<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!DOCTYPE document [
<!ENTITY project SYSTEM "project.xml">
]>
<?xml-stylesheet type="text/xsl" href="tomcat-docs.xsl"?>
<document url="changelog.html">
&project;
<properties>
<title>Changelog</title>
<no-comments />
</properties>
<body>
<!--
Subsection ordering:
General, Catalina, Coyote, Jasper, Cluster, WebSocket, Web applications,
Extras, Tribes, jdbc-pool, Other
Item Ordering:
Fixes having an issue number are sorted by their number, ascending.
There is no ordering by add/update/fix/scode.
Other fixed issues are added to the end of the list, chronologically.
They eventually become mixed with the numbered issues (i.e., numbered
issues do not "pop up" wrt. others).
-->
<section name="Tomcat 9.0.23 (markt)" rtext="in development">
<subsection name="Catalina">
<changelog>
<add>
<bug>62496</bug>: Add option to write auth information (remote user/auth type)
to response headers. (michaelo)
</add>
<add>
<bug>57665</bug>: Add support for the <code>X-Forwarded-Host</code>
header to the <code>RemoteIpFilter</code> and <code>RemoteIpValve</code>.
(markt)
</add>
<fix>
<bug>63550</bug>: Only try the <code>alternateURL</code> in the
<code>JNDIRealm</code> if one has been specified. (markt)
</fix>
<add>
<bug>63556</bug>: Mark request as forwarded in RemoteIpValve and
RemoteIpFilter (michaelo)
</add>
<fix>
If an unhandled exception occurs on an asynchronous thread started via
<code>AsyncContext.start(Runnable)</code>, process it using the standard
error page mechanism. (markt)
</fix>
<fix>
Discard large byte buffers allocated using setBufferSize when recycling
the request. (remm)
</fix>
<fix>
<bug>63579</bug>: Correct parsing of malformed OPTIONS requests and
reject them with a 400 response rather than triggering an internal error
that results in a 500 response. (markt)
</fix>
<fix>
<bug>63608</bug>: Align the implementation of the negative match feature
for patterns used with the <code>RewriteValve</code> with the
description in the documentation. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<scode>
Refactor the APR poller to always use a single pollset now that the
Windows operating systems that required multiple smaller pollsets to be
used are no longer supported. (markt)
</scode>
<fix>
<bug>63524</bug>: Improve the handling of PEM file based keys and
certificates that do not include a full certificate chain when
configuring the internal, in-memory key store. Improve the handling of
PKCS#1 formatted private keys when configuring the internal, in-memory
key store. (markt)
</fix>
<update>
Add callback when finishing the set properties rule in the digester.
(remm)
</update>
<fix>
<bug>63570</bug>: Fix regression retrieving local address with
the NIO connector. Submitted by Aditya Kadakia. (remm)
</fix>
<fix>
<bug>63568</bug>: Avoid error when trying to set tcpNoDelay on socket
types that do not support it, which can occur when using the NIO
inherited channel capability. Submitted by František Kučera. (remm)
</fix>
<fix>
Correct parsing of invalid host names that contain bytes in the range
128 to 255 and reject them with a 400 response rather than triggering an
internal error that results in a 500 response. (markt)
</fix>
<fix>
<bug>63571</bug>: Allow users to configure infinite TLS session caches
and/or timeouts. (markt)
</fix>
<fix>
<bug>63578</bug>: Improve handling of invalid requests so that 400
responses are returned to the client rather than 500 responses. (markt)
</fix>
<fix>
Fix h2spec test suite failure. It is an error if a Huffman encoded
string literal contains the EOS symbol. (jfclere)
</fix>
<add>
Connections that fail the TLS handshake will now appear in the access
logs with a 400 status code. (markt)
</add>
</changelog>
</subsection>
<subsection name="Cluster">
<changelog>
<fix>
Avoid failing Kubernetes membership (and preventing startup) if the
stream cannot be opened, to get the same behavior as the DNS based
membership. The namespace is still a failure on startup but it is easy
to provide. (remm)
</fix>
<fix>
Avoid non fatal NPEs with Tribes when JMX is not available. (remm)
</fix>
<fix>
Make Kube environment optional for Kube memberships, for easier testing
and Graal training. A warn log will occur if the environment is not
present. (remm)
</fix>
</changelog>
</subsection>
<subsection name="Web applications">
<changelog>
<fix>
<bug>63597</bug>: Update the custom 404 error page for the Host Manager
to take account of previous refactoring so that the page is used for
404 errors rather than falling back to the default error page. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<fix>
JNDI support for GraalVM native images. (remm)
</fix>
<fix>
JSP runtime library support for GraalVM native images. (remm)
</fix>
<fix>
java.util.logging configuration for GraalVM native images. (remm)
</fix>
<update>
Update Checkstyle to 8.22. (markt)
</update>
<update>
<bug>63310</bug>: Update to Commons Daemon 1.2.0. This provides improved
support for Java 11. This also changes the user configured by the
Windows installer for the Windows service from <code>Local System</code>
to the lower privileged <code>Local Service</code>. (markt)
</update>
<fix>
<bug>55969</bug>: Tighten up the security of the Apache Tomcat
installation created by the Windows installer. Change the default
shutdown port used by the Windows installer from <code>8005</code> to
<code>-1</code> (disabled). Limit access to the chosen installation
directory to local administrators, Local System and Local Service.
