<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!DOCTYPE document [
<!ENTITY project SYSTEM "project.xml">
]>
<?xml-stylesheet type="text/xsl" href="tomcat-docs.xsl"?>
<document url="changelog.html">
&project;
<properties>
<title>Changelog</title>
<no-comments />
</properties>
<body>
<!--
Subsection ordering:
General, Catalina, Coyote, Jasper, Cluster, WebSocket, Web applications,
Extras, Tribes, jdbc-pool, Other
Item Ordering:
Fixes having an issue number are sorted by their number, ascending.
There is no ordering by add/update/fix/scode.
Other fixed issues are added to the end of the list, chronologically.
They eventually become mixed with the numbered issues. (I.e., numbered
issues do not "pop up" wrt. others).
-->
<section name="Tomcat 9.0.12 (markt)" rtext="in development">
<subsection name="Catalina">
<changelog>
<fix>
Improve the handling of path parameters when working with
RequestDispatcher objects. (markt)
</fix>
<fix>
<bug>62664</bug>: Process requests with content type
<code>multipart/form-data</code> to servlets with a
<code>@MultipartConfig</code> annotation regardless of HTTP method.
(markt)
</fix>
<fix>
<bug>62669</bug>: When using the SSIFilter and a resource does not
specify a content type, do not force the content type to
<code>application/x-octet-stream</code>. (markt)
</fix>
<fix>
<bug>62670</bug>: Adjust the memory leak protection for the
<code>DriverManager</code> so that JDBC drivers located in
<code>$CATALINA_HOME/lib</code> and <code>$CATALINA_BASE/lib</code> are
loaded via the service loader mechanism when the protection is enabled.
(markt)
</fix>
<fix>
<bug>62667</bug>: Add recursion to rewrite substitution parsing. (remm)
</fix>
<fix>
When generating a redirect to a directory in the Default Servlet, avoid
generating a protocol relative redirect. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Fix potential deadlocks when using asynchronous Servlet processing with
HTTP/2 connectors. (markt)
</fix>
<fix>
<bug>62620</bug>: Fix corruption of response bodies when writing large
bodies using asynchronous processing over HTTP/2. (markt)
</fix>
<fix>
<bug>62628</bug>: Additional fixes for output corruption of response
bodies when writing large bodies using asynchronous processing over
HTTP/2. (markt)
</fix>
<scode>
Support for Netware in the <code>org.apache.tomcat.jni</code> package
has been removed as there has not been a supported Netware platform for
a number of years. (markt)
</scode>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<fix>
Correct the JSP version in the X-PoweredBy HTTP header generated when
the xpoweredBy option is enabled. (markt)
</fix>
<fix>
<bug>62662</bug>: Fix the corruption of web.xml output during JSP
compilation caused by the fix for <bug>53492</bug>. Patch provided by
Bernhard Frauendienst. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Web applications">
<changelog>
<add>
Expand the information in the documentation web application regarding
the use of <code>CATALINA_HOME</code> and <code>CATALINA_BASE</code>.
Patch provided by Marek Czernek. (markt)
</add>
<fix>
<bug>62652</bug>: Make it clearer that the version of DBCP that is
packaged in Tomcat 9.0.x is DBCP 2. Correct the names of some DBCP 2
configuration attributes that changed between 1.x and 2.x. (markt)
</fix>
<add>
<bug>62666</bug>: Expand internationalisation support in the Manager
application to include the server status page and provide Russian
translations in addition to English. Patch provided by Artem Chebykin.
