>
      <fix>
        <pr>447</pr>. Correct JPMS metadata for catalina.jar. Pull request
        provided by Hui Wang. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        Correct a logic error that meant setting
        <code>certificateKeystoreFile</code> to <code>NONE</code> did not have
        the expected effect. <code>NONE</code> was incorrectly treated as a file
        path. Patch provided by Mikael Sterner. (markt)
      </fix>
      <scode>
        Remove the deprecated APR/Native connector which includes the HTTP APR
        and the AJP APR connector. Also remove the Java interfaces to the
        APR/Native library that are not used by the OpenSSL integration for the
        NIO and NIO2 connectors. (markt)
      </scode>
      <scode>
        Refactor the JSSE/OpenSSL integration to avoid the use of
        <code>finalize()</code>. (markt)
      </scode>
      <fix>
        <bug>65505</bug>: When an HTTP header value is removed, ensure that the
        order of the remaining header values is unchanged. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="WebSocket">
    <changelog>
      <fix>
        <bug>65506</bug>: Fix write timeout check that was using the read
        timeout value. Patch submitted by Gustavo Mahlow. (remm)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <fix>
        Remove unnecessary Context settings from the examples web application.
        (markt)
      </fix>
      <fix>
        Document default value for <code>unpackWARs</code> and related clean-up.
        Pull request <pr>439</pr> provided by Robert Rodewald. (markt)
      </fix>
      <fix>
        Clarify the documentation of the <code>compressionMinSize</code> and
        <code>compressibleMimeType</code> HTTP <code>Connector</code>
        attributes. Pull request <pr>442</pr> provided by crisgeek. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Tribes">
    <changelog>
      <scode>
        Refactor the <code>ParallelNioSender</code> to avoid the use of
        <code>finalize()</code>. (markt)
      </scode>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <fix>
        Fix failing build when building on non-English locales. Pull request
        <pr>441</pr> provided by Dachuan J. (markt)
      </fix>
      <update>
        Update to JSign version 4.0 to enable code signing without the need for
        the installation of additional client tools. (markt)
      </update>
      <update>
        Add Apache Derby 10.15.2.0 to the testsuite dependencies, for JDBC
        and DataSource testing. (remm)
      </update>
      <add>
        Update the internal fork of Apache Commons BCEL to 40d5eb4 (2021-09-01,
        6.6.0-SNAPSHOT). Code clean-up only. (markt)
      </add>
      <add>
        Update the internal fork of Apache Commons Codec to fd44e6b (2021-09-01,
        1.16-SNAPSHOT). Minor refactoring. (markt)
      </add>
      <add>
        <bug>65661</bug>: Update the internal fork of Apache Commons FileUpload
        to 33d2d79 (2021-09-01, 2.0-SNAPSHOT). Refactoring and code clean-up. As
        a result of Commons File Upload now using
        <code>java.nio.file.Files</code>, applications using multi-part uploads
        need to ensure that the JVM is configured with sufficient direct memory
        to store all in progress multi-part uploads. (markt)
      </add>
      <add>
        Update the internal fork of Apache Commons Pool to 2.11.1 (2021-08-17).
        Improvements, code clean-up and refactoring. (markt)
      </add>
      <add>
        Update the internal fork of Apache Commons DBCP to 2.9.0 (2021-08-03).
        Improvements, code clean-up and refactoring. (markt)
      </add>
      <update>
        Update the packaged version of the Tomcat Native Library to 1.2.31 to
        pick up Windows binaries built with OpenSSL 1.1.1l.(markt)
      </update>
      <update>
        Switch to the CDN as the primary download location for ASF dependencies.
