<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!DOCTYPE document [
<!ENTITY project SYSTEM "project.xml">
<!-- DTD is used to validate changelog structure at build time. BZ 64931. -->
<!ELEMENT document (project?, properties, body)>
<!ATTLIST document url CDATA #REQUIRED>
<!-- body and title are used both in project.xml and in this document -->
<!ELEMENT body ANY>
<!ELEMENT title (#PCDATA)>
<!-- Elements of project.xml -->
<!ELEMENT project (title, logo, body)>
<!ATTLIST project name CDATA #REQUIRED>
<!ATTLIST project href CDATA #REQUIRED>
<!ELEMENT logo (#PCDATA)>
<!ATTLIST logo href CDATA #REQUIRED>
<!ELEMENT menu (item+)>
<!ATTLIST menu name CDATA #REQUIRED>
<!ELEMENT item EMPTY>
<!ATTLIST item name CDATA #REQUIRED>
<!ATTLIST item href CDATA #REQUIRED>
<!-- Elements of this document -->
<!ELEMENT properties (author*, title, no-comments) >
<!ELEMENT author (#PCDATA)>
<!ATTLIST author email CDATA #IMPLIED>
<!ELEMENT no-comments EMPTY>
<!ELEMENT section (subsection)*>
<!ATTLIST section name CDATA #REQUIRED>
<!ATTLIST section rtext CDATA #IMPLIED>
<!ELEMENT subsection (changelog+)>
<!ATTLIST subsection name CDATA #REQUIRED>
<!ELEMENT changelog (add|update|fix|scode|docs|design)*>
<!ELEMENT add ANY>
<!ELEMENT update ANY>
<!ELEMENT fix ANY>
<!ELEMENT scode ANY>
<!ELEMENT docs ANY>
<!ELEMENT design ANY>
<!ELEMENT bug (#PCDATA)>
<!ELEMENT rev (#PCDATA)>
<!ELEMENT pr (#PCDATA)>
<!-- Random HTML markup tags. Add more here as needed. -->
<!ELEMENT a (#PCDATA)>
<!ATTLIST a href CDATA #REQUIRED>
<!ATTLIST a rel CDATA #IMPLIED>
<!ELEMENT b (#PCDATA)>
<!ELEMENT code (#PCDATA)>
<!ELEMENT em (#PCDATA)>
<!ELEMENT strong (#PCDATA)>
<!ELEMENT tt (#PCDATA)>
]>
<?xml-stylesheet type="text/xsl" href="tomcat-docs.xsl"?>
<document url="changelog.html">
&project;
<properties>
<title>Changelog</title>
<no-comments />
</properties>
<body>
<!--
Subsection ordering:
General, Catalina, Coyote, Jasper, Cluster, WebSocket, Web applications,
Extras, Tribes, jdbc-pool, Other
Item Ordering:
Fixes having an issue number are sorted by their number, ascending.
There is no ordering by add/update/fix/scode/docs/design.
Other fixed issues are added to the end of the list, chronologically.
They eventually become mixed with the numbered issues (i.e., numbered
issues do not "pop up" wrt. others).
-->
<section name="Tomcat 11.0.0-M8 (markt)" rtext="in development">
<subsection name="Catalina">
<changelog>
<fix>
Fix an edge case where intra-web application symlinks would be followed
if the web applications were deliberately crafted to allow it even when
<code>allowLinking</code> was set to <code>false</code>. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
<bug>66627</bug>: Restore the documented behaviour of
<code>MessageBytes.getType()</code> that it returns the type of the
original content rather than reflecting the most recent conversion.