(markt)
</add>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<fix>
Switch the build script to use http for downloads from an ASF mirror
using the closer.lua script to avoid failures due to HTTPS to HTTP
redirects. (rjung)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 9.0.11 (markt)" rtext="2018-08-17">
<subsection name="Catalina">
<changelog>
<add>
Make the <code>isLocked()</code> method of the <code>LockOutRealm</code>
public and expose the method via JMX. (markt)
</add>
<add>
<bug>53387</bug>: Add support for regular expression capture groups to
the SSI servlet and filter. (markt)
</add>
<fix>
<bug>53411</bug>: Improve the handling of HTTP requests that do not
explicitly specify a host name when no default host is configured. Also
improve the tracking of changes to the default host as hosts are added
and removed while Tomcat is running. (markt)
</fix>
<fix>
Ensure that the HTTP Vary header is set correctly when using the CORS
filter and improve the cacheability of requests that pass through the
CORS filter. (markt)
</fix>
<fix>
<bug>62527</bug>: Revert restriction of JNDI to the <code>java:</code>
namespace. (remm)
</fix>
<add>
Introduce a new class - <code>MultiThrowable</code> - to report
exceptions when multiple actions are taken where each action may throw
an exception but all actions are taken before any errors are reported.
Use this new class when reporting multiple container (e.g. web
application) failures during start. (markt)
</add>
<fix>
Correctly decode URL paths (<code>+</code> should not be decoded to a
space in the path) in the <code>RequestDispatcher</code> and the web
application class loader. (markt)
</fix>
<add>
Make logout more robust if JASPIC subject is unexpectedly unavailable.
(markt)
</add>
<fix>
<bug>62547</bug>: JASPIC <code>cleanSubject()</code> was not called on
logout when the authenticator was configured to cache the authenticated
Principal. Patch provided by Guillermo González de Agüero. (markt)
</fix>
<add>
<bug>62559</bug>: Add <code>jaxb-*.jar</code> to the list of JARs
ignored by <code>StandardJarScanner</code>. (markt)
</add>
<add>
<bug>62560</bug>: Add <code>oraclepki.jar</code> to the list of JARs
ignored by <code>StandardJarScanner</code>. (markt)
</add>
<add>
<bug>62607</bug>: Return a non-zero exit code from
<code>catalina.[bat|sh] run</code> if Tomcat fails to start. (markt)
</add>
<fix>
Use short circuit logic to prevent potential NPE in CorsFilter. (fschumacher)
</fix>
<scode>
Simplify construction of appName from container name in JAASRealm. (fschumacher)
</scode>
<scode>
Remove <code>ServletException</code> from declaration of
<code>Tomcat.addWebapp(String,String)</code> since it is never thrown.
Patch provided by Tzafrir. (markt)
</scode>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<scode>
Refactor HTTP date creation and parsing to reduce code duplication,
reduce the use of ThreadLocals and to increase the use of caching.
(markt)
</scode>
<fix>
<bug>56676</bug>: Add a default location for the native library, as
${catalina.home}/bin, which the testsuite already uses. (remm)
</fix>
<update>
<bug>60560</bug>: Add support for using an inherited channel to
the NIO connector. Based on a patch submitted by Thomas Meyer with
testing and suggestions by Coty Sutherland. (remm)
</update>
<fix>
<bug>62507</bug>: Ensure that JSSE based TLS connectors work correctly
with a DKS keystore. (markt)
</fix>
<fix>
Refactor code that adds an additional header name to the
<code>Vary</code> HTTP response header to use a common utility method
that addresses several additional edge cases. (markt)
</fix>
<fix>
<bug>62515</bug>: When a connector is configured (via setting
<code>bindOnInit</code> to <code>false</code>) to bind/unbind the server
socket during start/stop, close the socket earlier in the stop process
so new connections do not sit in the TCP backlog during the shutdown
process only to be dropped as stop completes. In this scenario new
connections will now be refused immediately. (markt)
</fix>
<fix>
<bug>62526</bug>: Correctly handle PKCS12 format key stores when the key
store password is configured to be the empty string. (markt)
</fix>
<fix>
<bug>62605</bug>: Ensure <code>ReadListener.onDataAvailable()</code> is
called when the initial request body data arrives after the request
headers when using asynchronous processing over HTTP/2. (markt)
</fix>
<fix>
<bug>62614</bug>: Ensure that
<code>WriteListener.onWritePossible()</code> is called after
<code>isReady()</code> returns <code>false</code> and the window size is
subsequently incremented when using asynchronous processing over HTTP/2.
(markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<add>
<bug>53492</bug>: Make the Java file generation process multi-threaded.
By default, one thread will be used per core. Based on a patch by Dan
Fabulich. (markt)
</add>
<add>
<bug>62453</bug>: Add a performance optimisation for using expressions
in tags that depend on uninitialised tag attributes with implied scope.
Generally, using an explicit scope with tag attributes in EL is the best
way to avoid various potential performance issues. (markt)
</add>
<fix>
Correctly decode URL paths (<code>+</code> should not be decoded to a
space in the path) in the Jasper class loader. (markt)
</fix>
<fix>
<bug>62603</bug>: Fix a potential race condition when development mode
is disabled and background compilation checks are enabled. It was
possible that some updates would not take effect and/or
<code>ClassNotFoundException</code>s would occur. (markt)
</fix>
</changelog>
</subsection>
<subsection name="WebSocket">
<changelog>
<fix>
<bug>62596</bug>: Remove the limit on the size of the initial HTTP
upgrade request used to establish the web socket connection. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Web applications">
<changelog>
<add>
<bug>62558</bug>: Add Russian translations for the Manager and Host
Manager web applications. Based on a patch by Ivan Krasnov. (markt)
</add>
<add>
Add documents for Static Membership service. (kfujino)
</add>
<add>
<bug>62561</bug>: Add advanced class loader configuration information
regarding the use of the Server and Shared class loaders to the
documentation web application. (markt)
</add>
</changelog>
</subsection>
<subsection name="Tribes">
<changelog>
<fix>
Ensure that the specified <code>rxBufSize</code> is correctly set as the
receiver buffer size. (kfujino)
</fix>
<fix>
Correct the stop order of the Channel components. It stops in the
reverse order to that at startup. (kfujino)
</fix>
<add>
Added new StaticMembership implementation. This implementation does not
require any additional configuration of other
<code>ChannelInterceptors</code>. It works only with membership service.
(kfujino)
</add>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<update>
Support building with Java 9+ while preserving the Java 8 compatibility
at runtime (requires Ant 1.9.8 or later). (ebourg)
</update>
<update>
Update WSDL4J library to version 1.6.3 (from 1.6.2). (kkolinko)
</update>
<update>
Update JUnit library to version 4.12 (from 4.11). (kkolinko)
</update>
<update>
Downgrade CGLib library used for testing with EasyMock to version
2.2.2 (from 2.2.3) as version 2.2.3 is not available from Maven Central.
(markt)
</update>
<add>
Implement checksum checks when downloading dependencies that are used
to build Tomcat. (kkolinko)
</add>
<fix>
Fixed spelling. Patch provided by Jimmy Casey via GitHub. (violetagg)
</fix>
<update>
Update the internal fork of Apache Commons Pool 2 to 3e02523
(2018-08-09) to pick up some bug fixes and enhancements. (markt)
</update>
<update>
Update the internal fork of Apache Commons DBCP 2 to abc0484
(2018-08-09) to pick up some bug fixes and enhancements. (markt)
</update>
<fix>
Correct various spelling errors throughout the source code and
documentation. Patch provided by Kazuhiro Sera. (markt)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 9.0.10 (markt)" rtext="2018-06-25">
<subsection name="Catalina">
<changelog>
<fix>
<bug>62476</bug>: Use GMT timezone for the value of
<code>Expires</code> header as required by HTTP specification
(RFC 7231, 7234). (kkolinko)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 9.0.9 (markt)" rtext="not released">
<subsection name="Catalina">
<changelog>
<fix>
Treat the <code>&lt;mapped-name&gt;</code> element of a
<code>&lt;env-entry&gt;</code> in web.xml in the same way as the
<code>mappedName</code> element of the equivalent <code>@Resource</code>
annotation. Both now attempt to set the <code>mappedName</code> property
of the resource. (markt)
</fix>
<fix>
Correct the processing of resources with
<code>&lt;injection-target&gt;</code>s defined in web.xml. First look
for a match using JavaBean property names and then, only if a match is
not found, look for a match using fields. (markt)
</fix>
<fix>
When restoring a saved request with a request body after FORM
authentication, ensure that calls to the <code>HttpServletRequest</code>
methods <code>getRequestURI()</code>, <code>getQueryString()</code> and
<code>getProtocol()</code> are not corrupted by the processing of the
saved request body. (markt)
</fix>
<fix>
JNDI resources that are defined with injection targets but no value are
now treated as if the resource is not defined. (markt)
</fix>
<fix>
Ensure that JNDI names used for <code>&lt;lookup-name&gt;</code> entries
in web.xml and for <code>lookup</code> elements of
<code>@Resource</code> annotations specify a name with an explicit
<code>java:</code> namespace. (markt)
</fix>
<fix>
<bug>50019</bug>: Add support for <code>&lt;lookup-name&gt;</code>.