(markt)
</fix>
<add>
Expand the coverage and quality of the French translations provided
with Apache Tomcat. (remm)
</add>
<fix>
<bug>63567</bug>: Restore the passing of <code>$LOGGING_MANAGER</code>
to the jvm in <code>catalina.sh</code> when calling <code>stop</code>.
(markt)
</fix>
<fix>
Correct broken OSGi data in JAR file manifests. (markt)
</fix>
<fix>
Add "embed" to the <code>Bundle-Name</code> and
<code>Bundle-Symbolic-Name</code> for the Tomcat embedded WebSocket JAR
to align the naming with the other embedded JARs and to differentiate it
from the standard WebSocket JAR that does not include the API classes.
(markt)
</fix>
<fix>
<bug>63555</bug>: Add <code>Automatic-Module-Name</code> entries for
each of the Tomcat provided JARs included in the Tomcat embedded
distribution. (markt)
</fix>
<update>
Update dependency on bnd to 4.2.0. (markt)
</update>
<update>
Update the internal fork of Commons Codec to 3ebef4a (2018-08-01) to
pick up the fix for CODEC-134. (markt)
</update>
<update>
Update the internal fork of Commons Pool2 to 796e32d (2018-08-01) to
pick up the changes in Commons Pool2 2.7.0. (markt)
</update>
<update>
Update the internal fork of Commons DBCP2 to 87d9e3a (2018-08-01) to
pick up the changes in Commons DBCP2 2.7.0 RC1. (markt)
</update>
</changelog>
</subsection>
</section>
<section name="Tomcat 9.0.22 (markt)" rtext="2019-07-09">
<subsection name="Catalina">
<changelog>
<fix>
Improve parsing of Range request headers. (markt)
</fix>
<fix>
Range headers that specify a range unit Tomcat does not recognise should
be ignored rather than triggering a 416 response. Based on a pull
request by zhanhb. (markt)
</fix>
<fix>
When comparing a date from a <code>If-Range</code> header, an exact
match is required. Based on a pull request by zhanhb. (markt)
</fix>
<fix>
Add an option to the default servlet to disable processing of PUT
requests with Content-Range headers as partial PUTs. The default
behaviour (processing as partial PUT) is unchanged. Based on a pull
request by zhanhb. (markt)
</fix>
<fix>
Improve parsing of Content-Range headers. (markt)
</fix>
<update>
Update the recommended minimum Tomcat Native version to 1.2.23. (markt)
</update>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Remove a source of potential deadlocks when using HTTP/2 when the
Connector is configured with <code>useAsyncIO</code> as
<code>true</code>. (markt)
</fix>
<fix>
<bug>63523</bug>: Restore SSLUtilBase methods as protected to preserve
compatibility. (remm)
</fix>
<fix>
Fix typo in UTF-32LE charset name. Patch by zhanhb via GitHub.
(fschumacher)
</fix>
<fix>
Once a URI is identified as invalid don't attempt to process it further.