(markt)
</fix>
</changelog>
</subsection>
<subsection name="WebSocket">
<changelog>
<fix>
Improve handling of error conditions for the WebSocket server,
particularly during Tomcat shutdown. (markt)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 11.0.0-M7 (markt)" rtext="release in progress">
<subsection name="General">
<changelog>
<update>
Increase the minimum supported Java version to Java 21. (markt)
</update>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<scode>
Move the management of the utility executor from the
<code>init()</code>/<code>destroy()</code> methods of components to the
<code>start()</code>/<code>stop()</code> methods. (markt)
</scode>
<add>
Add RateLimitFilter which can be used to mitigate DoS and Brute Force
attacks. (isapir)
</add>
<scode>
Remove support for using the <code>^</code> character to separate the
WAR file and WAR contents in Tomcat's custom WAR URL handler. The
current default separator character of <code>*</code> remains unchanged.
(markt)
</scode>
<add>
Add <code>org.apache.catalina.core.StandardVirtualThreadExecutor</code>,
a virtual thread based executor that may be used with one or more
Connectors to process requests received by those Connectors using
virtual threads. (markt)
</add>
<fix>
<bug>66513</bug>: Add a per session Semaphore to the
<code>PersistentValve</code> that ensures that, within a single Tomcat
instance, there is no more than one concurrent request per session. Also
expand the debug logging to include whether a request bypasses the Valve
and the reason if a request fails to obtain the per session Semaphore.
(markt)
</fix>
<fix>
<bug>66609</bug>: Ensure that the default servlet correctly escapes
file names in directory listings when using XML output. Based on pull
request <pr>621</pr> by Alex Kachanov. (markt)
</fix>
<add>
<bug>66618</bug>: Add a numeric last modified field to the XML directory
listings produced by the default servlet to enable sorting in the XSLT.
Pull request <pr>622</pr> by Alex Kachanov. (markt)
</add>
<fix>
<bug>66621</bug>: Attempts to lock a collection with WebDAV may
incorrectly fail if a child collection has an expired lock. (markt)
</fix>
<fix>
<bug>66622</bug>: Remove the <code>xssProtectionEnabled</code> setting
from the <code>HttpHeaderSecurityFilter</code> as support for the
associated HTTP header has been removed from all major browsers. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
<bug>66602</bug>: not sending WINDOW_UPDATE when dataLength is ZERO
on call SwallowedDataFramePayload. Pull request #619 by
ledefe. (lihan)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<update>
Update to Commons Daemon 1.3.4. (markt)
</update>
<add>
Improvements to French translations. (remm)
</add>
<update>
Update Checkstyle to 10.12.0. (markt)
</update>
<update>
Update the packaged version of the Apache Tomcat Native Library to 2.0.4
to pick up the Windows binaries built with OpenSSL 3.0.9. (markt)
</update>
</changelog>
</subsection>
</section>
<section name="Tomcat 11.0.0-M6 (markt)" rtext="2023-05-09">
<subsection name="Catalina">
<changelog>
<fix>
<bug>66567</bug>: Fix missing <code>IllegalArgumentException</code>
after the Tomcat code was converted to using URI instead of URL. (remm)
</fix>
<fix>
Escape timestamp output in <code>AccessLogValve</code> if a
<code>SimpleDateFormat</code> is used which contains verbatim
characters that need escaping. (rjung)
</fix>
<update>
Change output of vertical tab in <code>AccessLogValve</code> from
<code>\v</code> to <code>\u000b</code>. (rjung)
</update>
<update>
Improve performance of escaping in <code>AccessLogValve</code>
roughly by a factor of two. (rjung)
</update>
<update>
Improve <code>JsonAccessLogValve</code>: support more patterns
like for headers and attributes. Those will be logged as sub objects.