Based on a patch by Gurkan Erdogdu. (markt)
</fix>
<add>
Add the <code>AuthenticatedUserRealm</code> for use with CLIENT-CERT and
SPNEGO when just the authenticated user name is required. (markt)
</add>
<fix>
<bug>50175</bug>: Add a new attribute to the standard context
implementation, <code>skipMemoryLeakChecksOnJvmShutdown</code>, that
allows the user to configure Tomcat to skip the memory leak checks
usually performed during web application stop if that stop is triggered
by a JVM shutdown. (markt)
</fix>
<add>
<bug>51497</bug>: Add an option, <code>ipv6Canonical</code>, to the
<code>AccessLogValve</code> that causes IPv6 addresses to be output in
canonical form defined by RFC 5952. (ognjen/markt)
</add>
<add>
<bug>51953</bug>: Add the <code>RemoteCIDRFilter</code> and
<code>RemoteCIDRValve</code> that can be used to allow/deny requests
based on IPv4 and/or IPv6 client address where the IP ranges are defined
using CIDR notation. Based on a patch by Francis Galiegue. (markt)
</add>
<fix>
<bug>62343</bug>: Make CORS filter defaults more secure. This is the fix
for CVE-2018-8014. (markt)
</fix>
<fix>
Ensure that the web application resources implementation does not
incorrectly cache results for resources that are only visible as class
loader resources. (markt)
</fix>
<fix>
<bug>62387</bug>: Do not log a warning message if the file based
persistent session store fails to delete the file for a session when the
session is invalidated because the file has not been created yet.
(markt)
</fix>
<fix>
Make all loggers associated with Tomcat provided Filters non-static to
ensure that log messages are not lost when a web application is
reloaded. (markt)
</fix>
<fix>
Correct the manifest for the annotations-api.jar. The JAR implements the
Common Annotations API 1.3 and the manifest should reflect that. (markt)
</fix>
<fix>
Switch to non-static loggers where there is a possibility of a logger
becoming associated with a web application class loader causing log
messages to be lost if the web application is stopped. (markt)
</fix>
<add>
<bug>62389</bug>: Add the IPv6 loopback address to the default
<code>internalProxies</code> regular expression. Patch by Craig Andrews.