Based on a PR by Alex Repert. (markt)
</fix>
<fix>
Fix to avoid the possibility of long poll times for individual pollers
when using multiple pollers with APR. (markt)
</fix>
<fix>
Refactor the fix for <bug>63205</bug> so it only applies when using
PKCS12 keystores as regressions have been reported with some other
keystore types. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<add>
Include file names if SMAP processor is unable to delete or rename a
class file during SMAP generation. (markt)
</add>
<update>
Update to the Eclipse JDT compiler 4.12. (markt)
</update>
</changelog>
</subsection>
<subsection name="WebSocket">
<changelog>
<fix>
<bug>63521</bug>: As required by the WebSocket specification, if a POJO
that is deployed as a result of the SCI scan for annotated POJOs is
subsequently deployed via the programmatic API ignore the programmatic
deployment. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<fix>
Switch the check for terminal availability to test for stdin as using
stdout does not work when output is piped to another process. Patch
provided by Radosław Józwik. (markt)
</fix>
<add>
Add user buildable optional modules for easier CDI 2 and JAX-RS
support. Also include a new documentation page describing how
to use it. (remm)
</add>
</changelog>
</subsection>
</section>
<section name="Tomcat 9.0.21 (markt)" rtext="2019-06-07">
<subsection name="Catalina">
<changelog>
<add>
<bug>57287</bug>: Add file sorting to DefaultServlet (schultz)
</add>
<fix>
Fix <code>--no-jmx</code> flag processing, which was called after
registry initialization. (remm)
</fix>
<fix>
Ensure that a default request character encoding set on a
<code>ServletContext</code> is used when calling
<code>ServletRequest#getReader()</code>. (markt)
</fix>
<fix>
Make a best efforts attempt to clean-up if a request fails during
processing due to an <code>OutOfMemoryException</code>. (markt)
</fix>
<fix>
Improve the BoM detection for static files handled by the default
servlet for the rarely used UTF-32 encodings. Identified by Coverity
Scan. (markt)
</fix>
<fix>
Ensure that the default servlet reads the entire global XSLT file if
one is defined. Identified by Coverity Scan. (markt)
</fix>
<fix>
Avoid potential <code>NullPointerException</code> when generating an
HTTP <code>Allow</code> header. Identified by Coverity Scan. (markt)
</fix>
<scode>
Add <code>Context.createInstanceManager()</code> for easier framework
integration. (remm)
</scode>
<scode>
Add utility <code>org.apache.catalina.core.FrameworkListener</code> to
allow replicating adding a Listener to context.xml in a programmatic
way. (remm)
</scode>
<scode>
Move <code>Container.ADD_CHILD_EVENT</code> to before the child
container start, and <code>Container.REMOVE_CHILD_EVENT</code> to
before removal of the child from the internal child collection.
(remm)
</scode>
<add>
Remove any fragment included in the target path used to obtain a
<code>RequestDispatcher</code>. The requested target path is logged as a
warning since this is an application error. (markt)
</add>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
NIO poller seems to create some unwanted concurrency, causing rare
CI test failures. Add sync when processing async operation to avoid
this. (remm)
</fix>
<fix>
Fix concurrency issue that led to incorrect HTTP/2 connection timeout.
(remm/markt)
</fix>
<fix>
Avoid useless exception wrapping in async IO. (remm)
</fix>
<fix>
<bug>63412</bug>: Security manager failure when using the async IO
API from a webapp. (remm)
</fix>
<fix>
Remove <code>acceptorThreadCount</code> Connector attribute,
one accept thread is sufficient. As documented, value <code>2</code>
was the only other sensible value, but without an impact beyond
certain microbenchmarks. (remm)
</fix>
<fix>
Avoid possible NPEs on connector stop. (remm)
</fix>
<update>
Remove <code>pollerThreadCount</code> Connector attribute for NIO,
one poller thread is sufficient. (remm)
</update>
<add>
Add async IO for APR connector for consistency, but disable it by
default due to low performance. (remm)
</add>
<fix>
Avoid blocking write of internal buffer when using async IO. (remm)
</fix>
<scode>
Refactor async IO implementation to the <code>SocketWrapperBase</code>.
