| Links User Guide Reference Apache Tomcat Development | Apache Tomcat 6.0Changelog| Tomcat 6.0.51 (violetagg) | released 2017-03-16 |  | 
  | Jasper |  | 
    
      |  | 60613: Refactor code generated for JSPs to reduce the
        size of the code required for tags. (markt) |  | 
 | Other |  | 
    
      |  | Change Realm configuration in the default conf/server.xmlfile to use aorg.apache.catalina.realm.LockOutRealm.
        TheLockOutRealmis available since 6.0.19, but has
        not been configured by default. (kkolinko) |  |  | Update the packaged version of the Tomcat Native Library to 1.2.12 to
        pick up the latest Windows binaries built with OpenSSL 1.0.2k. (violetagg) |  |  | Update the NSIS Installer used to build the Windows installer to version
        3.01. (markt) |  |  | Refactor the build script and the NSIS installer script so that either
        NSIS 2.x or NSIS 3.x can be used to build the installer. This is
        primarily to re-enable building the installer on the Linux based CI
        system where the combination of NSIS 3.x and wine leads to failed
        installer builds. (markt) |  | 
 | 
 | Tomcat 6.0.49 (violetagg) | not released |  | 
  | Coyote |  | 
    
      |  | 57799: Remove useless sendfile check for NIO SSL. (remm) |  |  | 60409: When unable to complete sendfile request, ensure the
        Processor will be added to the cache only once. (markt/violetagg) |  | 
 | Jasper |  | 
    
      |  | 44294: Add support for varargs in UEL expressions. (markt) |  |  | 60356: Fix pre-compilation of JSPs that depend on nested tag
        files packaged in a JAR. (markt) |  |  | 60431: Improve handling of varargs in UEL expressions. Based
        on a patch by Ben Wolfe. (markt) |  |  | 60497: Restore previous tag reuse behavior following the use
        of try/finally. (remm) |  |  | Improve the error handling for simple tags to ensure that the tag is
        released and destroyed once used. (remm) |  |  | 60497: Follow up fix using a better variable name for the
        tag reuse flag. (remm) |  |  | Revert use of try/finally for simple tags. (remm) |  | 
 | Web applications |  | 
    
      |  | Correct a typo in Host Configuration Reference.
        Issue reported via comments.apache.org. (violetagg) |  |  | In the documentation web application, be explicit that clustering
        requires a secure network for all of the cluster network traffic.
        (markt) |  |  | Update the ASF logos to the new versions. (markt) |  | 
 | Other |  | 
    
      |  | Update the ASF logos used in the Apache Tomcat installer for Windows to
        use the new versions. (markt) |  | 
 | 
 | Tomcat 6.0.48 (violetagg) | released 2016-11-15 |  | 
  | Catalina |  | 
    
      |  | Correctly test for control characters when reading the provided shutdown
        password. (markt) |  |  | When configuring the JMX remote listener, specify the allowed types for
        the credentials. (markt) |  | 
 | Coyote |  | 
    
      |  | Correct the HTTP header parser so that DEL is not treated as a valid
        token character. (markt) |  |  | Add additional checks for valid characters to the HTTP request line
        parsing so invalid request lines are rejected sooner. (markt) |  | 
 | Web applications |  | 
    
      |  | Correct a typo in CGI How-To.
        Issue reported via comments.apache.org. (violetagg) |  | 
 | Extras |  | 
    
      |  | 55017: Add the ability to configure the RMI bind address when
        using the JMX remote listener. Patch provided by Alexey Noskov. (markt) |  |  | 56039: Enable the JmxRemoteLifecycleListener to work over
        SSL. Patch by esengstrom. (markt) |  |  | 56096: When the attribute rmiBindAddressof the
        JMX Remote Lifecycle Listener is specified it's value will be used when
        constructing the address of a JMX API connector server. Patch is
        provided by Jim Talbut. (markt) |  |  | 57377: Remove the restriction that prevented the use of SSL
        when specifying a bind address with the JMXRemoteLifecycleListener. Also
        enable SSL to be configured for the registry as well as the server.
        (markt) |  | 
 | 
 | Tomcat 6.0.46 (violetagg) | not released |  | 
  | Catalina |  | 
    