        (markt)
      </update>
      <add>
        Improvements to Chinese translations contributed by syseal, wolibo,
        ZhangJieWen and DigitalFatCat. (markt)
      </add>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Japanese translations contributed by tak7iji. (markt)
      </add>
      <add>
        Improvements to Korean translations. (woonsan)
      </add>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.0-M4 (markt)" rtext="2021-08-06">
  <subsection name="WebSocket">
    <changelog>
      <fix>
        Correct a regression in the Java 8 to Java 11 changes made in 10.1.0-M3
        that caused all WebSocket end points to fail to register. (markt)
      </fix>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.0-M3 (markt)" rtext="not released">
  <subsection name="General">
    <changelog>
      <update>
        Update the minimum required Java version to Java 11. (markt)
      </update>
    </changelog>
  </subsection>
  <subsection name="Catalina">
    <changelog>
      <scode>
        Incremented the supported Jakarta Servlet version to 6.0 to align with
        the current development branch of the Jakarta Servlet specification.
        Plans have changed and the next iteration of the Servlet specification
        will be 6.0 rather than 5.1. (markt)
      </scode>
      <fix>
        <bug>65411</bug>: Always close the connection when an uncaught
        <code>NamingException</code> occurs to avoid connection locking.
        Submitted by Ole Ostergaard. (remm)
      </fix>
      <fix>
        <bug>65433</bug>: Correct a regression in the fix for <bug>65397</bug>
        where a <code>StringIndexOutOfBoundsException</code> could be triggered
        if the canonical path of the target of a symlink was shorter than the
        canonical path of the directory in which the symlink had been created.
        Patch provided by Cedomir Igaly. (markt)
      </fix>
      <add>
        <bug>65443</bug>: Refactor the <code>CorsFilter</code> to make it easier
        to extend. (markt)
      </add>
      <fix>
        To avoid unnecessary cache revalidation, do not add an HTTP
        <code>Expires</code> header when setting adding an HTTP header of
        <code>CacheControl: private</code>. (markt)
      </fix>
      <scode>
        Refactor JULI's custom <code>LogManager</code>, the
        web application class loader implementation, the web resources
        implementation, the <code>JreLeakPreventionListener</code>
        implementation and the <code>StandardJarScanner</code> implementation to
        remove Java 8 specific code now that the minimum Java version has been
        increased to 11. (markt)
      </scode>
      <scode>
        Remove all references to the endorsed standards override feature and the
        specifying of optional packages (extensions) in the manifest as these
        are not supported in Java 11. (markt)
      </scode>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        When writing an HTTP/2 response via sendfile (only enabled when
        <code>useAsyncIO</code> is true) the connection flow control window was
        sometimes ignored leading to various error conditions. sendfile now
        checks both the stream and connection flow control windows before
        writing. (markt)
      </fix>
      <add>
        Add debug logging for writing an HTTP/2 response via sendfile. (markt)
      </add>
      <fix>
        Correct bugs in the HTTP/2 connection flow control management that meant
        it was possible for a connection to stall waiting for a connection flow
        control window update that had already arrived. Any streams on that
        connection that were trying to write when this happened would time out.
        (markt)
      </fix>
      <fix>
        <bug>65448</bug>: When using TLS with NIO, it was possible for a
        blocking response write to hang just before the final TLS packet
        associated with the response until the connection timed out at which
        point the final packet would be sent and the connection closed. (markt)
      </fix>
      <fix>
        <bug>65454</bug>: Fix a race condition that could result in a delay to
        a new request. The new request could be queued to wait for an existing
        request to finish processing rather than the thread pool creating a new
        thread to process the new request. (markt)
      </fix>
      <fix>
        <bug>65460</bug>: Correct a regression introduced in the previous
        release in the change to reduce the number of small HTTP/2 window
        updates sent for streams. A logic error meant that small window updates
        for the connection were dropped. This meant that the connection flow
        window slowly reduced over time until nothing could be sent. (markt)
      </fix>
      <fix>
        Remove NIO workarounds and code that is no longer needed with Java 11.