(remm)
</scode>
<update>
Refactor <code>SocketWrapperBase</code> close using an atomic boolean
and a <code>doClose</code> method that subclasses will implement, with
a guarantee that it will be run only once. (remm)
</update>
<fix>
Decouple the socket wrapper, which is not recycled, from the NIOx
channel after close, and replace it with a dummy static object. (remm)
</fix>
<fix>
Clear buffers on socket wrapper close. (remm)
</fix>
<fix>
NIO2 failed to properly close sockets on connector stop. (remm)
</fix>
<update>
Reduce the default for <code>maxConcurrentStreams</code> on the
<code>Http2Protocol</code> from 200 to 100 to align with typical
defaults for HTTP/2 implementations. (markt)
</update>
<update>
Reduce the default HTTP/2 header list size from 4GB to 32kB to align
with typical HTTP/2 implementations. (markt)
</update>
<add>
Add support for same-site cookie attribute. Patch provided by John
Kelly. (markt)
</add>
<fix>
Drop legacy NIO double socket close (close channel, then close
socket). (remm)
</fix>
<fix>
Fix HTTP/2 end of stream concurrency with async. (remm)
</fix>
<fix>
Correct a bug in the stream flushing code that could lead to multiple
threads processing the stream concurrently which in turn could cause
errors processing the stream. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Cluster">
<changelog>
<fix>
<bug>62841</bug>: Refactor the <code>DeltaRequest</code> serialization
to reduce the window during which the <code>DeltaSession</code> is
locked and to remove a potential cause of deadlocks during
serialization. (markt)
</fix>
<fix>
<bug>63441</bug>: Further streamline the processing of session creation
messages in the <code>DeltaManager</code> to reduce the possibility of a
session update message being processed before the session has been
created. (markt)
</fix>
</changelog>
</subsection>
<subsection name="WebSocket">
<changelog>
<fix>
Fix timeout logic for async non blocking writes. Identified by
Coverity Scan. (remm)
</fix>
</changelog>
</subsection>
<subsection name="Web applications">
<changelog>
<add>
Expand the explanation of how deprecated TLS configuration attributes
are converted to the new TLS configuration style. (markt)
</add>
</changelog>
</subsection>
<subsection name="Tribes">
<changelog>
<fix>
Treat <code>NoRouteToHostException</code> the same way as
<code>SocketTimeoutException</code> when checking the health of group
members. This avoids a SEVERE log message every time the check is
performed when the host associated with a group member is not powered
on. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<update>
Switch from FindBugs to SpotBugs. (fschumacher)
</update>
<update>
Start Graal native image compatibility, using the tomcat-maven
packaging. (remm)
</update>
<fix>
<bug>63403</bug>: Fix TestHttp2InitialConnection test failures when
running with a non-English locale. (kkolinko)
</fix>
<fix>
Add Graal JreCompat, and use it to disable JMX and URL stream handlers.
(remm)
</fix>
<add>
Expand the coverage and quality of the Czech translations provided
with Apache Tomcat. Includes contributions by Arnošt Havelka. (markt)
</add>
<add>
Expand the coverage and quality of the German translations provided
with Apache Tomcat. Includes contributions by Niklasmerz, dusiema and
Jens. (markt)
</add>
<add>
Expand the coverage and quality of the French translations provided
with Apache Tomcat. (remm)
</add>
<add>
Expand the coverage and quality of the Simplified Chinese translations
provided with Apache Tomcat. Includes contributions by 諵. (markt)
</add>
<fix>
Use the <code>test</code> command to check for terminal availability
rather than the <code>tty</code> command since the <code>tty</code>
based test fails on non-English locales. (markt)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 9.0.20 (markt)" rtext="2019-05-13">
<subsection name="Catalina">
<changelog>
<fix>
Fix some edge cases where the docBase was not being set using a canonical
path which in turn meant resource URLs were not being constructed as
expected. (markt)
</fix>
<fix>
Fix a potential resource leak when executing CGI scripts from a WAR
file. Identified by Coverity scan. (markt)
</fix>
<fix>
Fix a potential concurrency issue in the StringCache identified by
Coverity scan. (markt)
</fix>
<fix>
Fix a potential concurrency issue in the main Sendfile thread of the APR
connector. Identified by Coverity scan. (markt)
</fix>
<fix>
Fix a potential resource leak when running a web application from a WAR
file. Identified by Coverity scan. (markt)
</fix>
<fix>
Fix a potential resource leak on some exception paths in the
<code>DataSourceRealm</code>. Identified by Coverity scan. (markt)
</fix>
<fix>
Fix a potential resource leak on an exception path when parsing JSP
files. Identified by Coverity scan. (markt)
</fix>
<fix>
Fix a potential resource leak when a JNDI lookup returns an object of an
incompatible class. Identified by Coverity scan. (markt)
</fix>
<scode>
Refactor <code>ManagerServlet</code> to avoid loading classes when
filtering JNDI resources for resources of a specified type. (markt)
</scode>
<fix>
<bug>63324</bug>: Refactor the <code>CrawlerSessionManagerValve</code>
so that the object placed in the session is compatible with session
serialization with mem-cached. Patch provided by Martin Lemanski.