(rjung)
</update>
<fix>
<pr>613</pr>: Fix possible partial corrupted file copies when using
file locking protection or the manager servlet. Submitted
by Jack Shirazi. (remm)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<add>
Add support for a new character set, <code>gb18030-2022</code>,
introduced in Java 21, to the character set caching mechanism. (markt)
</add>
<fix>
Fix an edge case in HTTP header parsing and ensure that HTTP headers
without names are treated as invalid. (markt)
</fix>
<update>
Remove support for the HTTP Connector settings
<code>rejectIllegalHeader</code> and
<code>allowHostHeaderMismatch</code>. These are now hard-coded to the
previous defaults. (markt)
</update>
<fix>
<bug>66591</bug>: Fix a regression introduced in the fix for
<bug>66512</bug> that meant that an AJP Send Headers was not sent for
responses where no HTTP headers were set. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>66582</bug>: Account for EL having stricter requirements for static
imports than JSPs when adding JSP static imports to the EL context.
(markt)
</fix>
</changelog>
</subsection>
<subsection name="WebSocket">
<changelog>
<fix>
<bug>66574</bug>: Refactor WebSocket session close to remove the lock on
the <code>SocketWrapper</code> which was a potential cause of deadlocks
if the application code used simulated blocking. (markt)
</fix>
<fix>
<bug>66575</bug>: Avoid unchecked use of the backing array of a
buffer provided by the user in the compression transformation. (remm)
</fix>
<fix>
Improve exception handling when flushing batched messages during
WebSocket session close. (markt)
</fix>
<fix>
<bug>66581</bug>: Update <code>AsyncChannelGroupUtil</code> to align it
with the current defaults for AsynchronousChannelGroup. Pull request
<pr>612</pr> by Matthew Painter. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<add>
Improvements to French translations. (remm)
</add>
<add>
Improvements to Chinese translations. (lihan)
</add>
<update>
Update Checkstyle to 10.10.0. (markt)
</update>
<update>
Update Jacoco to 0.8.10. (markt)
</update>
<update>
Update the packaged version of the Tomcat Migration Tool for Jakarta EE
to 1.0.7. (markt)
</update>
</changelog>
</subsection>
</section>
<section name="Tomcat 11.0.0-M5 (markt)" rtext="2023-04-19">
<subsection name="Catalina">
<changelog>
<add>
Add a <code>doPatch</code> method to <code>HttpServlet</code> to provide
support for the HTTP <code>PATCH</code> method as defined in RFC 5789.
This is one of the changes in the Servlet 6.1 API. (markt)
</add>
<fix>
<bug>65995</bug>: Implement RFC 9239 and use
<code>text/javascript</code> as the media type for JavaScript rather
than <code>application/javascript</code>. (markt)
</fix>
<scode>
Tomcat no longer sets the <code>java.protocol.handler.pkgs</code> system
property when starting. Users are now free to configure this property if
they wish. (markt)
</scode>
<add>
Add an access log valve that uses a json format. Based on pull request
<pr>539</pr> provided by Thomas Meyer. (remm)
</add>
<add>
Harden the FORM authentication process against DoS attacks by using a
reduced session timeout if the FORM authentication process creates a
session. The duration of this timeout is configured by the
<code>authenticationSessionTimeout</code> attribute of the FORM
authenticator. (markt)
</add>
<add>
Implement the new Servlet API methods that provide additional control
when sending a redirect to the client. (markt)
</add>
<add>
Update Digest authentication support to align with RFC 7616. This adds a
new configuration attribute, <code>algorithms</code>, to the
<code>DigestAuthenticator</code> with a default of
<code>SHA-256,MD5</code>. (markt)
</add>
<update>
Reduce the default value of <code>maxParameterCount</code> from 10,000
to 1,000. (markt)
</update>
<fix>
<bug>66527</bug>: Correct the Javadoc for the
<code>Tomcat.addWebapp()</code> methods that incorrectly stated that the
<code>docBase</code> parameter could be a relative path. (markt)
</fix>
<fix>
<bug>66524</bug>: Correct eviction ordering in WebResource cache to
be LRU as intended. (schultz)
</fix>
<update>
Add support code for custom user attributes in <code>RealmBase</code>.
