<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!DOCTYPE document [
<!ENTITY project SYSTEM "project.xml">
<!-- DTD is used to validate changelog structure at build time. BZ 64931. -->
<!ELEMENT document (project?, properties, body)>
<!ATTLIST document url CDATA #REQUIRED>
<!-- body and title are used both in project.xml and in this document -->
<!ELEMENT body ANY>
<!ELEMENT title (#PCDATA)>
<!-- Elements of project.xml -->
<!ELEMENT project (title, logo, body)>
<!ATTLIST project name CDATA #REQUIRED>
<!ATTLIST project href CDATA #REQUIRED>
<!ELEMENT logo (#PCDATA)>
<!ATTLIST logo href CDATA #REQUIRED>
<!ELEMENT menu (item+)>
<!ATTLIST menu name CDATA #REQUIRED>
<!ELEMENT item EMPTY>
<!ATTLIST item name CDATA #REQUIRED>
<!ATTLIST item href CDATA #REQUIRED>
<!-- Elements of this document -->
<!ELEMENT properties (author*, title, no-comments) >
<!ELEMENT author (#PCDATA)>
<!ATTLIST author email CDATA #IMPLIED>
<!ELEMENT no-comments EMPTY>
<!ELEMENT section (subsection)*>
<!ATTLIST section name CDATA #REQUIRED>
<!ATTLIST section rtext CDATA #IMPLIED>
<!ELEMENT subsection (changelog+)>
<!ATTLIST subsection name CDATA #REQUIRED>
<!ELEMENT changelog (add|update|fix|scode|docs|design)*>
<!ELEMENT add ANY>
<!ELEMENT update ANY>
<!ELEMENT fix ANY>
<!ELEMENT scode ANY>
<!ELEMENT docs ANY>
<!ELEMENT design ANY>
<!ELEMENT bug (#PCDATA)>
<!ELEMENT rev (#PCDATA)>
<!ELEMENT pr (#PCDATA)>
<!-- Random HTML markup tags. Add more here as needed. -->
<!ELEMENT a (#PCDATA)>
<!ATTLIST a href CDATA #REQUIRED>
<!ATTLIST a rel CDATA #IMPLIED>
<!ELEMENT b (#PCDATA)>
<!ELEMENT code (#PCDATA)>
<!ELEMENT em (#PCDATA)>
<!ELEMENT strong (#PCDATA)>
<!ELEMENT tt (#PCDATA)>
]>
<?xml-stylesheet type="text/xsl" href="tomcat-docs.xsl"?>
<document url="changelog.html">
&project;
<properties>
<title>Changelog</title>
<no-comments />
</properties>
<body>
<!--
Subsection ordering:
General, Catalina, Coyote, Jasper, Cluster, WebSocket, Web applications,
Extras, Tribes, jdbc-pool, Other
Item Ordering:
Fixes having an issue number are sorted by their number, ascending.
There is no ordering by add/update/fix/scode/docs/design.
Other fixed issues are added to the end of the list, chronologically.
They eventually become mixed with the numbered issues (i.e., numbered
issues do not "pop up" wrt. others).
-->
<section name="Tomcat 10.1.14 (schultz)" rtext="in development">
<subsection name="Catalina">
<changelog>
<add>
<bug>65770</bug>: Provide a lifecycle listener that will automatically
reload TLS configurations a set time before the certificate is due to
expire. This is intended to be used with third-party tools that
regularly renew TLS certificates. (markt)
</add>
<fix>
Fix handling of an error reading a context descriptor on deployment.
(remm)
</fix>
<fix>
Fix the rewrite rule flag <code>qsd</code> (query string discard) being
ignored when <code>qsa</code> was also used; <code>qsd</code> should take
precedence. (remm)
</fix>
<fix>
<bug>67472</bug>: Send fewer CORS-related headers when CORS is not
actually being engaged. (schultz)
</fix>
<add>
Improve handling of failures within <code>recycle()</code> methods.
(markt)
</add>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
<bug>67198</bug>: Ensure that the AJP connector attribute
<code>tomcatAuthorization</code> takes precedence over the
<code>tomcatAuthentication</code> attribute when processing an
<code>auth_type</code> attribute received from a proxy server. (markt)
</fix>
<fix>
<bug>67235</bug>: Fix a <code>NullPointerException</code> when an
<code>AsyncListener</code> handles an error with a dispatch rather than
a complete. (markt)
</fix>
<fix>
When an error occurs during asynchronous processing, ensure that the
error handling process is only triggered once per asynchronous cycle.
(markt)
</fix>
<fix>
Fix a logic issue when trying to match a no-argument method in
<code>IntrospectionUtils</code>. (remm)
</fix>
<fix>
Improve thread safety around readNotify and writeNotify in the NIO2
endpoint. (remm)
</fix>
<fix>
Avoid rare thread safety issue accessing message digest map. (remm)
</fix>
<fix>
Improve statistics collection for upgraded connections under load.
(remm)
</fix>
<fix>
Align validation of HTTP trailer fields with standard fields. (markt)
</fix>
<fix>
Improvements to HTTP/2 overhead protection. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>67080</bug>: Improve performance of EL expressions in JSPs that use
implicit objects. Based on suggestions by John Engebretson, Anurag Dubey
and Christopher Schultz. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<update>
Update the internal fork of Apache Commons FileUpload to 7a8c324
(2023-09-16, 1.x-SNAPSHOT). Due to significant refactoring in the 2.x
branch requiring additional Commons IO dependencies, Tomcat has switched
to tracking the 1.x branch. (markt)
</update>
<add>
Add the <code>Bundle-License</code> header to the JAR manifest for all
Tomcat JARs. (markt)
</add>
<update>
Update UnboundID to 6.0.9. (markt)
</update>
<update>
Update Checkstyle to 10.12.3. (markt)
</update>
<update>
Update Tomcat Native to 2.0.6. (markt)
</update>
<update>
Update Commons Pool to 2.12.0. (markt)
</update>
<fix>
<bug>67611</bug>: Correct the download link in BUILDING.txt. (lihan)
</fix>
<add>
Improvements to French translations. (remm)
</add>
<add>
Improvements to Japanese translations by tak7iji. (markt)
</add>
<add>
Improvements to Russian translations by usmazat. (markt)
</add>
</changelog>
</subsection>
</section>
<section name="Tomcat 10.1.13 (markt)" rtext="2023-08-25">
<subsection name="Catalina">
<changelog>
<fix>
If an application or library sets both a non-500 error code and the
<code>jakarta.servlet.error.exception</code> request attribute, use the
provided error code during error page processing rather than assuming an
error code of 500. (markt)
</fix>
<fix>
Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes
and KiB for 1024 bytes rather than MB and kB. (markt)
</fix>
<fix>
Avoid protocol relative redirects in FORM authentication. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Web applications">
<changelog>
<fix>
Documentation. Update documentation to use MiB for 1024 * 1024 bytes and
KiB for 1024 bytes rather than MB and kB. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<add>
Improvements to Chinese translations. (lihan)
</add>
<add>
Improvements to French translations. (remm)
</add>
<add>
Improvements to Japanese translations by tak7iji. (markt)
</add>
</changelog>
</subsection>
</section>
<section name="Tomcat 10.1.12 (markt)" rtext="2023-08-14">
<subsection name="Catalina">
<changelog>
<fix>
<bug>66680</bug>: When serializing a session during the session
persistence process, do not log a warning that null Principals are not
serializable. Pull request <pr>638</pr> provided by tsryo. (markt)
</fix>
<fix>
Catch <code>NamingException</code> in <code>JNDIRealm#getPrincipal</code>.
It is used in Java up to 17 to signal closed connections. (fschumacher)
</fix>
<fix>
<bug>66822</bug>: Use the same naming format in log messages for
Connector instances as the associated ProtocolHandler instance. (markt)
</fix>
<fix>
The parts count should also lower the actual
<code>maxParameterCount</code> used for parsing parameters if parts are
parsed first. (remm)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Correct a regression introduced in 10.1.11 and use the correct
constant when constructing the default value for the
<code>certificateKeystoreFile</code> attribute of an
<code>SSLHostConfigCertificate</code> instance. (markt)
</fix>
<scode>
Refactor HTTP/2 implementation to reduce pinning when using virtual
threads. (markt)
</scode>
<fix>
Pass through ciphers referring to an OpenSSL profile, such as
<code>PROFILE=SYSTEM</code>, instead of producing an error trying to
parse them. (remm)
</fix>
<fix>
<bug>66841</bug>: Ensure that <code>AsyncListener.onError()</code> is
called after an error during asynchronous processing with HTTP/2.
(markt)
</fix>
<fix>
<bug>66842</bug>: When using asynchronous I/O (the default), include
DATA frames when calculating the HTTP/2 overhead count to ensure that
connections are not prematurely terminated. (markt)
</fix>
<fix>
Correct a race condition that could cause spurious RST messages to be
sent after the response had been written to an HTTP/2 stream. (markt)
</fix>
</changelog>
</subsection>
<subsection name="WebSocket">
<changelog>
<fix>
<bug>66681</bug>: Fix a <code>NullPointerException</code> when flushing
batched messages with compression enabled using
<code>permessage-deflate</code>. (markt)
</fix>
</changelog>
</subsection>
<subsection name="jdbc-pool">
<changelog>
<fix>
Fix <code>releaseIdleCounter</code> not being incremented when
<code>testAllIdle</code> releases idle connections. Pull request
<pr>241</pr> provided by Arun Chaitanya Miriappalli. (lihan)
</fix>
<fix>
Fix <code>ConnectionState</code> becoming inconsistent with the actual
state of the connection when an exception occurs while writing. Pull
request <pr>643</pr> provided by Wenjun Xiao. (lihan)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<update>
Update NSIS to 3.0.9. (markt)
</update>
<update>
Update Checkstyle to 10.12.2. (markt)
</update>
<add>
Improvements to French translations. (remm)
</add>
<add>
Improvements to Japanese translations. Contributed by tak7iji and
Shirayuking. (markt)
</add>
<fix>
<bug>66829</bug>: Fix quoting so users can use the <code>_RUNJAVA</code>
environment variable as intended on Windows when the path to the Java
executable contains spaces. (markt)
</fix>
<fix>
<bug>66834</bug>: Correct the OSGi contract references in the manifest
files to refer to the Jakarta EE contract names rather than the Java EE
contract names. (markt)
</fix>
<update>
Update Tomcat Native to 2.0.5. (markt)
</update>
</changelog>
</subsection>
</section>
<section name="Tomcat 10.1.11 (schultz)" rtext="2023-07-10">
<subsection name="Catalina">
<changelog>
<add>
<bug>59232</bug>: Add
<code>org.apache.catalina.core.ContextNamingInfoListener</code>,
a listener which creates context naming information environment entries.
(michaelo)
</add>
<add>
<bug>66665</bug>: Add
<code>org.apache.catalina.core.PropertiesRoleMappingListener</code>,
a listener which populates the context's role mapping from a properties
file. (michaelo)
</add>
<fix>
Fix an edge case where intra-web application symlinks would be followed
if the web applications were deliberately crafted to allow it even when
<code>allowLinking</code> was set to <code>false</code>. (markt)
</fix>
<update>
Add a utility config file resource lookup on <code>Context</code> to allow
looking up resources from the webapp (prefixed with
<code>webapp:</code>) and make the resource lookup API more visible.
(remm)
</update>
<fix>
Fix potential database connection leaks in
<code>DataSourceUserDatabase</code> identified by Coverity Scan. (markt)
</fix>
<fix>
Make parsing of <code>ExtendedAccessLogValve</code> patterns more
robust. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
<bug>66627</bug>: Restore the documented behaviour of
<code>MessageBytes.getType()</code> that it returns the type of the
original content rather than reflecting the most recent conversion.
(markt)
</fix>
<fix>
<bug>66635</bug>: Correct certificate logging on start-up so it
differentiates between keystore based keys/certificates and PEM file
based keys/certificates and logs the relevant information for each.
(markt)
</fix>
<fix>
Refactor blocking reads and writes for the NIO connector to remove
code paths that could allow a notification from the Poller to be missed,
resulting in a timeout rather than the expected read or write. (markt)
</fix>
<fix>
Refactor waiting for an HTTP/2 stream or connection window update to
handle spurious wake-ups during the wait. (markt)
</fix>
</changelog>
</subsection>
<subsection name="WebSocket">
<changelog>
<fix>
Improve handling of error conditions for the WebSocket server,
particularly during Tomcat shutdown. (markt)
</fix>
<fix>
Correct a regression in the fix for <bug>66574</bug> that meant the
WebSocket session could return false for <code>onOpen()</code> before
the <code>onClose()</code> event had been completed. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Web applications">
<changelog>
<add>
Documentation. Expand the security guidance to cover the embedded use
case and add notes on the uses made of the <code>java.io.tmpdir</code>
system property. (markt)
</add>
<fix>
<bug>66662</bug>: Documentation. Fix a typo in the name of the
<strong>algorithms</strong> attribute in the configuration section for
the Digest authentication valve. Pull request <pr>629</pr> provided by
gohilmca. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<add>
Include the Windows specific binary distributions in the files uploaded
to Maven Central. (markt)
</add>
<add>
Improvements to French translations. (remm)
</add>
<add>
Improvements to Japanese translations. Contributed by tak7iji. (markt)
</add>
<update>
Update UnboundID to 6.0.9. (markt)
</update>
<update>
Update Checkstyle to 10.12.1. (markt)
</update>
<update>
Update BND to 6.4.1. (markt)
</update>
<update>
Update JSign to 5.0. (markt/rjung)
</update>
<fix>
Align documentation for maxParameterCount to match hard-coded defaults.
Contributed by Michal Sobkiewicz. (schultz)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 10.1.10 (schultz)" rtext="2023-06-12">
<subsection name="Catalina">
<changelog>
<scode>
Move the management of the utility executor from the
<code>init()</code>/<code>destroy()</code> methods of components to the
<code>start()</code>/<code>stop()</code> methods. (markt)
</scode>
<add>
Add <code>org.apache.catalina.core.StandardVirtualThreadExecutor</code>,
a virtual thread based executor that may be used with one or more
Connectors to process requests received by those Connectors using
virtual threads. This Executor requires a minimum Java version of Java
21. (markt)
</add>
<fix>
<bug>66513</bug>: Add a per session Semaphore to the
<code>PersistentValve</code> that ensures that, within a single Tomcat
instance, there is no more than one concurrent request per session. Also
expand the debug logging to include whether a request bypasses the Valve
and the reason if a request fails to obtain the per session Semaphore.
(markt)
</fix>
<fix>
<bug>66609</bug>: Ensure that the default servlet correctly escapes
file names in directory listings when using XML output. Based on pull
request <pr>621</pr> by Alex Kachanov. (markt)
</fix>
<add>
<bug>66618</bug>: Add a numeric last modified field to the XML directory
listings produced by the default servlet to enable sorting in the XSLT.
Pull request <pr>622</pr> by Alex Kachanov. (markt)
</add>
<fix>
<bug>66621</bug>: Attempts to lock a collection with WebDAV may
incorrectly fail if a child collection has an expired lock. (markt)
</fix>
<fix>
<bug>66622</bug>: Deprecate the <code>xssProtectionEnabled</code>
setting from the <code>HttpHeaderSecurityFilter</code> and change the
default value to <code>false</code> as support for the associated HTTP
header has been removed from all major browsers. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<update>
Update the HTTP/2 implementation to use the prioritization scheme
defined in RFC 9218 rather than the one defined in RFC 7540.
(markt)
</update>
<fix>
<bug>66602</bug>: Fix <code>WINDOW_UPDATE</code> not being sent when
<code>dataLength</code> is zero in the call to
<code>SwallowedDataFramePayload</code>. Pull request <pr>619</pr> by
ledefe. (lihan)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<update>
Update to Commons Daemon 1.3.4. (markt)
</update>
<add>
Improvements to French translations. (remm)
</add>
<update>
Update Checkstyle to 10.12.0. (markt)
</update>
<update>
Update the packaged version of the Apache Tomcat Native Library to 2.0.4
to pick up the Windows binaries built with OpenSSL 3.0.9. (markt)
</update>
</changelog>
</subsection>
</section>
<section name="Tomcat 10.1.9 (schultz)" rtext="2023-05-19">
<subsection name="Catalina">
<changelog>
<fix>
<bug>66567</bug>: Fix missing <code>IllegalArgumentException</code>
after the Tomcat code was converted to using URI instead of URL. (remm)
</fix>
<fix>
Escape timestamp output in <code>AccessLogValve</code> if a
<code>SimpleDateFormat</code> is used which contains verbatim
characters that need escaping. (rjung)
</fix>
<update>
Change output of vertical tab in <code>AccessLogValve</code> from
<code>\v</code> to <code>\u000b</code>. (rjung)
</update>
<update>
Improve performance of escaping in <code>AccessLogValve</code>
roughly by a factor of two. (rjung)
</update>
<update>
Improve <code>JsonAccessLogValve</code>: support more patterns, such as
those for headers and attributes. These are logged as sub-objects.
(rjung)
</update>
<fix>
<pr>613</pr>: Fix possible partial corrupted file copies when using
file locking protection or the manager servlet. Submitted
by Jack Shirazi. (remm)
</fix>
<add>
Add <code>RateLimitFilter</code>, which can be used to mitigate DoS and
brute force attacks. (isapir)
</add>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<add>
Add support for a new character set, <code>gb18030-2022</code>, introduced
in Java 21, to the character set caching mechanism. (markt)
</add>
<fix>
Fix an edge case in HTTP header parsing and ensure that HTTP headers
without names are treated as invalid. (markt)
</fix>
<update>
Deprecate the HTTP Connector settings <code>rejectIllegalHeader</code>
and <code>allowHostHeaderMismatch</code> as they have been removed in
Tomcat 11 onwards. (markt)
</update>
<fix>
<bug>66591</bug>: Fix a regression introduced in the fix for
<bug>66512</bug> that meant that an AJP Send Headers message was not sent
for responses where no HTTP headers were set. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>66582</bug>: Account for EL having stricter requirements for static
imports than JSPs when adding JSP static imports to the EL context.
(markt)
</fix>
</changelog>
</subsection>
<subsection name="WebSocket">
<changelog>
<fix>
<bug>66574</bug>: Refactor WebSocket session close to remove the lock on
the <code>SocketWrapper</code> which was a potential cause of deadlocks
if the application code used simulated blocking. (markt)
</fix>
<fix>
<bug>66575</bug>: Avoid unchecked use of the backing array of a
buffer provided by the user in the compression transformation. (remm)
</fix>
<fix>
Improve exception handling when flushing batched messages during
WebSocket session close. (markt)
</fix>
<fix>
<bug>66581</bug>: Update <code>AsyncChannelGroupUtil</code> to align it
with the current defaults for AsynchronousChannelGroup. Pull request
<pr>612</pr> by Matthew Painter. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<add>
Improvements to French translations. (remm)
</add>
<add>
Improvements to Chinese translations. (lihan)
</add>
<update>
Update Checkstyle to 10.10.0. (markt)
</update>
<update>
Update Jacoco to 0.8.10. (markt)
</update>
<update>
Update the packaged version of the Tomcat Migration Tool for Jakarta EE
to 1.0.7. (markt)
</update>
</changelog>
</subsection>
</section>
<section name="Tomcat 10.1.8 (schultz)" rtext="2023-04-19">
<subsection name="Catalina">
<changelog>
<fix>
<bug>65995</bug>: Implement RFC 9239 and use
<code>text/javascript</code> as the media type for JavaScript rather
than <code>application/javascript</code>. (markt)
</fix>
<add>
Add an access log valve that uses a JSON format. Based on pull request
<pr>539</pr> provided by Thomas Meyer. (remm)
</add>
<add>
Harden the FORM authentication process against DoS attacks by using a
reduced session timeout if the FORM authentication process creates a
session. The duration of this timeout is configured by the
<code>authenticationSessionTimeout</code> attribute of the FORM
authenticator. (markt)
</add>
<fix>
<bug>66527</bug>: Correct the Javadoc for the
<code>Tomcat.addWebapp()</code> methods that incorrectly stated that the
<code>docBase</code> parameter could be a relative path. (markt)
</fix>
<fix>
<bug>66524</bug>: Correct eviction ordering in the WebResource cache to
be LRU as intended. (schultz)
</fix>
<update>
Use server.xml to reduce the default value of
<code>maxParameterCount</code> from 10,000 to 1,000. If not configured
in server.xml, the default remains 10,000. (markt)
</update>
<add>
Update Digest authentication support to align with RFC 7616. This adds a
new configuration attribute, <code>algorithms</code>, to the
<code>DigestAuthenticator</code> with a default of
<code>SHA-256,MD5</code>. (markt)
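As an added illustration of what the <code>algorithms</code> attribute controls (example code, not Tomcat's <code>DigestAuthenticator</code>): the RFC 7616 response calculation for qop=auth, parameterised by hash algorithm, with a server-side check that only accepts an algorithm from the configured list and compares in constant time. The realm, nonce and credential values are constructed for the example; how Tomcat stores credentials is not assumed here.

```python
import hashlib
import secrets

# Constructed example, not Tomcat's DigestAuthenticator: RFC 7616 Digest
# authentication with qop="auth", parameterised by hash algorithm so the
# same code serves SHA-256 and MD5.
ALGORITHMS = {"SHA-256": hashlib.sha256, "MD5": hashlib.md5}


def parse_algorithms(configured):
    """Split a comma-separated list such as "SHA-256,MD5" into an ordered
    list of algorithm names, rejecting any this code cannot hash."""
    names = [a.strip() for a in configured.split(",") if a.strip()]
    unknown = [a for a in names if a not in ALGORITHMS]
    if unknown:
        raise ValueError("unsupported digest algorithm(s): " + ", ".join(unknown))
    return names


def _h(algorithm, data):
    # H(data): hex digest of the UTF-8 encoded string
    return ALGORITHMS[algorithm](data.encode("utf-8")).hexdigest()


def compute_ha1(algorithm, username, realm, password):
    """H(A1) = H(username:realm:password). Note that H(A1) is algorithm
    specific: a SHA-256 response cannot be verified from an MD5 H(A1)."""
    return _h(algorithm, f"{username}:{realm}:{password}")


def digest_response(algorithm, ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """response = H(H(A1):nonce:nc:cnonce:qop:H(A2)) with A2 = method:uri."""
    ha2 = _h(algorithm, f"{method}:{uri}")
    return _h(algorithm, f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def verify_digest(configured, algorithm, stored_ha1, method, uri,
                  nonce, nc, cnonce, response, qop="auth"):
    """Server side: the algorithm the client used must be one the server is
    configured to accept, and the response must equal the value recomputed
    from the stored H(A1). compare_digest avoids leaking how many leading
    characters matched."""
    if algorithm not in parse_algorithms(configured):
        return False
    expected = digest_response(algorithm, stored_ha1, method, uri,
                               nonce, nc, cnonce, qop)
    return secrets.compare_digest(expected, response)
```

A client that sends algorithm=MD5 against a server configured with only SHA-256 is rejected before any hashing, which is the effect of narrowing the <code>algorithms</code> list.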
</add>
<update>
Add support code for custom user attributes in <code>RealmBase</code>.
Based on code from <pr>473</pr> by Carsten Klein. (remm)
</update>
<fix>
Expand the set of HTTP request headers considered sensitive that should
be skipped when generating a response to a <code>TRACE</code> request.
This aligns with 11.0.x. (markt)
</fix>
<fix>
<bug>66541</bug>: Improve handling for cached resources for resources
that use custom URL schemes. The scheme specific <code>equals()</code>
and <code>hashCode()</code> algorithms, if present, will now be used for
URLs for these resources. This addresses a potential performance issue
with some OSGi custom URL schemes that can trigger potentially slow DNS
lookups in some configurations. Based on a patch provided by Tom
Whitmore. (markt)
</fix>
<fix>
When using a custom session manager deployed as part of the web
application, avoid <code>ClassNotFoundException</code>s when validating
session IDs extracted from requests. (markt)
</fix>
<fix>
<bug>66543</bug>: Give <code>StandardContext#fireRequestDestroyEvent</code>
its own log message. (fschumacher)
</fix>
<fix>
<bug>66554</bug>: Initialize Random during server initialization to
avoid possible JVM thread creation in the webapp context on some
platforms. (remm)
</fix>
<update>
Make the server utility executor available to webapps using a Servlet
context attribute named
<code>org.apache.tomcat.util.threads.ScheduledThreadPoolExecutor</code>. (remm)
</update>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Support in the JSON filter the specific escaping for common special
characters defined in RFC 8259. Based on code submitted by
Thomas Meyer. (remm)
</fix>
<fix>
<bug>66511</bug>: Fix <code>GzipOutputFilter</code> (used for compressed
HTTP responses) when used with direct buffers. Patch suggested by Arjen
Poutsma. (markt)
</fix>
<fix>
<bug>66512</bug>: Align AJP handling of invalid HTTP response headers
(they are now removed from the response) with HTTP. (markt)
</fix>
<fix>
<bug>66530</bug>: Correct a regression in the fix for bug
<bug>66442</bug> that meant that streams without a response body did not
decrement the active stream count when completing leading to
<code>ERR_HTTP2_SERVER_REFUSED_STREAM</code> for some connections.
(markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
Fix a bug that meant some instances of coercing a
<code>LambdaExpression</code> to a functional interface invocation
failed. (markt)
</fix>
<fix>
<bug>66536</bug>: Fix parsing of tag files that meant that tag
directives could be ignored for some tag files. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Cluster">
<changelog>
<fix>
<bug>66535</bug>: Redefine the <code>maxValidTime</code> attribute of
<code>FarmWarDeployer</code> to be the maximum time allowed between
receiving parts of a transferred file before the transfer is cancelled
and the associated resources cleaned-up. A new warning message will be
logged if the file transfer is cancelled. (markt)
</fix>
</changelog>
</subsection>
<subsection name="WebSocket">
<changelog>
<fix>
<bug>66508</bug>: When using WebSocket with NIO2, avoid waiting for
a timeout before sending the close frame if an I/O error occurs during a
write. (markt)
</fix>
<fix>
<bug>66548</bug>: Expand the validation of the value of the
<code>Sec-Websocket-Key</code> header in the HTTP upgrade request that
initiates a WebSocket connection. The value is not decoded but it is
checked for the correct length and that only valid characters from the
base64 alphabet are used. (markt)
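As an added example of the kind of check described here (example code, not Tomcat's implementation): validate the <code>Sec-WebSocket-Key</code> header without decoding it, returning a reason suitable for debug logging, then derive <code>Sec-WebSocket-Accept</code> per RFC 6455 for a key that passed. The check goes one step beyond length and alphabet by also requiring the "==" padding that a 16 byte key always produces; the test key and accept value are the RFC 6455 example.

```python
import base64
import hashlib
import re

# Constructed example, not Tomcat's code: validate the Sec-WebSocket-Key
# request header without decoding it, then derive Sec-WebSocket-Accept
# (RFC 6455, section 4.2.2) for a key that passed.

# RFC 6455 requires the key to be 16 random bytes in base64, which is
# always 24 characters: 22 from the base64 alphabet plus "==" padding.
WS_KEY_LENGTH = 24
BASE64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]*$")
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def check_ws_key(value):
    """Return (ok, reason). The reason is suitable for a debug log line."""
    if value is None:
        return False, "header missing"
    if len(value) != WS_KEY_LENGTH:
        return False, f"length {len(value)}, expected {WS_KEY_LENGTH}"
    if not value.endswith("=="):
        return False, "missing '==' padding for 16 byte key"
    if BASE64_ALPHABET.match(value[:-2]) is None:
        return False, "character outside base64 alphabet"
    return True, "ok"


def is_valid_ws_key(value):
    return check_ws_key(value)[0]


def ws_accept(key):
    """Sec-WebSocket-Accept = base64(SHA-1(key + GUID)); valid keys only."""
    ok, reason = check_ws_key(key)
    if not ok:
        raise ValueError("invalid Sec-WebSocket-Key: " + reason)
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")
```

Rejecting a malformed key before the SHA-1 step means the handshake fails with a 400 rather than proceeding to an upgrade on the basis of a header the client could not have produced from 16 random bytes.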
</fix>
</changelog>
</subsection>
<subsection name="Web applications">
<changelog>
<fix>
<bug>66542</bug>: Documentation. Update the JNDI documentation to
replace references to JavaMail with references to Jakarta Mail. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<add>
Improvements to French translations. (remm)
</add>
<add>
Improvements to Japanese translations. Contributed by Shirayuking and
tak7iji. (markt)
</add>
<add>
Improvements to Chinese translations. Contributed by totoo. (markt)
</add>
<scode>
Refactor code using <code>MD5Encoder</code> to use
<code>HexUtils.toHexString()</code>. (markt)
</scode>
<fix>
<bug>66507</bug>: Fix a bug where <code>$JAVA_OPTS</code> was not passed
to the JVM in <code>catalina.sh</code> when calling <code>version</code>.
Patch suggested by Eric Hamilton. (lihan)
</fix>
<update>
Update the internal fork of Commons DBCP to f131286 (2023-03-08,
2.10.0-SNAPSHOT). This corrects a regression introduced in 10.1.5.
(markt)
</update>
<fix>
Improve the error messages if <code>JRE_HOME</code> or
<code>JAVA_HOME</code> are not set correctly. On Windows, align the
handling of <code>JRE_HOME</code> and <code>JAVA_HOME</code> for the
start-up scripts and the service install script. (markt)
</fix>
<update>
Update to the Eclipse JDT compiler 4.27. (markt)
</update>
<update>
Update UnboundID to 6.0.8. (markt)
</update>
<update>
Update Checkstyle to 10.9.3. (markt)
</update>
<update>
Update Jacoco to 0.8.9. (markt)
</update>
<fix>
Enhance PEMFile to load from an InputStream. Patch provided by
Romain Manni-Bucau. (schultz)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 10.1.7 (schultz)" rtext="2023-03-03">
<subsection name="General">
<changelog>
<fix>
Fix a bug where <code>SynchronizedStack</code> could allocate more memory
than its configured limit, reducing memory footprint. (lihan)
</fix>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<add>
Add support for <code>txt:</code> and <code>rnd:</code> rewrite map
types from mod_rewrite. Based on pull request <pr>591</pr>
provided by Dimitrios Soumis. (remm)
</add>
<update>
Provide a more appropriate response (501 rather than 400) when rejecting
an HTTP request using the CONNECT method. (markt)
</update>
<fix>
<bug>66488</bug>: Correct a regression introduced in the fix for bug
<bug>66196</bug> that meant that the HTTP headers and/or request line
could get corrupted (one part overwriting another part) within a single
request. (markt)
</fix>
<fix>
<bug>66491</bug>: Revert the switch to using the ServiceLoader mechanism
to load the custom URL protocol handlers that Tomcat uses. The original
system property based approach has been restored. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<add>
Add a check for the validity of the scheme pseudo-header in HTTP/2.
(markt)
</add>
<fix>
<bug>66482</bug>: Restore inline state after an async operation in NIO2,
to account for the fact that unexpected exceptions are sometimes thrown
by the implementation. Patch submitted by zhougang. (remm)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 10.1.6 (schultz)" rtext="2023-02-24">
<subsection name="Catalina">
<changelog>
<fix>
Allow a Valve to access cookies from a request that cannot be mapped to
a Context. (markt)
</fix>
<fix>
<bug>66438</bug>: Correct names of Jakarta modules in JPMS metadata.
(markt)
</fix>
<update>
Switch to using the ServiceLoader mechanism to load the custom URL
protocol handlers that Tomcat uses. (markt)
</update>
<fix>
Avoid possible ISE when scanning from bad JAR URLs, to restore the
previous behavior following the removal of Java 9+ reflection code which
caught the ISE. (remm)
</fix>
<fix>
Refactor uses of <code>String.replaceAll()</code> to use
<code>String.replace()</code> where regular expressions were not being
used. Pull request <pr>581</pr> provided by Andrei Briukhov. (markt)
</fix>
<add>
Add an error report valve that allows redirecting to, or proxying from,
an external web server. Based on code and ideas from pull request
<pr>506</pr> provided by Max Fortun. (remm)
</add>
<add>
<bug>66470</bug>: Add the Shared Address Space defined by RFC 6598
(100.64.0.0/10) to the regular expression used to identify internal
proxies for the <code>RemoteIpFilter</code> and
<code>RemoteIpValve</code>. (markt)
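As an added illustration of why this range matters (example code, not Tomcat's <code>RemoteIpFilter</code>): the X-Forwarded-For evaluation a proxy-aware filter performs, with the internal proxy ranges written as networks rather than Tomcat's regular expression. The list of ranges is this example's own, chosen in the spirit of the documented defaults; the sample addresses are constructed. It shows that before 100.64.0.0/10 was treated as internal, a request arriving from a proxy in that range was not trusted at all and the original peer address was kept.

```python
import ipaddress

# Constructed example, not Tomcat's code: X-Forwarded-For evaluation with
# the internal proxy ranges expressed as networks. The ranges below are this
# example's own list in the spirit of Tomcat's documented defaults
# (private, loopback, link-local) plus, after this change, the RFC 6598
# Shared Address Space.
INTERNAL_PROXIES_PRE_RFC6598 = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "127.0.0.0/8", "::1/128",
)]
INTERNAL_PROXIES = INTERNAL_PROXIES_PRE_RFC6598 + [
    ipaddress.ip_network("100.64.0.0/10"),
]


def is_internal_proxy(addr, internal=INTERNAL_PROXIES):
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False  # malformed hop: never treat as a trusted proxy
    return any(ip in net for net in internal)


def resolve_client_ip(remote_addr, x_forwarded_for, internal=INTERNAL_PROXIES):
    """Return (client_ip, remaining_hops).

    The header is only trusted when the TCP peer itself is an internal
    proxy; otherwise it is ignored (remaining_hops is None), since any
    client can send it. Hops are consumed from the right: internal proxies
    are dropped, the first other address becomes the client, and hops to
    its left are left untouched for the application to see.
    """
    if not is_internal_proxy(remote_addr, internal):
        return remote_addr, None
    hops = []
    if x_forwarded_for:
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    while hops:
        candidate = hops.pop()
        if not is_internal_proxy(candidate, internal):
            return candidate, hops
    # Every hop was an internal proxy: keep the peer address.
    return remote_addr, hops
```

The first two test cases below are the same request evaluated with and without the 100.64.0.0/10 entry; the third shows that a spoofed header from an untrusted peer is ignored either way.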
</add>
<fix>
<bug>66471</bug>: Fix the <code>JSESSIONID</code> cookie missing the
secure attribute when <code>RemoteIpFilter</code> determines that the
request was submitted via a secure channel. (lihan)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<add>
Log basic information for each configured TLS certificate when Tomcat
starts. (markt)
</add>
<fix>
<bug>66442</bug>: When an HTTP/2 response must not include a body,
ensure that the end of stream flag is set on the headers frame and that
no data frame is sent. (markt)
</fix>
<fix>
<bug>66455</bug>: Fix the cause of a potential
<code>ClassCastException</code> when processing a
<code>WINDOW_UPDATE</code> frame on an HTTP/2 connection where the flow
control window for the overall connection has been exhausted. (markt)
</fix>
<fix>
Fix a regression introduced in 10.1.0-M17 that prevented HTTP/2
connections from timing out when using a Connector configured with
<code>useAsyncIO=true</code> (the default). (markt)
</fix>
<add>
Provide dedicated loggers
(<code>org.apache.tomcat.util.net.NioEndpoint.certificate</code> /
<code>org.apache.tomcat.util.net.Nio2Endpoint.certificate</code>) for
logging of configured TLS certificates. (markt)
</add>
</changelog>