(markt)
</fix>
<add>
<bug>63358</bug>: Expand the <code>throwOnFailure</code> support in the
<code>Connector</code> to include the adding of a <code>Connector</code>
to a running <code>Service</code>. (markt)
</add>
<add>
<bug>63361</bug>: Add a new method
(<code>Registry.disableRegistry()</code>) that can be used to disable
JMX registration of Tomcat components providing it is called before the
first component is registered. (markt)
</add>
<fix>
Avoid <code>OutOfMemoryError</code>s and
<code>ArrayIndexOutOfBoundsException</code>s when accessing large files
via the default servlet when resource caching has been disabled. (markt)
</fix>
<fix>
Avoid a <code>NullPointerException</code> when a <code>Context</code> is
defined in <code>server.xml</code> with a <code>docBase</code> but not
the optional <code>path</code>. (markt)
</fix>
<fix>
<bug>63333</bug>: Override the <code>isAvailable()</code> method in the
<code>JAASRealm</code> so that only login failures caused by invalid
credentials trigger account lock out when the <code>LockOutRealm</code>
is in use. Patch provided by jchobantonov. (markt)
</fix>
<fix>
Add <code>--no-jmx</code> flag to allow disabling JMX in
<code>startup.Tomcat.main</code>. (remm)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
The <code>useAsyncIO</code> boolean attribute on the Connector element
value now defaults to <code>true</code>. (remm)
</fix>
<fix>
Possible HTTP/2 connection leak issue when using async with NIO. (remm)
</fix>
<fix>
Fix socket close discrepancies for NIO, now the wrapper close
is used everywhere except for socket accept problems. (remm)
</fix>
<fix>
Implement poller timeout when using async IO with NIO. (remm)
</fix>
<fix>
Avoid creating and using object caches when they are disabled. (remm)
</fix>
<fix>
When running on newer JREs that don't support SSLv2Hello, don't warn
that it is not available unless explicitly configured. (markt)
</fix>
<fix>
Change default value of <code>pollerThreadCount</code> of NIO
to <code>1</code>. (remm)
</fix>
<fix>
Associate BlockPoller thread name with its NIO connector for better
readability. (remm)
</fix>
<fix>
The async HTTP/2 frame parser should tolerate concurrency so clearing
shared buffers before attempting a read is not possible. (remm)
</fix>
<update>
Update the HTTP/2 connection preface and initial frame reading to be
asynchronous instead of blocking IO. (remm)
</update>
<scode>
Refactor Hostname validation to improve performance. Patch provided by
Uwe Hees. (markt)
</scode>
<update>
Add additional NIO2 style read and write methods closer to core NIO2,
for possible use with an asynchronous workflow like CompletableFuture.
(remm)
</update>
<fix>
Expand HTTP/2 timeout handling to include connection window exhaustion
on write. This is the fix for CVE-2019-10072. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
<bug>63359</bug>: Ensure that the type conversions used when converting
from strings for <code>jsp:setProperty</code> actions are correctly
implemented as per section JSP.1.14.2.1 of the JSP 2.3 specification.
(markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<fix>
<bug>63335</bug>: Ensure that stack traces written by the
<code>OneLineFormatter</code> are fully indented. The entire stack trace
is now indented by an additional TAB character. (markt)
</fix>
<fix>
<bug>63370</bug>: Message files (LocalStrings_*.properties) of the
examples webapp not converted to ascii. (woonsan)
</fix>
<add>
Expand the coverage and quality of the French translations provided
with Apache Tomcat. (remm)
</add>
<add>
Expand the coverage and quality of the Japanese translations provided
with Apache Tomcat. Includes contributions by motohashi.yuki. (markt)
</add>
<add>
Expand the coverage and quality of the Czech translations provided
with Apache Tomcat. Includes contributions by Arnošt Havelka. (markt)
</add>
<fix>
When using the <code>OneLineFormatter</code>, don't print a blank line
in the log after printing a stack trace. (markt)
</fix>
<update>
Update the internal fork of Apache Commons FileUpload to 41e4047
(2019-04-24) to pick up some enhancements. (markt)
</update>
<update>
Update the internal fork of Apache Commons DBCP 2 to dcdbc72
(2019-04-24) to pick up some clean-up and enhancements. (markt)
</update>
<update>
Update the internal fork of Apache Commons Pool 2 to 0664f4d
(2019-04-30) to pick up some enhancements and bug fixes. (markt)
</update>
</changelog>
</subsection>
</section>
<section name="Tomcat 9.0.19 (markt)" rtext="2019-04-13">
<subsection name="Catalina">
<changelog>
<fix>
Fix wrong JMX registration regression in 9.0.18. (remm)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<update>
Add vectoring for NIO in the base and SSL channels. (remm)
</update>
<add>
Add asynchronous IO from NIO2 to the NIO connector, with support for
the async IO implementations for HTTP/2 and Websockets. The
<code>useAsyncIO</code> boolean attribute on the Connector element
allows enabling use of the asynchronous IO API. (remm)
</add>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<fix>
Ensure that the correct files are included in the source distribution
for javacc based parsers depending on whether jjtree is used or not.