Based on code from <pr>473</pr> by Carsten Klein. (remm)
</update>
<fix>
Expand the set of HTTP request headers considered sensitive that should
be skipped when generating a response to a <code>TRACE</code> request.
This aligns with the current draft of the Servlet 6.1 specification.
(markt)
</fix>
<fix>
<bug>66541</bug>: Improve handling for cached resources for resources
that use custom URL schemes. The scheme specific <code>equals()</code>
and <code>hashCode()</code> algorithms, if present, will now be used for
URLs for these resources. This addresses a potential performance issue
with some OSGi custom URL schemes that can trigger potentially slow DNS
lookups in some configurations. Based on a patch provided by Tom
Whitmore. (markt)
</fix>
<fix>
When using a custom session manager deployed as part of the web
application, avoid <code>ClassNotFoundException</code>s when validating
session IDs extracted from requests. (markt)
</fix>
<fix>
<bug>66543</bug>: Give <code>StandardContext#fireRequestDestroyEvent</code>
its own log message. (fschumacher)
</fix>
<fix>
<bug>66554</bug>: Initialize Random during server initialization to
avoid possible JVM thread creation in the webapp context on some
platforms. (remm)
</fix>
<update>
Make the server utility executor available to webapps using a Servlet
context attribute named
<code>org.apache.tomcat.util.threads.ScheduledThreadPoolExecutor</code>. (remm)
</update>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
JSON filter should support specific escaping for common special
characters as defined in RFC 8259. Based on code submitted by
Thomas Meyer. (remm)
</fix>
<fix>
<bug>66511</bug>: Fix <code>GzipOutputFilter</code> (used for compressed
HTTP responses) when used with direct buffers. Patch suggested by Arjen
Poutsma. (markt)
</fix>
<fix>
<bug>66512</bug>: Align AJP handling of invalid HTTP response headers
(they are now removed from the response) with HTTP. (markt)
</fix>
<fix>
<bug>66530</bug>: Correct a regression in the fix for bug
<bug>66442</bug> that meant that streams without a response body did not
decrement the active stream count when completing leading to
<code>ERR_HTTP2_SERVER_REFUSED_STREAM</code> for some connections.
(markt)
</fix>
<fix>
Remove use of deprecated classes in the <code>javax.security.cert</code>
package. Pull request <pr>608</pr> provided by Eirik Bjorsnos. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
Fix bug that meant some instances of coercing a
<code>LambdaExpression</code> to a functional interface invocation
failed. (markt)
</fix>
<fix>
<bug>66536</bug>: Fix parsing of tag files that meant that tag
directives could be ignored for some tag files. (markt)
</fix>
<add>
Align the EL implementation with the latest changes to the Jakarta EL
specification and add support for the length attribute to the
<code>ArrayElResolver</code>. (markt)
</add>
</changelog>
</subsection>
<subsection name="Cluster">
<changelog>
<fix>
<bug>66535</bug>: Redefine the <code>maxValidTime</code> attribute of
<code>FarmWarDeployer</code> to be the maximum time allowed between
receiving parts of a transferred file before the transfer is cancelled
and the associated resources cleaned-up. A new warning message will be
logged if the file transfer is cancelled. (markt)
</fix>
</changelog>
</subsection>
<subsection name="WebSocket">
<changelog>
<fix>
<bug>66508</bug>: When using WebSocket with NIO2, avoid waiting for
a timeout before sending the close frame if an I/O error occurs during a
write. (markt)
</fix>
<fix>
<bug>66548</bug>: Expand the validation of the value of the
<code>Sec-Websocket-Key</code> header in the HTTP upgrade request that
initiates a WebSocket connection. The value is not decoded but it is
checked for the correct length and that only valid characters from the
base64 alphabet are used. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Web applications">
<changelog>
<fix>
<bug>66542</bug>: Documentation. Update the JNDI documentation to
replace references to JavaMail with references to Jakarta Mail. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<add>
Improvements to French translations. (remm)
</add>
<add>
Improvements to Japanese translations. Contributed by Shirayuking and
tak7iji. (markt)
</add>
<add>
Improvements to Chinese translations. Contributed by totoo. (markt)
</add>
<scode>
Refactor code using <code>MD5Encoder</code> to use
<code>HexUtils.toHexString()</code>. (markt)
</scode>
<fix>
<bug>66507</bug>: Fix a bug where <code>$JAVA_OPTS</code> was not passed
to the JVM in <code>catalina.sh</code> when calling <code>version</code>.