(markt)
</add>
<fix>
In the <code>RemoteIpValve</code> and <code>RemoteIpFilter</code>,
correctly handle the case when the request passes through one or more
<code>trustedProxies</code> but no <code>internalProxies</code>. Based
on a patch by zhanhb. (markt)
</fix>
<fix>
Correct the logic in <code>MBeanFactory.removeConnector()</code> to
ensure that the correct Connector is removed when there are multiple
Connectors using different addresses but the same port. (markt)
</fix>
<fix>
Make <code>JAASRealm</code> mis-configuration more obvious by requiring
the authenticated Subject to include at least one Principal of a type
specified by <code>userClassNames</code>. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Correct a regression in the error page handling that prevented error
pages from issuing redirects or taking other action that required the
response status code to be changed. (markt)
</fix>
<fix>
Consistent exception propagation for NIO2 SSL close. (remm)
</fix>
<fix>
Followup sync fix for NIO2 async IO blocking read/writes. (remm)
</fix>
<fix>
Log an error message if the AJP connector detects that the reverse proxy
is sending AJP messages that are too large for the configured
<code>packetSize</code>. (markt)
</fix>
<fix>
Relax Host validation by removing the requirement that the final
component of a FQDN must be alphabetic. (markt)
</fix>
<fix>
<bug>62371</bug>: Improve logging of Host validation failures. (markt)
</fix>
<fix>
Fix a couple of unlikely edge cases in the shutting down of the
APR/native connector. (markt)
</fix>
<fix>
Add missing handshake timeout for NIO2. (remm)
</fix>
<fix>
Correctly handle a digest authorization header when the user name
contains an escaped character. (markt)
</fix>
<fix>
Correctly handle a digest authorization header when one of the hex
field values ends the header with an invalid character. (markt)
</fix>
<fix>
Correctly handle an invalid quality value in an
<code>Accept-Language</code> header. (markt)
</fix>
<docs>
<bug>62423</bug>: Fix SSL docs CRL attribute typo. (remm)
</docs>
<fix>
Improve IPv6 validation by ensuring that IPv4-Mapped IPv6 addresses do
not contain leading zeros in the IPv4 part. Based on a patch by Katya
Stoycheva. (markt)
</fix>
<fix>
Fix <code>NullPointerException</code> thrown from <code>
replaceSystemProperties()</code> when trying to log messages. (csutherl)
</fix>
<fix>
Avoid unnecessary processing of async timeouts. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<add>
<bug>50234</bug>: Add the capability to generate a web-fragment.xml file
to JspC. (markt)
</add>
<fix>
<bug>62080</bug>: Ensure that all reads of the current thread's context
class loader made by the UEL API and implementation are performed via a
<code>PrivilegedAction</code> to ensure that a
<code>SecurityException</code> is not triggered when running under a
<code>SecurityManager</code>. (markt)
</fix>
<fix>
<bug>62350</bug>: Refactor
<code>org.apache.jasper.runtime.BodyContentImpl</code> so a
<code>SecurityException</code> is not thrown when running under a
SecurityManager and additional permissions are not required in the
<code>catalina.policy</code> file. This is a follow-up to the fix for
<bug>43925</bug>. (kkolinko/markt)
</fix>
<fix>
Enable JspC from Tomcat 9 to work with Maven JspC compiler plug-ins
written for Tomcat 8.5.x. Patch provided by Pavel Cibulka. (markt)
</fix>
<fix>
Update web.xml, web-fragment.xml and web.xml extracts generated by JspC
to use the Servlet 4.0 version of the relevant schemas. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Cluster">
<changelog>
<fix>
Remove duplicate calls when creating a replicated session to reduce the
time taken to create the session and thereby reduce the chances of a
subsequent session update message being ignored because the session does
not yet exist. (markt)
</fix>
<add>
Add the method to send a message with a specified sendOptions. (kfujino)
</add>
<fix>
When sending the <code>GET_ALL_SESSIONS</code> message, make sure that
it is sent with the asynchronous option in order to avoid an ack timeout. Waiting to
receive the <code>ALL_SESSION_DATA</code> message should be done with
<code>waitForSendAllSessions</code> instead of ACK. (kfujino)
</fix>
</changelog>
</subsection>
<subsection name="WebSocket">
<changelog>
<update>
Use NIO2 API for websockets writes. (remm)
</update>
<fix>
When decoding of path parameter failed, make sure to throw
<code>DecodeException</code> instead of throwing
<code>ArrayIndexOutOfBoundsException</code>. (kfujino)
</fix>
<fix>
Improve the handling of exceptions during TLS handshakes for the
WebSocket client. (markt)
</fix>
<fix>
Enable host name verification when using TLS with the WebSocket client.
(markt)
</fix>
</changelog>
</subsection>
<subsection name="Web applications">
<changelog>
<fix>
<bug>62395</bug>: Clarify the meaning of the connector attribute
<code>minSpareThreads</code> in the documentation web application.