        (remm)
      </fix>
      <scode>
        Refactor the endpoints to remove Java 8 specific code now that the
        minimum Java version has been increased to 11. (markt)
      </scode>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <scode>
        Add additional generics to the EL API to align with the latest changes
        in the EL specification project. (markt)
      </scode>
      <add>
        Enable EL lambda expressions to be coerced to functional interfaces.
        This is an implementation of a proposed extension to the Jakarta
        Expression Language specification. (markt)
      </add>
      <scode>
        Refactor the EL API and implementation to remove Java 8 specific code
        now that the minimum Java version has been increased to 11. (markt)
      </scode>
    </changelog>
  </subsection>
  <subsection name="WebSocket">
    <changelog>
      <scode>
        Refactor the WebSocket implementation to remove Java 8 specific code now
        that the minimum Java version has been increased to 11. (markt)
      </scode>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <fix>
        <bug>65404</bug>: Correct a regression in the fix for <bug>63362</bug>
        that caused the server status page in the Manager web application to be
        truncated if HTTP upgrade was used such as when starting a WebSocket
        connection. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <add>
        Improvements to Chinese translations contributed by ZhangJieWen and
        chengzheyan. (markt)
      </add>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Japanese translations contributed by tak7iji. (markt)
      </add>
      <add>
        Improvements to Korean translations. (woonsan)
      </add>
      <fix>
        Use of GraalVM native images no longer automatically disables JMX
        support. JMX support may still be disabled by calling
        <code>org.apache.tomcat.util.modeler.Registry.disableRegistry()</code>.
        (markt)
      </fix>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.0-M2 (markt)" rtext="2021-07-02">
  <subsection name="Catalina">
    <changelog>
      <scode>
        Refactor the <code>RemoteIpValve</code> to use the common utility method
        for list to comma separated string conversion. (markt)
      </scode>
      <scode>
        Refactor <code>JNDIRealm$JNDIConnection</code> so its fields are
        accessible to sub-classes of <code>JNDIRealm</code>. (markt)
      </scode>
      <fix>
        Fix serialization warnings in <code>UserDatabasePrincipal</code>
        reported by SpotBugs. (markt)
      </fix>
      <fix>
        <bug>65397</bug>: Calls to
        <code>ServletContext.getResourcePaths()</code> no longer include
        symbolic links in the results unless <code>allowLinking</code> has been
        set to <code>true</code>. If a resource is skipped because of this
        change, a warning will be logged as this typically indicates a
        configuration issue. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        <bug>65368</bug>: Improve handling of clean closes of inbound TLS
        connections. Treat them the same way as clean closes of non-TLS
        connections rather than as unknown errors. (markt)
      </fix>
      <fix>
        Modify the HTTP/2 connector not to sent small updates for stream flow
        control windows to the user agent as, depending on how the user agent is
        written, this may trigger small writes from the user agent that in turn
        trigger the overhead protection. Small updates for stream flow control
        windows are now combined with subsequent flow control window updates for
        that stream to ensure that all stream flow control window updates sent
        from Tomcat are larger than <code>overheadWindowUpdateThreshold</code>.
        (markt)
      </fix>
      <add>
        Add additional debug logging to track the current state of the HTTP/2
        overhead count that Tomcat uses to detect and close potentially
        malicious connections. (markt)
      </add>
      <update>
        Many HTTP/2 requests from browsers will trigger one overhead frame and
        one non-overhead frame. Change the overhead calculation so that a
        non-overhead frame reduces the current overhead count by 2 rather than
        1. This means that, over time, the overhead count for a well-behaved
        connection will trend downwards. (markt)
      </update>
      <update>
        Change the initial HTTP/2 overhead count from <code>-10</code> to
        <code>-10 * overheadCountFactor</code>. This means that, regardless of
        the value chosen for <code>overheadCountFactor</code>, when a connection
        opens 10 overhead frames in a row will be required to trigger the
        overhead protection. (markt)
      </update>
      <update>
        Increase the default <code>overheadCountFactor</code> from
        <code>1</code> to <code>10</code> and change the reduction in overhead
        count for a non-overhead frame from <code>-2</code> to <code>-20</code>.