Patch suggested by Eric Hamilton. (lihan)
</fix>
<update>
Update the internal fork of Commons DBCP to f131286 (2023-03-08,
2.10.0-SNAPSHOT). This corrects a regression introduced in 11.0.0-M2.
(markt)
</update>
<fix>
Improve the error messages if <code>JRE_HOME</code> or
<code>JAVA_HOME</code> are not set correctly. On Windows, align the
handling of <code>JRE_HOME</code> and <code>JAVA_HOME</code> for the
start-up scripts and the service install script. (markt)
</fix>
<update>
Update to the Eclipse JDT compiler 4.27. (markt)
</update>
<update>
Update UnboundID to 6.0.8. (markt)
</update>
<update>
Update Checkstyle to 10.9.3. (markt)
</update>
<update>
Update Jacoco to 0.8.9. (markt)
</update>
<fix>
Enhance PEMFile to load from an InputStream. Patch provided by
Romain Manni-Bucau. (schultz)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 11.0.0-M4 (markt)" rtext="2023-03-06">
<subsection name="General">
<changelog>
<fix>
Fix a bug where memory allocation was larger than the limit in
<code>SynchronizedStack</code>, to reduce the memory footprint. (lihan)
</fix>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<add>
Add support for <code>txt:</code> and <code>rnd:</code> rewrite map
types from mod_rewrite. Based on a pull request <pr>591</pr>
provided by Dimitrios Soumis. (remm)
</add>
<update>
Provide a more appropriate response (501 rather than 400) when rejecting
an HTTP request using the CONNECT method. (markt)
</update>
<fix>
<bug>66491</bug>: Revert the switch to using the ServiceLoader mechanism
to load the custom URL protocol handlers that Tomcat uses. The original
system property based approach has been restored. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<add>
Add a check for the validity of the scheme pseudo-header in HTTP/2.
(markt)
</add>
<fix>
<bug>66482</bug>: Restore inline state after async operation in NIO2,
to account for the fact that unexpected exceptions are sometimes thrown
by the implementation. Patch submitted by zhougang. (remm)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<add>
Provide an implementation of the sub-set of JavaBeans support that does
not depend on the <code>java.beans</code> package. This is for use by
Expression Language when the <code>java.desktop</code> module (which is
where the <code>java.beans</code> package resides) is not available.
(markt)
</add>
</changelog>
</subsection>
</section>
<section name="Tomcat 11.0.0-M3 (markt)" rtext="2023-02-23">
<subsection name="General">
<changelog>
<update>
Increase the minimum supported Java version to Java 17. Note that
Jakarta EE 11 permits a minimum Java version of 21. The minimum Java
version for Tomcat 11 may be increased to Java 21 before the first
stable release. (markt)
</update>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<fix>
Allow a Valve to access cookies from a request that cannot be mapped to
a Context. (markt)
</fix>
<add>
Implement the new Servlet API methods for setting character encodings
that accept <code>Charset</code> objects. (markt)
</add>
<update>
The default HEAD response no longer includes some HTTP header fields
where the value is determined only while generating the content as per
section 9.3.2 of RFC 9110. (markt)
</update>
<fix>
<bug>66438</bug>: Correct names of Jakarta modules in JPMS metadata.