(markt)
</fix>
<fix>
Correct the documentation for the <code>allowHostHeaderMismatch</code>
attribute of the standard HTTP Connector implementations. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Tribes">
<changelog>
<fix>
Ensure that the correct default value is returned when retrieving unset
properties in <code>McastService</code>. (kfujino)
</fix>
<add>
Make <code>MembershipService</code> more easily extensible. (kfujino)
</add>
</changelog>
</subsection>
<subsection name="jdbc-pool">
<changelog>
<fix>
When <code>logValidationErrors</code> is set to true, the connection
validation error is logged as <code>SEVERE</code> instead of
<code>WARNING</code>. (kfujino)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<fix>
Ensure that Apache Tomcat may be built from source with Java 11. (markt)
</fix>
<add>
<bug>52381</bug>: Add OSGi metadata to JAR files. (markt)
</add>
<fix>
<bug>62391</bug>: Remove references to <code>javaw.exe</code> as this
file is not required by Tomcat and the references prevent the use of the
Server JRE. (markt)
</fix>
<update>
Update the packaged version of the Tomcat Native Library to 1.2.17 to
pick up the latest Windows binaries built with APR 1.6.3 and OpenSSL
1.0.2o. (markt)
</update>
<update>
<bug>62458</bug>: Update the internal fork of Commons Pool 2 to dfef97b
(2018-06-18) to pick up some bug fixes and enhancements. (markt)
</update>
<update>
Update the internal fork of Commons DBCP 2 to 2.4.0. (markt)
</update>
</changelog>
</subsection>
</section>
<section name="Tomcat 9.0.8 (markt)" rtext="2018-05-03">
<subsection name="Catalina">
<changelog>
<fix>
<bug>62263</bug>: Avoid a <code>NullPointerException</code> when the
<code>RemoteIpValve</code> processes a request for which no Context can
be found. (markt)
</fix>
<add>
<bug>62258</bug>: Don't trigger the standard error page mechanism when
the error has caused the connection to the client to be closed as no-one
will ever see the error page. (markt)
</add>
<fix>
Register MBean when DataSource Resource <code>
type="javax.sql.XADataSource"</code>. Patch provided by Masafumi Miura.
(csutherl)
</fix>
<fix>
Fix a rare edge case that is unlikely to occur in real usage. This edge
case meant that writing long streams of UTF-8 characters to the HTTP
response that consisted almost entirely of surrogate pairs could result
in one surrogate pair being dropped. (markt)
</fix>
<add>
Update the internal fork of Apache Commons BCEL to r1829827 to add early
access Java 11 support to the annotation scanning code. (markt)
</add>
<fix>
<bug>62297</bug>: Enable the <code>CrawlerSessionManagerValve</code> to
correctly handle bots that crawl multiple hosts and/or web applications
when the Valve is configured on a Host or an Engine. (fschumacher)
</fix>
<fix>
<bug>62309</bug>: Fix a <code>SecurityException</code> when using JASPIC
under a <code>SecurityManager</code> when authentication is not
mandatory. (markt)
</fix>
<fix>
<bug>62329</bug>: Correctly list resources in JAR files when directories
do not have dedicated entries. Patch provided by Meelis Müür. (markt)
</fix>
<add>
Collapse multiple leading <code>/</code> characters to a single
<code>/</code> in the return value of
<code>HttpServletRequest#getContextPath()</code> to avoid issues if the
value is used with <code>HttpServletResponse#sendRedirect()</code>. This
behaviour is enabled by default and configurable via the new Context
attribute <code>allowMultipleLeadingForwardSlashInPath</code>. (markt)
</add>
<fix>
Improve handling of overflow in the UTF-8 decoder with supplementary