        This allows for a larger range (0-20) to be used for
        <code>overheadCountFactor</code> providing for finer-grained control.
        (markt)
      </update>
      <fix>
        Modify the parsing of HTTP header values that use the
        <code>1#token</code> to ignore empty elements as per RFC 7230 section 7
        instead of treating the presence of empty elements as an error. (markt)
      </fix>
      <fix>
        Expand the unit tests for <code>HttpServlet.doHead()</code> and correct
        the flushing of the response buffer. The buffer used to behave as if it
        was one byte smaller than the configured size. The buffer was flushed
        (and the response committed if required) when the buffer was full. The
        buffer is now flushed (and the response committed if required) if the
        buffer is full and there is more data to write. (markt)
      </fix>
      <fix>
        Fix an issue where concurrent HTTP/2 writes (or concurrent reads) to the
        same connection could hang and eventually timeout when async IO was
        enabled (it is enabled by default). (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <fix>
        <bug>65387</bug>: Correct a regression in the fix for <bug>65124</bug>
        and restore the local definition of <code>out</code> for tags that
        implement <code>TryCatchFinally</code>. (markt)
      </fix>
      <fix>
        <bug>65390</bug>: Correct a regression in the fix for <bug>65124</bug>
        and restore code that was removed in error leading to JSP compilation
        failures in some circumstances. (markt)
      </fix>
      <update>
        Update to the Eclipse JDT compiler 4.20. (markt)
      </update>
      <add>
        Add support for specifying Java 17 (with the value <code>17</code>) as
        the compiler source and/or compiler target for JSP compilation. If used
        with an Eclipse JDT compiler version that does not support these values,
        a warning will be logged and the latest supported version will used.
        (markt)
      </add>
      <fix>
        <bug>65377</bug>: Update the Java code generation for JSPs not to use
        the boxed primitive constructors as they have been deprecated in Java 9
        and marked for future removal in Java 16. <code>valueOf()</code> is now
        used instead. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="WebSocket">
    <changelog>
      <scode>
        Refactor the <code>DigestAuthenticator</code> to reuse a shared
        <code>SecureRandom</code> instance rather than create a new one to
        generate the <code>cnonce</code> if required. (markt)
      </scode>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <fix>
        <bug>65385</bug>: Correct the link in the documentation web application
        the Maven Central repository. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <add>
        Use JSign to integrate the build script with the code signing service to
        enable release builds to be created on Linux as well as Windows. (markt)
      </add>
      <update>
        Update the OWB module to Apache OpenWebBeans 2.0.23. (remm)
      </update>
      <update>
        Update the CXF module to Apache CXF 3.4.4. (remm)
      </update>
      <fix>
        <bug>65369</bug> / <pr>422</pr>: Add the additional
        <code>--add-opens=...</code> options required for running Tomcat on Java
        16 onwards to the <code>service.bat</code> script to align it with the
        other start-up scripts. PR provided by MCMicS. (markt)
      </fix>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Korean translations. (woonsan)
      </add>
      <update>
        Update JUnit to version 4.13.2. (markt)
      </update>
      <update>
        Update EasyMock to 4.3. (markt)
      </update>
      <update>
        Update Objenesis to 3.2. (markt)
      </update>
      <update>
        Update UnboundID to 6.0.0. (markt)
      </update>
      <update>
        Update CheckStyle to 8.43. (markt)
      </update>
      <update>
        Update SpotBugs to 4.2.3. (markt)
      </update>
      <update>
        Update OSGi annotations to 1.1.0. (markt)
      </update>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 10.1.0-M1 (markt)" rtext="2021-06-15">
  <subsection name="General">
    <changelog>
      <scode>
        This release contains all of the changes up to and including those in
        Apache Tomcat 10.0.6 plus the additional changes listed below. (markt)
      </scode>
      <scode>
        Remove code previously marked for removal in Tomcat 10.1.x. (markt)
      </scode>
    </changelog>
  </subsection>
  <subsection name="Catalina">
    <changelog>
      <scode>
        Incremented the supported Jakarta Servlet version to 5.1 to align with
        the current development branch of the Jakarta Servlet specification.