(markt)
</fix>
<update>
Switch to using the ServiceLoader mechanism to load the custom URL
protocol handlers that Tomcat uses. (markt)
</update>
<fix>
Switch to using <code>LongAdder</code> rather than
<code>AtomicInteger</code> to track request count and error count for
servlets. (markt)
</fix>
<fix>
Implement the clarification from the Jakarta Servlet project that
Servlets mapped to the context root should be mapped for requests to the
context root with or without the trailing <code>/</code>. (markt)
</fix>
<fix>
Implement the clarification from the Jakarta Servlet project that
calling <code>ServletOutputStream.close()</code> on a stream in
non-blocking mode returns immediately with the stream effectively closed
and any data remaining to be written is written in the background by the
container. (markt)
</fix>
<fix>
Avoid possible ISE when scanning from bad JAR URLs, to restore the
previous behavior following the removal of Java 9+ reflection code which
caught the ISE. (remm)
</fix>
<fix>
Refactor uses of <code>String.replaceAll()</code> to use
<code>String.replace()</code> where regular expressions were not being
used. Pull request <pr>581</pr> provided by Andrei Briukhov. (markt)
</fix>
<add>
Add error report valve that allows redirecting to or proxying from an
external web server. Based on code and ideas from pull request
<pr>506</pr> provided by Max Fortun. (remm)
</add>
<add>
<bug>66470</bug>: Add the Shared Address Space defined by RFC 6598
(100.64.0.0/10) to the regular expression used to identify internal
proxies for the <code>RemoteIpFilter</code> and
<code>RemoteIpValve</code>. (markt)
</add>
<fix>
<bug>66471</bug>: Fix JSessionId secure attribute missing when
<code>RemoteIpFilter</code> determines that this request was submitted
via a secure channel. (lihan)
</fix>
<add>
Add the additional HTTP status code constants to
<code>HttpServletResponse</code> defined by the Jakarta Servlet project
for the Servlet 6.1 API. (markt)
</add>
<fix>
Implement the clarification from the Jakarta Servlet project that
calling one of the <code>HttpServletResponse</code> methods for setting
HTTP header values with <code>null</code> as the new header value
removes any existing header of that name. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<add>
Log basic information for each configured TLS certificate when Tomcat
starts. (markt)
</add>
<fix>
<bug>66442</bug>: When an HTTP/2 response must not include a body,
ensure that the end of stream flag is set on the headers frame and that
no data frame is sent. (markt)
</fix>
<fix>
Fix a bug that prevented HTTP/2 connections from timing out when using
a Connector configured with <code>useAsyncIO=true</code> (the default).
(markt)
</fix>
<add>
Provide dedicated loggers
(<code>org.apache.tomcat.util.net.NioEndpoint.certificate</code> /
<code>org.apache.tomcat.util.net.Nio2Endpoint.certificate</code>) for
logging of configured TLS certificates. (markt)
</add>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>66419</bug>: Fix calls from expression language to a method that
accepts varargs when only one argument was passed. (markt)
</fix>
<fix>
<bug>66441</bug>: Make imports of static fields in JSPs visible to any
EL expressions used on the page. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Web applications">
<changelog>
<fix>
<bug>66429</bug>: Documentation. Limit access to the documentation web
application to localhost by default. (markt)
</fix>
<fix>
<bug>66429</bug>: Examples. Limit access to the examples web application
to localhost by default. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<update>
Update BND to 6.4.0. (markt)
</update>
<update>
Remove support for starting Tomcat under a SecurityManager. (markt)
</update>
<add>
Improvements to Chinese translations. (lihan)
</add>