characters. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Correct off-by-one error in thread pool that allowed thread pools to
increase in size to one more than the configured limit. Patch provided
by usc. (markt)
</fix>
<fix>
Prevent unexpected TLS handshake failures caused by errors during a
previous handshake that were not correctly cleaned-up when using the NIO
or NIO2 connector with the <code>OpenSSLImplementation</code>. (markt)
</fix>
<add>
<bug>62273</bug>: Implement configuration options to work-around
specification non-compliant user agents (including all the major
browsers) that do not correctly %nn encode URI paths and query strings
as required by RFC 7230 and RFC 3986. (markt)
</add>
<fix>
Fix sync for NIO2 async IO blocking read/writes. (remm)
</fix>
</changelog>
</subsection>
<subsection name="Jasper">
<changelog>
<update>
Update the Eclipse Compiler for Java to 4.7.3a. (markt)
</update>
<update>
Allow <code>9</code> to be used to specify Java 9 as the compiler source
and/or compiler target for JSP compilation. The Early Access value of
<code>1.9</code> is still supported. (markt)
</update>
<add>
Add support for specifying Java 10 (with the value <code>10</code>) as
the compiler source and/or compiler target for JSP compilation. (markt)
</add>
<fix>
<bug>62287</bug>: Do not rely on hash codes to test instances of
<code>ValueExpressionImpl</code> for equality. Patch provided by Mark
Struberg. (markt)
</fix>
</changelog>
</subsection>
<subsection name="WebSocket">
<changelog>
<fix>
<bug>62301</bug>: Correct a regression in the fix for <bug>61491</bug>
that didn't correctly handle a final empty message part in all
circumstances when using <code>PerMessageDeflate</code>. (markt)
</fix>
<fix>
<bug>62332</bug>: Ensure WebSocket connections are closed after an I/O
error is experienced reading from the client. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<fix>
Avoid warning when running under Cygwin when the
<code>JAVA_ENDORSED_DIRS</code> environment variable is not set. Patch
provided by Zemian Deng. (markt)
</fix>
</changelog>
</subsection>
</section>
<section name="Tomcat 9.0.7 (markt)" rtext="2018-04-07">
<subsection name="Catalina">
<changelog>
<fix>
<bug>51195</bug>: Avoid a false positive report of a web application
memory leak by clearing <code>ObjectStreamClass$Caches</code> of classes
loaded by the web application when the web application is stopped.
(markt)
</fix>
<fix>
<bug>52688</bug>: Add support for the <code>maxDays</code> attribute to
the <code>AccessLogValve</code> and <code>ExtendedAccessLogValve</code>.
This allows the maximum number of days for which rotated access logs
should be retained before deletion to be defined. (markt)
</fix>
<fix>
Ensure the MBean names for the <code>SSLHostConfig</code> and
<code>SSLHostConfigCertificate</code> are correctly formed when the
<code>Connector</code> is bound to a specific IP address. (markt)
</fix>
<fix>
<bug>62168</bug>: When using the <code>PersistentManager</code> honor a
value of <code>-1</code> for <code>minIdleSwap</code> and do not swap
out sessions to keep the number of active sessions under
<code>maxActive</code>. Patch provided by Holger Sunke. (markt)
</fix>
<fix>
<bug>62172</bug>: Improve Javadoc for
<code>org.apache.catalina.startup.Constants</code> and ensure that the
constants are correctly used. (markt)
</fix>
<fix>
<bug>62175</bug>: Avoid infinite recursion when trying to validate
a session while loading it with <code>PersistentManager</code>.
(fschumacher)
</fix>
<fix>
Ensure that <code>NamingContextListener</code> instances are only
notified once of property changes on the associated naming resources.