        (markt)
      </scode>
      <fix>
        <bug>65301</bug>: <code>RemoteIpValve</code> will now avoid getting
        the local host name when it is not needed. (remm)
      </fix>
      <fix>
        <bug>65308</bug>: NPE in JNDIRealm when no <code>userRoleAttribute</code>
        is given. (fschumacher)
      </fix>
      <add>
        <pr>412</pr>: Add commented out, sample users for the Tomcat Manager app
        to the default <code>tomcat-users.xml</code> file. Based on a PR by
        Arnaud Dagnelies. (markt)
      </add>
      <add>
        <pr>418</pr>: Add a new option, <code>pass-through</code>, to the
        default servlet's <code>useBomIfPresent</code> initialization parameter
        that causes the default servlet to leave any BOM in place when
        processing a static file and not to use the BOM to determine the
        encoding of the file. Based on a pull request by Jean-Louis Monteiro.
        (markt)
      </add>
      <fix>
        <pr>419</pr>: When processing POST requests of type
        <code>multipart/form-data</code> for parts without a filename that are
        added to the parameter map in String form, check the size of the part
        before attempting conversion to String. Pull request provided by
        tianshuang. (markt)
      </fix>
      <add>
        Implement the new <code>Cookie</code> methods
        <code>setAttribute()</code>, <code>getAttribute()</code> and
        <code>getAttributes()</code> introduced in Servlet 6.0. (markt)
      </add>
      <fix>
        AprLifecycleListener does not show dev version suffix for libtcnative
        and libapr. (michaelo)
      </fix>
      <update>
        Refactor principal handling in <code>UserDatabaseRealm</code> using
        an inner class that extends <code>GenericPrincipal</code>. (remm)
      </update>
      <fix>
        Enable the default <code>doHead()</code> implementation in
        <code>HttpServlet</code> to correctly handle responses where the content
        length needs to be represented as a long since it is larger than the
        maximum value that can be represented by an int. (markt)
      </fix>
      <fix>
        Avoid synchronization on roles verification for the memory
        <code>UserDatabase</code>. (remm)
      </fix>
      <fix>
        Fix the default <code>doHead()</code> implementation in
        <code>HttpServlet</code> to correctly handle responses where the Servlet
        calls <code>ServletResponse.reset()</code> and/or
        <code>ServletResponse.resetBuffer()</code>. (markt)
      </fix>
      <fix>
        Fix the default <code>doHead()</code> implementation in
        <code>HttpServlet</code> to correctly handle responses generated using
        the Servlet non-blocking API. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        <bug>65303</bug>: Fix a possible <code>NullPointerException</code> if
        an error occurs on an HTTP/1.1 connection being upgraded to HTTP/2 or on
        a pushed HTTP/2 stream. (markt)
      </fix>
      <update>
        Simplify AprEndpoint socket bind for all platforms. (michaelo)
      </update>
      <fix>
        <bug>65340</bug>: Add missing check for a negative return value for
        <code>Hpack.decodeInteger</code> in the <code>HpackDecoder</code>,
        which could cause a <code>NegativeArraySizeException</code> exception.
        Submitted by Thomas, and verified the fix is present in the donated
        hpack code in a further update. (remm)
      </fix>
      <add>
        Add debug logging for HTTP/2 HPACK header decoding. (markt)
      </add>
      <fix>
        Correct parsing of HTTP headers consisting of a list of tokens so that a
        header with an empty token is treated consistently regardless of whether
        the empty token is at the start, middle or end of the list of tokens.