      |  | Log a warning message if a user tries to configure the default session
        timeout via the deprecated (and ignored) Manager.setMaxInactiveInterval()method. (markt) |  |  | Correct a regression introduced in 6.0.45 where the deprecated Manager.getMaxInactiveInterval()method returned the
        current default session timeout in minutes rather than seconds. (markt) |  |  | 58486: Expand memory leak protection to include additional
        issues identified related to XML parsing. (markt) |  |  | 59123: Close NamingEnumerationobjects used by
        theJNDIRealmonce they are no longer required.
        (fschumacher/markt) |  |  | 59138: Correct a false positive warning for ThreadLocal
        related memory leaks when the key class but not the value class has been
        loaded by the web application class loader. (markt) |  |  | 59269: Correct the implementation of PersistentManagerBaseso thatminIdleSwapfunctions as designed and sessions are swapped out to keep the active
        session count belowmaxActiveSessions. (markt) |  |  | 59247: Preload ResourceEntry as a workaround for security
        manager issues on some JVMs. (kkolinko/remm) |  |  | 59310: Do not add a Content-Length: 0header for
        custom responses toHEADrequests that do not set aContent-Lengthvalue. (markt) |  |  | 59449: In ContainerBase, ensure that the process
        to remove a child container is the reverse of the process to add one.
        Patch provided by Huxing Zhang. (markt) |  |  | RMI Target related memory leaks are avoidable which makes them an
        application bug that needs to be fixed rather than a JRE bug to work
        around. Therefore, start logging RMI Target related memory leaks on web
        application stop. Add an option that controls if the check for these
        leaks is made. Log a warning if running on Java 9 with this check
        enabled but without the command line option it requires. (markt) |  |  | 59708: Modify the LockOutRealm logic. Valid authentication
        attempts during the lock out period will no longer reset the lock out
        timer to zero. (markt) |  |  | By default, treat paths used to obtain a request dispatcher as encoded.
        This behaviour can be changed per web application via the dispatchersUseEncodedPathsattribute of the Context.
        (markt) |  |  | Provide a mechanism that enables the container to check if a component
        (typically a web application) has been granted a given permission when
        running under a SecurityManager without the current execution stack
        having to have passed through the component. Use this new mechanism to
        extend SecurityManager protection to the system property replacement
        feature of the digester. (markt) |  |  | When retrieving an object via a ResourceLink, ensure that
        the object obtained is of the expected type. (markt) |  |  | Switch the CGI servlet to the standard logging mechanism and remove
        support for the debug attribute. (markt) |  |  | Add a new initialisation parameter, envHttpHeaders, to
        the CGI Servlet to mitigate httpoxy
        (CVE-2016-5388) by default and to provide a mechanism that can be
        used to mitigate any future, similar issues. (markt) |  |  | When adding and removing ResourceLinks dynamically, ensure
        that the global resource is only visible via theResourceLinkFactorywhen it is meant to be. (markt) |  |  | Make timing attacks against the Realm implementations harder.
        (schultz/markt) |  |  | Ensure Digester.useContextClassLoaderis considered in
        case the class loader is used. (violetagg) |  |  | 60151: Improve the exception error messages when a ResourceLinkfails to specify the type, specifies an
        unknown type or specifies the wrong type. (markt) |  |  | Correct basePackageandPrivilegedFindResourceByName
        inSecurityClassLoadso that tomcat can
        successfully start with the Security Manager enabled. (csutherl) |  |  | Improve the access checks for linked global resources to handle the case
        where the current class loader is a child of the web application class
        loader. (markt) |  | 
 | Coyote |  | 
    
      |  | 58646: Correct a problem with sendfile that resulted in a
        Processor being added to the cache twice leading to broken responses.
        (markt) |  |  | Limit the default TLS ciphers for JSSE (BIO, NIO) and OpenSSL (APR) to
        those currently considered secure. (markt) |  |  | Add a new environment variable JSSE_OPTSthat is intended
        to be used to pass JVM wide configuration to the JSSE implementation.
        The default value is-Djdk.tls.ephemeralDHKeySize=2048which protects against weak Diffie-Hellman keys. (markt) |  |  | 59451: Correct Javadoc for MessageBytes. Patch
        provided by Kyohei Nakamura. (markt) |  |  | Ensure that requests with HTTP method names that are not tokens (as
        required by RFC 7231) are rejected with a 400 response. (markt) |  |  | 59904: Add a limit (default 200) for the number of cookies
        allowed per request. Based on a patch by gehui. (markt) |  |  | 60123: Avoid potential threading issues that could cause
        excessively large vales to be returned for the processing time of
        a current request. (markt) |  | 
 | Jasper |  | 
    
      |  | Fix a memory leak in the expression language implementation that caused
        the class loader of the first web application to use expressions to be
        pinned in memory. (markt) |  |  | 59654: Enforce the requirements of section 7.3.1 of the JSP
        specification regarding the permitted locations for TLD files. Patch
        provided by Huxing Zhang. (markt) |  |  | Catch and log any Exceptions during calls toServlet.destroy()when destroying the Servlet associated
        with a JSP page. (markt) |  |  | Improve the error handling for custom tags to ensure that the tag is
        returned to the pool or released and destroyed once used. (markt) |  | 
 | Web applications |  | 
    