(markt)
</fix>
<add>
<bug>62224</bug>: Disable the <code>forkJoinCommonPoolProtection</code>
of the <code>JreMemoryLeakPreventionListener</code> when running on Java
9 and above since the underlying JRE bug has been fixed. (markt)
</add>
</changelog>
</subsection>
<subsection name="Coyote">
<changelog>
<fix>
Avoid potential loop in APR/Native poller. (markt)
</fix>
<fix>
Ensure streams that are received but not processed are excluded from the
tracking of maximum ID of processed streams. (markt)
</fix>
<fix>
Refactor the check for a paused connector to consistently prevent new
streams from being created after the connector has been paused. (markt)
</fix>
<fix>
Improve debug logging for HTTP/2 pushed streams. (markt)
</fix>
<fix>
The OpenSSL engine SSL session will now ignore invalid accesses. (remm)
</fix>
<fix>
<bug>62177</bug>: Correct two protocol errors with HTTP/2
<code>PUSH_PROMISE</code> frames. Firstly, the HTTP/2 protocol only
permits pushes to be sent on peer initiated requests. Secondly, pushes
must be sent in order of increasing stream ID. These restrictions were
not being enforced, leading to protocol errors at the client. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Web applications">
<changelog>
<add>
Add documentation for <code>FragmentationInterceptor</code>. (kfujino)
</add>
<add>
Document how the roles for an authenticated user are determined when the
<code>CombinedRealm</code> is used. (markt)
</add>
<fix>
<bug>62163</bug>: Correct the Tomcat Setup documentation that
incorrectly referred to Java 7 as the minimum version rather than Java
8. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Tribes">
<changelog>
<fix>
Add JMX support for <code>FragmentationInterceptor</code> in order to
prevent a warning at startup. (kfujino)
</fix>
</changelog>
</subsection>
<subsection name="jdbc-pool">
<changelog>
<fix>
Ensure that <code>SQLWarning</code> has been cleared when a connection
returns to the pool. (kfujino)
</fix>
<add>
Enable clearing of <code>SQLWarning</code> via JMX. (kfujino)
</add>
<fix>
Ensure that parameters have been cleared when
<code>PreparedStatement</code> and/or <code>CallableStatement</code> are
cached. (kfujino)
</fix>
<fix>
Enable PoolCleaner to be started even if <code>validationQuery</code>
is not set. (kfujino)
</fix>
</changelog>
</subsection>
<subsection name="Other">
<changelog>
<update>
Update the build script so MD5 hashes are no longer generated for
releases as per the change in the ASF distribution policy. (markt)
</update>
<fix>
<bug>62164</bug>: Switch the build script to use TLS for downloads from
SourceForge and Maven Central to avoid failures due to HTTP to HTTPS
redirects. (markt)
</fix>
<add>
Always report the OS's umask when launching the JVM. (schultz)
</add>
<add>
Add managed connections package to the package renamed DBCP 2 to provide
a complete DBCP 2 in Tomcat. (remm)
</add>
</changelog>
</subsection>
</section>
<section name="Tomcat 9.0.6 (markt)" rtext="2018-03-08">
<subsection name="Catalina">
<changelog>
<fix>
<bug>43866</bug>: Add additional attributes to the Manager to provide
control over which listeners are called when an attribute is added to
the session when it has already been added under the same name. This is
to aid clustering scenarios where <code>setAttribute()</code> is often
called to signal that the attribute value has been mutated and needs to
be replicated but it may not be required, or even desired, for the
associated listeners to be triggered. The default behaviour has not been
changed. (markt)
</fix>
<fix>
Minor optimization when calling class transformers. (rjung)
</fix>
<add>
Pass errors triggered by invalid requests or unavailable services to the
application provided error handling and/or the container provided error
handling (<code>ErrorReportValve</code>) as appropriate. (markt)
</add>
<add>
<bug>41007</bug>: Add the ability to specify static HTML responses for
specific error codes and/or exception types with the
<code>ErrorReportValve</code>. (markt)
</add>
<fix>
Prevent Tomcat from applying gzip compression to content that is already
compressed with brotli compression. Based on a patch provided by burka.
(markt)
</fix>
<fix>
<bug>62090</bug>: Null container names are not allowed. (remm)
</fix>
<fix>
<bug>62104</bug>: Fix programmatic login regression as the
NonLoginAuthenticator has to be set for it to work (if no login method
is specified). (remm)
</fix>
<fix>
<bug>62117</bug>: Improve error message in <code>catalina.sh</code> when
calling <code>kill -0 &lt;pid&gt;</code> fails. Based on a suggestion
from Mark Morschhaeuser. (markt)
</fix>
<fix>
<bug>62118</bug>: Correctly create a JNDI <code>ServiceRef</code> using
the specified interface rather than the concrete type. Based on a
suggestion by Ángel Álvarez Páscua. (markt)