(markt)
</fix>
<fix>
Ensure that text files in the source distribution have the correct line
endings for the target platform. (markt)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 9.0.18 (markt)" rtext="not released">
<subsection name="Catalina">
<changelog>
<fix>
<bug>63196</bug>: Provide a default (<code>X-Forwarded-Proto</code>) for
the <code>protocolHeader</code> attribute of the
<code>RemoteIpFilter</code> and <code>RemoteIpValve</code>. (markt)
</fix>
<fix>
<bug>63235</bug>: Refactor Charset cache to reduce start time. (markt)
</fix>
<fix>
<bug>63249</bug>: Use a consistent log level (<code>WARN</code>) when
logging the failure to register or deregister a JMX Bean. (markt)
</fix>
<fix>
<bug>63249</bug>: Use a consistent log level (<code>ERROR</code>) when
logging the <code>LifecycleException</code> associated with the failure
to start or stop a component. (markt)
</fix>
<fix>
When the SSI directive <code>fsize</code> is used with an invalid
target, return a file size of <code>-</code> rather than
<code>1k</code>. (markt)
</fix>
<fix>
<bug>63251</bug>: Implement a work-around for a known JRE bug (<a
href="https://bugs.openjdk.java.net/browse/JDK-8194653">JDK-8194653</a>)
that may cause a dead-lock when Tomcat starts. (markt)
</fix>
<fix>
<bug>63275</bug>: When using a <code>RequestDispatcher</code> ensure
that <code>HttpServletRequest.getContextPath()</code> returns an encoded
path in the dispatched request. (markt)
</fix>
<update>
Add optional listeners for Server/Listener, as a slight variant of
a standard listener. The difference is that loading is not fatal when
it fails. This would allow adding example configuration to the standard
server.xml if deemed useful. Storeconfig will not attempt to persist
the new listener. (remm)
</update>
<fix>
<bug>63286</bug>: Document the differences in behaviour between the
<code>LogFormat</code> directive in httpd and the <code>pattern</code>
attribute in the <code>AccessLogValve</code> for <code>%D</code> and
<code>%T</code>. (markt)
</fix>
<fix>
<bug>63287</bug>: Make logging levels more consistent for similar issues
of similar severity. (markt)
</fix>
<fix>
<bug>63311</bug>: Add support for https URLs to the local resolver within
Tomcat used to resolve standard XML DTDs and schemas when Tomcat is
configured to validate XML configuration files such as web.xml. (markt)
</fix>
<fix>
Encode the output of the SSI <code>printenv</code> command. This is the
fix for CVE-2019-0221. (markt)
</fix>
<scode>
Use constants for SSI encoding values. (markt)
</scode>
<add>
When the CGI Servlet is configured with
<code>enableCmdLineArguments</code> set to true, limit the encoded form
of the individual command line arguments to those values allowed by RFC
3875. This restriction may be relaxed by the use of the new
initialisation parameter <code>cmdLineArgumentsEncoded</code>. (markt)
</add>
<add>
When the CGI Servlet is configured with
<code>enableCmdLineArguments</code> set to true, limit the decoded form
of the individual command line arguments to known safe values when
running on Windows. This restriction may be relaxed by the use of the
new initialisation parameter <code>cmdLineArgumentsDecoded</code>. This
is the fix for CVE-2019-0232. (markt)
</add>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Fix bad interaction between NIO2 async read API and the regular read.