      |  | 58935: Remove incorrect references in the documentation to
        using jar:file:URLs with the Manager application. (markt) |  |  | Correct the description of the ServletRequest.getServerPort()in Proxy How-To.
        Issue reported via comments.apache.org. (violetagg) |  |  | Fix a potential indefinite wait in the Comet Chat servlet in the
        examples web application. (markt) |  |  | Update in the documentation the link to the maven repository where
        Tomcat snapshot artifacts are deployed. (markt/violetagg) |  |  | Clarify in the documentation that calls to ServletContext.log(String, Throwable)orGenericServlet.log(String, Throwable)are logged at the
        SEVERE level. (violetagg) |  |  | Correct a typo in SSL/TLS Configuration How-To.
        Issue reported via comments.apache.org. (violetagg) |  |  | 58891: Update the SSL how-to. Based on a suggestion by
        Alexander Kjäll. (markt) |  |  | 59642: Mention the localDataSourcein theDataSourceRealmsection of the Realm How-To. (markt) |  |  | 60034: Correct a typo in the Manager How-To page of the
        documentation web application. (markt) |  |  | Add an example of using the classesToInitializeattribute
        of theJreMemoryLeakPreventionListenerto the documentation
        web application. Based on a patch by Cris Berneburg. (markt) |  |  | 60192: Correct a typo in the status output of the Manager
        application. Patch provided by  Radhakrishna Pemmasani. (markt) |  | 
 | Other |  | 
    
      |  | 58283: Change the default download location for libraries
        during the build process from /usr/share/javato${user.home}/temp. Patch provided by Ahmed Hosni. (markt) |  |  | 59031: When using the Windows uninstaller, do not remove the
        contents of any directories that have been symlinked into the Tomcat
        directory structure. (markt) |  |  | Modify the default tomcat-users.xmlfile to make it harder
        for users to configure the entries intended for use with the examples
        web application for the Manager application. (markt) |  |  | 59280: Update the NSIS Installer used to build the
        Windows Installers to version 2.51. (kkolinko) |  |  | 58626: Add support for a new environment variable
        ( USE_NOHUP) that causesnohupto be used when
        starting Tomcat. It is disabled by default except on HP-UX where it is
        enabled by default since it is required when starting Tomcat at boot on
        HP-UX. (markt) |  |  | Use the mirror network rather than the ASF master site to download the
        current ASF dependencies. (markt) |  |  | Update the packaged version of the Tomcat Native Library to 1.2.10 to
        pick up the latest Windows binaries built with OpenSSL 1.0.2j. (markt) |  | 
 | 
 | Tomcat 6.0.45 (jfclere) | released 2016-02-11 |  | 
  | Catalina |  | 
    
      |  | Back-port various improvements to the AprLifecycleListenerincluding the fix for 57021 that improves logging when the
        Tomcat-Native DLL fails to load. (markt) |  |  | 57154: Add support for web applications (Context elements)
        that do not have a docBase. This is intended for use when embedding,
        such as Tomcat unit tests, when a web application is configured
        programmatically and does not serve any files. Based on a patch
        provided by Huxing Zhang. (kkolinko) |  |  | 57741: Enable the CGI servlet to use the standard error page
        mechanism. Note that if the CGI servlet's debug init parameter is
        set to 10 or higher then the standard error page mechanism will be
        bypassed and a debug response generated by the CGI servlet will be
        returned instead. (markt) |  |  | 57896: Support defensive copying of "cookie" header so that
        unescaping double quotes in a cookie value does not corrupt original
        value of "cookie" header. This is an opt-in feature, enabled by org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADERororg.apache.catalina.STRICT_SERVLET_COMPLIANCEsystem property. (kkolinko) |  |  | 58031: Make the (first) reason parameter parsing failed
        available as a request attribute and then use it to provide a better
        status code via the FailedRequstFilter (if configured). (markt) |  |  | 58313: Fix concurrent access of encoders map when clearing
        encoders during Comet processing. (markt) |  |  | 58508: Escape role names when generating associated MBeans in
        case the role name contains characters not permitted in an MBean name.
        (markt) |  |  | 58582: Combined realm should perform background processing
        on its sub-realms. Based upon a patch provided by Aidan. (kkolinko) |  |  | Move the functionality that provides redirects for context roots and
        directories where a trailing /is added from the Mapper to
        theDefaultServlet. This enables such requests to be
        processed by any configured Valves and Filters before the redirect is
        made. This behaviour is configurable via themapperContextRootRedirectEnabledandmapperDirectoryRedirectEnabledattributes of the Context
        which may be used to restore the previous behaviour. (markt) |  |  | 58635: Enable break points to be set within agent code when
        running Tomcat with a Java agent. Based on a patch by Huxing Zhang.
        (markt) |  |  | Add the StatusManagerServletto the list of Servlets that
        can only be loaded by privileged applications. (markt) |  |  | Remove redundant copy of catalina.properties from o.a.c.startup.
        Generate this copy during the ant "compile" task. (kkolinko) |  |  | 58817: Fix ArrayIndexOutOfBoundsExceptioncaused byMapperListenerwhen ROOT context is being
        undeployed and mapperContextRootRedirectEnabled="false". (kkolinko) |  |  | 58836: Correctly merge query string parameters when
        processing a forwarded request where the target includes a query string
        that contains a parameter with no value. (markt/kkolinko) |  |  | Allow singleton server instance stored by ServerFactoryto be cleared.
        AllowResourceLinkFactoryto be initialized more than once.
        This is used by unit tests when running several copies of Tomcat
        sequentially in the same JVM.
        When running with a SecurityManager the initialization method ofResourceLinkFactoryis protected by requiring aRuntimePermission. (kkolinko) |  |  | Extend the feature available in the cluster session manager
        implementations that enables session attribute replication to be
        filtered based on attribute name to all session manager implementations.
        Note that configuration attribute name has changed from sessionAttributeFiltertosessionAttributeNameFilter. Apply the filter on load as
        well as unload to ensure that configuration changes made while the web
        application is stopped are applied to any persisted data. (markt) |  |  | Extend the session attribute filtering options to include filtering
        based on the implementation class of the value and optional WARNlevel logging if an attribute is filtered. These
        options are available for all of the Manager implementations that ship
        with Tomcat. When aSecurityManageris used filtering will
        be enabled by default. (markt) |  |  | 58946: Ensure that the request parameter map remains
        immutable when processing via a RequestDispatcher. (markt) |  | 
 | Coyote |  | 
    