<add>
Improvements to French translations. (remm)
</add>
<add>
Improvements to Japanese translations. Contributed by tak7iji. (markt)
</add>
<add>
Improvements to Korean translations. (woonsan)
</add>
<update>
Update the packaged version of the Apache Tomcat Native Library to 2.0.3
to pick up the Windows binaries built with OpenSSL 3.0.8. (markt)
</update>
</changelog>
</subsection>
</section>
<section name="Tomcat 11.0.0-M2 (markt)" rtext="not released">
<subsection name="Catalina">
<changelog>
<add>
Update the <code>ServletInputStream</code> and
<code>ServletOutputStream</code> classes in the Servlet API to align with
the recent updates in the Jakarta Servlet specification to support
reading and writing with <code>ByteBuffer</code>s. The changes also
clarified various aspects of the Servlet non-blocking API. (markt)
</add>
<fix>
<bug>66388</bug>: Correct a regression in the refactoring that replaced
the use of the <code>URL</code> constructors. The regression broke
lookups for resources that contained one or more characters in their
name that required escaping when used in a URI path. (markt)
</fix>
<fix>
<bug>66392</bug>: Change the default value of <code>AccessLogValve</code>'s
file encoding to UTF-8 and update documentation. (lihan)
</fix>
<fix>
<bug>66393</bug>: Align <code>ExtendedAccessLogValve</code>'s x-P(XXX) with the
documentation. (lihan)
</fix>
<fix>
Remove JAX-RPC support which was removed from the Jakarta EE platform
for Jakarta EE 9. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Update Cookie parsing and handling to treat the quotes in a quoted
cookie value as part of the value as required by RFC 6265 and explicitly
clarified in RFC 6265bis. (markt)
</fix>
<add>
Add an RFC 8941 structured field parser. (markt)
</add>
<add>
Add a parser for the <code>priority</code> HTTP header field defined in
RFC 9218. (markt)
</add>
<fix>
When resetting an HTTP/2 stream because the final response has been
generated before the request has been fully read, use the HTTP/2 error
code <code>NO_ERROR</code> so that the client does not discard the response.
Based on a suggestion by Lorenzo Dalla Vecchia. (markt)
</fix>
<fix>
<bug>66385</bug>: Correct a bug in HTTP/2 where a non-blocking read for
a new frame with the NIO2 connector was incorrectly made using the read
timeout leading to unexpected stream closure. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>66370</bug>: Change the default of the
<code>org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED</code> system
property to <code>true</code> unless the EL library is running on Tomcat
in which case the default remains <code>false</code> as the EL library
is already called from within a privileged block and skipping the
unnecessary privileged block improves performance. (markt)
</fix>
<add>
Add support for specifying Java 21 (with the value <code>21</code>) as
the compiler source and/or compiler target for JSP compilation. If used
with an Eclipse JDT compiler version that does not support these values,
a warning will be logged and the default will be used.
(markt)
</add>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<update>
Update the packaged version of the Apache Tomcat Migration Tool for
Jakarta EE to 1.0.6. (markt)
</update>
<update>
Update the internal fork of Apache Commons BCEL to 2ee2bff (2023-01-03,
6.7.1-SNAPSHOT). (markt)
</update>
<update>
Update the internal fork of Apache Commons Codec to 3eafd6c (2023-01-03,
1.16-SNAPSHOT). (markt)
</update>
<update>
Update the internal fork of Apache Commons FileUpload to 34eb241
(2023-01-03, 2.0-SNAPSHOT). (markt)
</update>
<update>
Update the internal fork of Apache Commons DBCP to f131286 (2023-01-03,
2.10.0-SNAPSHOT). (markt)
</update>
<add>
Improvements to Japanese translations. Contributed by Shirayuking.