        (markt)
      </fix>
      <fix>
        Remove support for the <code>identity</code> transfer encoding. The
        inclusion of this encoding in RFC 2616 was an error that was corrected
        in 2001. Requests using this transfer encoding will now receive a 501
        response. (markt)
      </fix>
      <fix>
        Process transfer encoding headers from both HTTP 1.0 and HTTP 1.1
        clients. (markt)
      </fix>
      <fix>
        Ensure that if the transfer encoding header contains the
        <code>chunked</code>, that the <code>chunked</code> encoding is the
        final encoding listed. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <scode>
        Incremented the supported Jakarta Expression Language version to 5.0 to
        align with the current development branch of the Jakarta Expression
        Language specification. (markt)
      </scode>
      <scode>
        Review code used to generate Java source from JSPs and tags and remove
        code found to be unnecessary. (markt)
      </scode>
      <scode>
        Refactor use of internal <code>ChildInfo</code> class to use compile
        time type checking rather than run time type checking. (markt)
      </scode>
      <fix>
        <bug>65124</bug>: Partial fix. When generating Java source code to call
        a tag handler, only define the local variable <code>JspWriter out</code>
        when it is going to be used. (markt)
      </fix>
      <scode>
        Add generics to the EL 5.0 API to align with the current EL 5.0
        development branch. (markt)
      </scode>
      <update>
        Update the <code>web-fragment.xml</code> included in
        <code>jasper.jar</code> and <code>jasper-el.jar</code> to use the
        Servlet 5.0 schema. (markt)
      </update>
      <fix>
        Update JspC to generate <code>web.xml</code> and
        <code>web-fragment.xml</code> files using Servlet 5.0 schemas. (markt)
      </fix>
      <scode>
        Remove the deprecated method
        <code>MethodExpression.isParmetersProvided()</code> from the EL API to
        align with the current EL 5.0 development branch. (markt)
      </scode>
      <fix>
        <bug>65358</bug>: Improve expression language method matching for
        methods with varargs. Where multiple methods may match the provided
        parameters, the method that requires the fewest varargs is preferred.
        (markt)
      </fix>
      <add>
        <bug>65332</bug>: Add a commented out section in
        <code>catalina.policy</code> that provides the necessary permissions to
        compile JSPs with javac when running on Java 9 onwards with a security
        manager. It is commented out as it will cause errors if used with
        earlier Java versions. (markt)
      </add>
    </changelog>
  </subsection>
  <subsection name="WebSocket">
    <changelog>
      <fix>
        <bug>65317</bug>: When using <code>permessage-deflate</code>, the
        WebSocket connection was incorrectly closed if the uncompressed payload
        size was an exact multiple of 8192. Based on a patch provided by Saksham
        Verma. (markt)
      </fix>
      <update>
        Update the <code>web-fragment.xml</code> included in
        <code>tomcat-websocket.jar</code> to use the Servlet 5.0 schema. (markt)
      </update>
      <fix>
        <bug>65342</bug>: Correct a regression introduced with the fix for
        <bug>65262</bug> that meant Tomcat's WebSocket implementation would only
        work with Tomcat's implementation of the Jakarta WebSocket API. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <fix>
        Improve the description of the <code>maxConnections</code> and
        <code>acceptCount</code> attributes in the Connector section of the
        documentation web application. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Korean translations. (woonsan)
      </add>
      <fix>
        <bug>65362</bug>: Correct a regression in the previous release. The
        change to create OSGi <code>Require-Capability</code> sections in
        manifests for Jakarta API JARs manually rather than with bnd annotations
        did not add the necessary manual entries to the embedded JARs. (markt)
      </fix>
      <update>
        Update the packaged version of the Tomcat Native Library to 1.2.30. Also
        update the minimum recommended version to 1.2.30. (markt)
      </update>
    </changelog>
  </subsection>
</section>
</body>
</document>