      |  | Align the Java side of the tc-native connector with the Tomcat 7
        implementation to ease future maintenance. (markt) |  |  | 51503: Add additional validation that prevents a connector
        from starting if it does not have a valid port number. (kkolinko) |  |  | 52028: Add support for automatic binding to a free port by a
        connector if the special value of zero is used for the port. This is
        mainly useful in embedded and testing scenarios. (kkolinko) |  |  | 52926: Avoid NPE when an NIO Comet connection times out on
        one thread at the same time as it is closed on another thread.
        (markt/kkolinko) |  |  | 57943: Prevent the same socket being added to the cache
        twice. Patch based on analysis by Ian Luo / Sun Qi. (markt/kkolinko) |  |  | Improve HTTP header validation. (markt) |  | 
 | Jasper |  | 
    
      |  | Ignore engineOptionsClassandscratchdirwhen
        running under a security manager. (markt) |  | 
 | Web applications |  | 
    
      |  | 57971: Correct the documentation for the cluster
        configuration setting recoverySleepTime. (markt) |  |  | 58112: Update the documentation for using the Catalina tasks
        in an Apache Ant build file. (markt) |  |  | Improve the Javadoc for some of the APR socket read functions that have
        inconsistent behaviour for return values. (markt) |  |  | 58255: Document the Semaphore valve. Patch provided by
        Kyohei Nakamura. (markt) |  |  | 58631: Correct the continuation character use in the Windows
        Service How-To page of the documentation web application. (markt) |  |  | Correct some typos in the JNDI resources How-To. (markt) |  |  | Add a redirect to the web interface to the root of the Manager web
        application. (markt) |  |  | Don't create sessions unnecessarily in the Manager application. (markt) |  |  | Add a redirect to the web interface to the root of the Host Manager web
        application. (markt) |  |  | Don't create sessions unnecessarily in the Host Manager application.
        (markt) |  | 
 | Other |  | 
    
      |  | Ensure JULI adapters JAR in Tomcat extras package does not include
        the LogFactoryImpl[$*] classes. Based on patch provided by
        Benjamin Gandon. (kkolinko) |  |  | Convert test classes to JUnit 4. (kkolinko) |  |  | 58596: Clarify the description in RUNNING.txt of how
        environment variables are used. (markt) |  |  | Update the NSIS Installer used to build the Windows Installers to
        version 2.50. (markt/kkolinko) |  |  | Add framework for client-server unit tests, porting it from
        Tomcat 7. Add support for running the tests with Apache Ant. (kkolinko) |  |  | Update to Tomcat Native Library version 1.1.34. (jfclere) |  |  | Remove support for Intel Itanium CPU (i64, IA-64) in the Windows
        installer, as the current release of Tomcat Native does not have
        binaries for that processor architecture. (jfclere) |  | 
 | 
 | Tomcat 6.0.44 (jfclere) | released 2015-05-12 |  | 
  | Catalina |  | 
    