(remm)
</fix>
<fix>
Refactor NIO2 write pending strategy for the classic IO API. (remm)
</fix>
<fix>
Restore original maxConnections default for NIO2 as the underlying
close issues have been fixed. (remm)
</fix>
<fix>
Harmonize NIO2 isReadyForWrite with isReadyForRead code. (remm)
</fix>
<fix>
When using a JSSE TLS connector that supported ALPN (Java 9 onwards) and
a protocol was not negotiated, Tomcat failed to fallback to HTTP/1.1 and
instead dropped the connection. (markt)
</fix>
<fix>
Correct a regression in the TLS connector refactoring in Tomcat 9.0.17
that prevented the use of PKCS#8 private keys with OpenSSL based
connectors. (markt)
</fix>
<fix>
Fix NIO2 SSL edge cases. (remm)
</fix>
<fix>
When performing an upgrade from HTTP/1.1 to HTTP/2, ensure that any
query string present in the original HTTP/1.1 request is passed to the
HTTP/2 request processing. (markt)
</fix>
<fix>
When Tomcat writes a final response without reading all of an HTTP/2
request, reset the stream to inform the client that the remaining
request body is not required. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<add>
Add support for specifying Java 11 (with the value <code>11</code>) as
the compiler source and/or compiler target for JSP compilation. (markt)
</add>
<add>
Add support for specifying Java 12 (with the value <code>12</code>) and
Java 13 (with the value <code>13</code>) as the compiler source and/or
compiler target for JSP compilation. If used with an ECJ version that
does not support these values, a warning will be logged and the latest
supported version will be used. Based on a patch by Thomas Collignon.
(markt)
</add>
</changelog>
</subsection>
<subsection name="Web applications">
<changelog>
<fix>
<bug>63184</bug>: Expand the SSI documentation to provide more
information on the supported directives and their attributes. Patch
provided by nightwatchcyber. (markt)
</fix>
<add>
Add a note to the documentation about the risk of DoS with poorly
written regular expressions and the <code>RewriteValve</code>. Patch
provided by salgattas. (markt)
</add>
</changelog>
</subsection>
<subsection name="jdbc-pool">
<changelog>
<fix>
Improved maxAge handling. Add support for age check on idle connections.
A connection that has expired is reconnected rather than closed. Patch provided
by toby1984. (kfujino)
</fix>
<fix>
<bug>63320</bug>: Ensure that <code>StatementCache</code> caches
statements that include arrays in arguments. (kfujino)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<update>
Update to the Eclipse JDT compiler 4.10. (markt)
</update>
<add>
Expand the coverage and quality of the Spanish translations provided
with Apache Tomcat. Includes contributions by Ulises Gonzalez Horta.
(markt)
</add>
<add>
Expand the coverage and quality of the Czech translations provided
with Apache Tomcat. Includes contributions by Arnošt Havelka. (markt)
</add>
<add>
Expand the coverage and quality of the Chinese translations provided
with Apache Tomcat. Includes contributions by winsonzhao and wjt.
(markt)
</add>
<add>
Expand the coverage and quality of the Russian translations provided
with Apache Tomcat. (kkolinko)
</add>
<add>
Expand the coverage and quality of the Japanese translations provided
with Apache Tomcat. (kfujino)
</add>
<add>
Expand the coverage and quality of the Korean translations provided
with Apache Tomcat. (woonsan)
</add>
<add>
Expand the coverage and quality of the German translations provided
with Apache Tomcat. (fschumacher)
</add>
<add>
Expand the coverage and quality of the French translations provided
with Apache Tomcat. (remm)
</add>
</changelog>
</subsection>
</section>
<section name="Tomcat 9.0.17 (markt)" rtext="2019-03-18">
<subsection name="Catalina">
<changelog>
<fix>
Refactor how cookies are transferred from the base request to a
<code>PushBuilder</code> so that they are accessible, and may be edited,
via the standard <code>PushBuilder</code> methods for working with HTTP
headers. (markt)
</fix>
<update>
Simplify the value of <code>jarsToSkip</code> property in
<code>catalina.properties</code> file for tomcat-i18n jar files.
Use prefix pattern instead of listing each language. (kkolinko)
</update>
<fix>
Restore the getter and setter for the access log valve attribute
<code>maxLogMessageBufferSize</code> that were accidentally removed.
(markt)
</fix>
<add>
<bug>63206</bug>: Add a new attribute to <code>Context</code> -