(markt)
</add>
<add>
Improvements to Portuguese translations. Contributed by Guilherme
Custódio. (markt)
</add>
<update>
Update to the Eclipse JDT compiler 4.26. (markt)
</update>
<update>
Update Checkstyle to 10.6.0. (markt)
</update>
<update>
Update UnboundID to 6.0.7. (markt)
</update>
<update>
Update SpotBugs to 4.7.3. (markt)
</update>
</changelog>
</subsection>
</section>
<section name="Tomcat 11.0.0-M1 (markt)" rtext="2022-12-05">
<subsection name="General">
<changelog>
<scode>
This release contains all of the changes up to and including those in
Apache Tomcat 10.1.1 plus the additional changes listed below. (markt)
</scode>
</changelog>
</subsection>
<subsection name="Catalina">
<changelog>
<fix>
<bug>66175</bug>: Change the default character set used by the
<code>BasicAuthenticator</code> from ISO-8859-1 to UTF-8. (markt)
</fix>
<add>
<bug>66209</bug>: Add a configuration option to allow bloom filters used
to index JAR files to be retained for the lifetime of the web
application. Prior to this addition, the indexes were always flushed by
the periodic calls to <code>WebResourceRoot.gc()</code>. As part of this
addition, configuration of archive indexing moves from
<code>Context</code> to <code>WebResourceRoot</code>. Based on a patch
provided by Rahul Jaisimha. (markt)
</add>
<fix>
<bug>66330</bug>: Correct a regression introduced when fixing
<bug>62897</bug> that meant any value configured for
<code>skipMemoryLeakChecksOnJvmShutdown</code> on the
<code>Context</code> was ignored and the default was always used.
(markt)
</fix>
<fix>
<bug>66331</bug>: Fix a regression in refactoring for <code>Stack</code>
on the <code>SystemLogHandler</code> which caught the incorrect exception.
(lihan)
</fix>
<fix>
<bug>66338</bug>: Fix a regression that caused a nuance in refactoring
for <code>ErrorReportValve</code>. (lihan)
</fix>
<fix>
Escape values used to construct output for the
<code>JsonErrorReportValve</code> to ensure that it always outputs valid
JSON. (markt)
</fix>
<fix>
Correct the default implementation of
<code>HttpServletRequest.isTrailerFieldsReady()</code> to return
<code>true</code> so it is consistent with the default implementation of
<code>HttpServletRequest.getTrailerFields()</code> and with the Servlet
API provided by the Jakarta EE project. (markt)
</fix>
<fix>
Refactor <code>WebappLoader</code> so it only has a runtime dependency
on the migration tool for Jakarta EE if configured to use the converter
as classes are loaded. (markt)
</fix>
<fix>
Improve the behavior of the credential handler attribute that is set in
the Servlet context so that it actually reflects what is used during
authentication. (remm)
</fix>
<fix>
<bug>66359</bug>: Update javadoc for RemoteIpValve and RemoteIpFilter with
correct <code>protocolHeader</code> default value of "X-Forwarded-Proto".
(lihan)
</fix>
<add>
Add support for the new attribute for error dispatches
<code>jakarta.servlet.error.query_string</code>. (markt)
</add>
<update>
Update <code>ignoreAnnotation</code> attribute on <code>Context</code>
to dissociate it from <code>metadata-complete</code>. (remm)
</update>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Correct the date format used with the expires attribute of HTTP cookies.
A single space rather than a single dash should be used to separate the
day, month and year components to be compliant with RFC 6265. (markt)
</fix>
<add>
Include the name of the current stream state in the error message when a
stream is cancelled due to an attempt to write to the stream when it is
in a state that does not permit writes. (markt)
</add>
<scode>
NIO writes never return -1 so refactor <code>CLOSED_NIO_CHANNEL</code>
not to do so and remove checks for this return value. Based on
<pr>562</pr> by tianshuang. (markt)
</scode>
<scode>
Remove unnecessary code that exposed the <code>asyncTimeout</code> to
components that never used it. (markt)
</scode>
<fix>
Ensure that all <code>MessageBytes</code> conversions to byte arrays are
valid for the configured character set and throw an exception if not.
(markt)
</fix>
<fix>
When an HTTP/2 stream was reset, the current active stream count was not
reduced. If enough resets occurred on a connection, the current active
stream count limit was reached and no new streams could be created on
that connection. (markt)