      |  | Correct typo in the message shown by HttpServlet for unexpected
        HTTP method. (kkolinko) |  |  | Allow to configure RemoteAddrValve and RemoteHostValve to
        adopt behavior depending on the connector port. Implemented
        by optionally adding the connector port to the string compared
        with the patterns allowanddeny. Configured
        usingaddConnectorPortattribute on valve. (rjung) |  |  | 56608: Fix IllegalStateException for JavaScript files when
        switching from Writer to OutputStream. The special handling of this case
        in the DefaultServlet was broken due to a MIME type change for
        JavaScript. (markt) |  |  | 57675: Correctly quote strings when using the extended
        access log. (markt) |  | 
 | Coyote |  | 
    
      |  | 57234: Make SSL protocol filtering to remove insecure
        protocols case insensitive. Correct spelling of
        filterInsecureProtocols method. (kkolinko/schultz) |  |  | CVE-2014-0230: Add a new system property org.apache.coyote.MAX_SWALLOW_SIZE(defaults to 2MB)
        that limits amount of data Tomcat will swallow if request body
        has not been fully read during normal request processing, e.g.
        for an aborted upload. (Note: in Tomcat 7 and later this feature is
        configured bymaxSwallowSizeattribute on a connector).
        When applying the limit to a connection try to read that many bytes
        first before closing the connection to give the client a chance to
        read the response.
        (markt) |  |  | 57544: Fix a potential infinite loop when preparing a kept
        alive HTTP connection for the next request. (markt) |  |  | 57570: Make the processing of chunked encoding trailing
        headers optional and disabled by default. (markt) |  |  | 57581: Change statistics byte counter in coyote Request
        object to be long to allow values above 2Gb. (kkolinko) |  |  | Update the minimum recommended version of the Tomcat Native library (if
        used) to 1.1.33. (markt) |  | 
 | Jasper |  | 
    
      |  | CVE-2014-7810:
        Do not use a privileged code block when evaluating EL expressions
        when running under a security manager, which allowed to bypass code
        restrictions. (markt/kkolinko) |  |  | Fix an issue with BeanELResolver when running under a security
        manager. Some classes may not be accessible but may have accessible
        interfaces. (markt) |  |  | Simplify code in ProtectedFunctionMapperclass of
        Jasper runtime. (kkolinko) |  | 
 | Web applications |  | 
    
      |  | Update documentation for CGI servlet. Recommend to copy the servlet
        declaration into web application instead of enabling it globally.
        Correct documentation for cgiPathPrefix. (kkolinko) |  |  | Improve Tomcat Manager documentation. Rearrange, add section on
        HTML GUI, document /expire command and Server Status page. (kkolinko) |  |  | 54143: Add display of the memory pools usage (including
        PermGen) to the Status page of the Manager web application. (kkolinko) |  |  | Fix several issues with status.xsdschema in Manager web
        application, testing it against actual output of StatusTransformer
        class. (kkolinko) |  |  | Align algorithm that generates anchor names in Tomcat documentation
        with Tomcat 7/8/9. No visible changes, but may help with future
        updates to the documentation. (kkolinko) |  |  | 56058: Add links to the AccessLogValve documentation for
        configuring reverse proxies and/or Tomcat to ensure that the desired
        information is used entered in the access log when Tomcat is running
        behind a reverse proxy. (markt) |  |  | 57503: Make clear that the JULI integration for log4j only
        works with log4j 1.2.x. (markt) |  |  | 57644: Update examples to use Apache Standard Taglib 1.2.5.
        (jboynes/kkolinko) |  |  | 57706: Clarify the documentation for the AJP connector to
        make clearer that when using tomcatAuthentication="false"the user provided by
        the reverse proxy will not be associated with any roles. (markt) |  |  | Correct the documentation for deployOnStartup to make clear that if a
        WAR file is updated while Tomcat is stopped and unpackWARs is true,
        Tomcat will not detect the changed WAR file when it starts and will not
        replace the unpacked WAR file with the contents of the updated WAR.
        (markt) |  |  | 57759: Add information to the keyAlias documentation to make
        it clear that the order keys are read from the keystore is
        implementation dependent. (markt) |  |  | 57864: Update the documentation web application to make it
        clearer that hex values are not valid for cluster send options. Based on
        a patch by Kyohei Nakamura. (markt) |  | 
 | Other |  | 
    
      |  | 57344: Provide sha1 checksum files for Tomcat downloads.
        (kkolinko) |  |  | 57558: Change catalina-tasks.xmlto use all
        jars in${catalina.home}/libto define Tomcat Ant
        tasks. This fixes a NoClassDefFoundError withvalidatetask. (kkolinko) |  |  | Update to Tomcat Native Library version 1.1.33 to pick up the Windows
        binaries that are based on OpenSSL 1.0.1m and APR 1.5.1. (markt) |  |  | 57801: Improve the error message in the start script in case
        the PID read from the PID file is already owned by a process. (rjung) |  | 
 | 
 | Tomcat 6.0.43 (markt) | released 2014-11-22 |  | 
  | Catalina |  | 
    
      |  | Assert that mapping result object is empty before performing mapping
        work in Mapper. (kkolinko) |  | 
 | Coyote |  | 
    
      |  | 53952: Add support for TLSv1.1 and TLSv1.2 for APR connector.
        Based upon a patch by Marcel Šebek. (schultz/jfclere) |  |  | 56780: Enable Tomcat to start when using SSL with an IBM JRE
        in strict SP800-131a mode. (markt/kkolinko) |  |  | 57102: Fix bug that meant sslEnabledProtocols setting was not
        recognised for the HTTPS NIO connector. (markt) |  |  | Disable SSLv3 by default for the APR/native HTTPS connector.
        (markt/schultz) |  |  | Do not increase remaining counter at end of stream in
        IdentityInputFilter. (kkolinko) |  |  | Disable SSLv3 by default (along with SSLv2 which was already disabled
        by default) in light of the recently announced POODLE vulnerability
        (CVE-2014-3566). (markt) |  |  | 57116: Do not fallback to default protocol list for HTTPS BIO
        connector if sslEnabledProtocolshas no matches. (markt) |  |  | Align calculation of default ciphers and default protocols for JSSE
        HTTPS connectors with Tomcat 7 which allows for per connector defaults
        based on the choice of sslProtocol. (markt/kkolinko) |  |  | 57703: Update the http-methoddefinition for
        web applications using a Servlet 2.5 descriptor as per Servlet 2.5 MR 6.
        (markt) |  | 
 | Web applications |  | 
    
      |  | Configure the Javadoc tool to read sources as ISO-8859-1, suppress
        timestamp comments and enable charset header. (kkolinko) |  |  | Correct typos in configuration samples on SSL Configuration page
        of Tomcat documentation. (kkolinko) |  | 
 | Other |  | 
    
      |  | 56079: The Apache Tomcat Windows service and the Apache
        Tomcat Windows service monitor application are now digitally
        signed. (markt/kkolinko) |  |  | 56988: Allow to use relative path in base.pathsetting when building Tomcat. (kkolinko) |  |  | Update documentation: the minimum version of Apache Ant required to
        build Tomcat is 1.8.0. (kkolinko) |  |  | 56596: Update to Tomcat Native Library version 1.1.32 to
        pick up the Windows binaries that are based on OpenSSL 1.0.1j and APR
        1.5.1. (markt) |  |  | Fix timestamps in Tomcat build to use 24-hour instead of 12-hour format
        and use UTC timezone. (kkolinko) |  | 
 | 
 | Tomcat 6.0.42 (jfclere) | not released |  | 
  | Catalina |  | 
    
      |  | 56600: In WebdavServlet: Do not waste time generating
        response for broken PROPFIND request. (kkolinko) |  |  | 56648: Reduce scope of synchronization when adding children to
       a container (e.g. adding a Context to a Host) to prevent blocking
       requests to other children while the new child starts. (markt) |  |  | 56684: Ensure that Tomcat does not shut down if the socket
        waiting for the shutdown command experiences a SocketTimeoutException. (markt) |  | 
 | Coyote |  | 
    
      |  | Fix CVE-2014-0227:
        Various improvements to ChunkedInputFilter including clean-up, i18n for
        error messages and adding an error flag to allow subsequent attempts at
        reading after an error to fail fast. (markt) |  |  | 56661:  Support using AJP request attribute AJP_LOCAL_ADDRto fixgetLocalAddr(). (rjung) |  | 
 | Jasper |  | 
    
      |  | 43001: Enable the JspC Ant task to set the JspC option mappedFile. (kkolinko) |  |  | 56334: Fix a regression in EL parsing when quoted string
        follows a whitespace. (markt) |  |  | 56560: Fix NoClassDefFoundError when using Jasper Ant task
        defined by catalina-tasks.xmlfile. Patch provided by
        M Gemmell. (kkolinko) |  |  | 56561: Avoid NoSuchElementExceptionwhile
        handling attributes with empty string value. (violetagg) |  |  | 56612: Correctly parse consecutive escaped single quotes when
        used in an EL expression. (markt) |  |  | Use if { ... } else if { ... }rather than multipleif { ... }for alternative branches in the JSP parser.
        (kkolinko) |  |  | Fix a potential resource leak in JDTCompiler when checking whether
        a resource is a package. Reported by Coverity Scan. (fschumacher) |  | 
 | Other |  | 
    
      |  | 56606: When creating tomcat-users.xmlin the
        Windows Installer, use the new attribute name for the name of the user.
        (markt) |  |  | 56829: Add the ability for users to define their own values
        for _RUNJAVAand_RUNJDBenvironment
        variables. Be more strict with executable filename on Windows
        (s/java/java.exe/). Based on a patch by Neeme Praks. (markt/kkolinko) |  |  | 56608: When deploying an external WAR, add watched resources
        in the expanded directory based on whether the expanded directory is
        expected to exist rather than if it does exist. |  |  | When triggering a reload due to a modified watched resource, ensure
         that multiple changed watched resources only trigger one reload rather
         than a series of reloads. |  | 
 | 
 | Tomcat 6.0.41 (markt) | released 2014-05-23 |  | 
  | Jasper |  | 
    
      |  | 56529: Avoid NoSuchElementExceptionwhile handling
        attributes with empty string value in custom tags. Based on a patch
        provided by Hariprasad Manchi. (violetagg/kkolinko) |  | 
 | 
 | Tomcat 6.0.40 (markt) | not released |  | 
  | Catalina |  | 
    
      |  | 56027: Add more options for managing FIPS mode in the
        AprLifecycleListener. (schultz/kkolinko) |  |  | 56082: Fix a concurrency bug in JULI's LogManager
        implementation. (markt) |  |  | 56236: Enable Tomcat to work with alternative Servlet and
        JSP API JARs that package the XML schemas in such as way as to require
        a dependency on the JSP API before enabling validation for web.xml.
        Tomcat has no such dependency. (markt) |  |  | Change the default value of the xmlBlockExternalattribute
        of Context elements. It is nowtrue. (kkolinko) |  |  | Don't log to standard out in SSLValve. (kkolinko/markt) |  |  | Use StringBuilder in DefaultServlet. (kkolinko) |  |  | 56275: Allow web applications to be stopped cleanly even if
        filters throw exceptions when their destroy() method is called.
        (markt/kkolinko) |  |  | Fix CVE-2014-0096:
        Redefine the globalXsltFileinitialisation parameter of the
        DefaultServlet as relative to CATALINA_BASE/conf or CATALINA_HOME/conf.
        Prevent user supplied XSLTs used by the DefaultServlet from defining
        external entities. (markt) |  |  | Add a work around for validating XML documents (often TLDs) that use
        just the file name to refer to refer to the JavaEE schema on which they
        are based. (kkolinko) |  |  | 56369: Ensure that removing an MBean notification listener
        reverts all the operations performed when adding an MBean notification
        listener. (markt) |  |  | Fix CVE-2014-0119:
        Only create XML parsing objects if required and fix associated potential
        memory leak in the default Servlet.
        Ensure that a TLD parser obtained from the cache has the correct value
        of blockExternal.
        Extend XML factory, parser etc. memory leak protection to cover some
        additional locations where, theoretically, a memory leak could occur.
        (markt/kkolinko) |  |  | Add the org.apache.namingpackage to the packages requiring
        code to have thedefineClassInPackagepermission when
        running under a security manager. (markt) |  |  | Add the org.apache.naming.resourcespackage to the packages
        requiring code to have theaccessClassInPackagepermission
        when running under a security manager. (markt) |  |  | Make the naming context tokens for containers more robust. Require
        RuntimePermission when introducing a new token. (markt/kkolinko) |  | 
 | Coyote |  | 
    
      |  | Fix CVE-2014-0075:
        Improve processing of chuck size from chunked headers. Avoid overflow
        and use a bit shift instead of a multiplication as it is marginally
        faster. (markt/kkolinko) |  |  | Fix CVE-2014-0099:
        Fix possible overflow when parsing long values from a byte array.
        (markt) |  |  | 56363: Update to version 1.1.30 of Tomcat Native library.
        The minimum required version of this library for APR connector is now
        1.1.30. (kkolinko) |  | 
 | Jasper |  | 
    
      |  | Change the default behaviour of JspC to block XML external entities by
        default. (kkolinko) |  |  | Restore the validateXml option to Jasper that was previously renamed
        validateTld. Both options are now supported. validateXml controls the
        validation of web.xml files when Jasper parses them and validateTld
        controls the validation of *.tld files when Jasper parses them. (markt) |  |  | 54475: Add Java 8 support to SMAP generation for JSPs. Patch
        by Robbie Gibson. (markt) |  |  | 56010: Don't throw an IllegalArgumentExceptionwhenJspFactory.getPageContextis used withJspWriter.DEFAULT_BUFFER. Based on a patch by Eugene Chung.
        (markt) |  |  | 56265: Do not escape values of dynamic tag attributes
        containing EL expressions. (kkolinko) |  |  | 56283: Add support for running Tomcat 6 with
        ecj-P20140317-1600.jar (as drop-in replacement for ecj-4.3.1.jar). Add
        support for value "1.8" for the compilerSourceVMandcompilerTargetVMoptions. Note that ecj-P20140317-1600.jar
        can only be used when running with Java 6 or later. The "1.8" options
        make sense only when running with Java 8 (or later). (kkolinko) |  |  | 56334: Fix a regression in the handling of back-slash
        escaping introduced by the fix for 55735. (markt/kkolinko) |  |  | Correct the handling of back-slash escaping in the EL parser and no
        longer require that \$or\#must be followed
        by{in order for the back-slash escaping to take effect.
        (markt) |  | 
 | Cluster |  | 
    
      |  | Refactor AbstractReplicatedMapand related classes to
        enable Tomcat 6 to be compiled using Java 8. (markt) |  | 
 | Web applications |  | 
    
      |  | 56093: Documentation for SSLValve. (markt/kkolinko) |  |  | Correct documentation on Windows service options, aligning it with
        Apache Commons Daemon documentation. (kkolinko) |  |  | Add support for version-major,version-major-minortags in documentation XSLT, to simplify
        documentation backports. (kkolinko) |  |  | Fix target and rel attributes on links in documentation. They were
        lost during XSLT transformation. (kkolinko) |  | 
 | Other |  | 
    
      |  | Remove svn keywords (such as $Id) from source files and documentation.
        (kkolinko) |  |  | Improvements to the Windows installer, to align it with installing
        the service with service.bat. Use explicit memory sizes
        (--JvmMs 128 Mb and --JvmMx 256 Mb). Specify log directory path
        when ininstalling, so that the log file is written to the Tomcat logs
        directory, instead of "%SystemRoot%\System32\LogFiles\Apache".
        (kkolinko) |  |  | 49993, 56143: Improve service.batscript. Allow it to be launched from non-UAC console. The UAC prompt
        will be shown only once. Now there is no need to run the command shell
        with elevated privileges. Improve check forJAVA_HOMEand add support forJRE_HOME. Warn if neither "client"
        nor "server" JVM is found. Align classpath, display name and other
        options with theexeinstaller. Make command names
        case-insensitive. Update documentation. (kkolinko) |  | 
 | 
 | Tomcat 6.0.39 (markt) | released 2014-01-31 |  | 
  | Catalina |  | 
    
      |  | 55166: Fix regression that broke XML validation when running
        on some Java 5 JVMs. (kkolinko) |  | 
 | Coyote |  | 
    
      |  | Make the HTTP NIO connector tolerant of whitespace in the individual
        values used for the ciphers attribute. (markt) |  |  | Remove dependency introduced on the jsp-api.jar as part of the XML
        validation changes introduced in 6.0.38. (markt) |  | 
 | Jasper |  | 
    
      |  | Correct several errors in jspxml Schema and DTD. (kkolinko) |  | 
 | Cluster |  | 
    
      |  | Remove an empty TestTwoPhaseCommit test from Tribes. (kkolinko) |  | 
 | Web applications |  | 
    
      |  | Fix broken link in Jasper How-To documentation. (markt) |  |  | Align index.html and index.jsp in ROOT web application. Correct links
        to specifications and to the Tomcat mailing lists. (kkolinko) |  |  | Remove second copy of RUNNING.txt from the full-docs distribution. Some
        unpacking utilities can't handle multiple copies of a file with the same
        name in a directory. (kkolinko) |  | 
 | Other |  | 
    
      |  | Update sample Eclipse IDE project: use JUnit 4 library and prefer a
        Java 5 JDK when several JDKs are configured. Cleanup the Ant build
        files. (kkolinko) |  |  | Correct Maven dependencies for individual JAR files. (markt) |  | 
 | 
 | Tomcat 6.0.38 (markt) | not released |  | 
  | Catalina |  | 
    
      |  | Ensure that when Tomcat's anti-resource locking features are used
        that the temporary copy of the web application and not the original is
        removed when the web application stops. (markt/kkolinko) |  |  | 55019: Fix a potential exception when accessing JSPs while
        running under a SecurityManager. (jfclere) |  |  | 55052: Make JULI's LogManager to additionally look for
        logging properties without prefixes if the property cannot be found with
        a prefix. (kkolinko) |  |  | 55266: Ensure that the session ID is parsed from the request
        before any redirect as the session ID may need to be encoded as part of
        the redirect URL. (markt) |  |  | 55404: Log warnings about using security roles in web.xml as
        warnings. (markt) |  |  | 55268: Added optional --service-start-wait-time
        command-line option to change service start wait time from default
        of 10 seconds. (schultz) |  |  | Correctly associate the default resource bundle with the English locale
        so that requests that specify an Accept-Language of English ahead of
        French, Spanish or Japanese get the English messages they asked for.
        (markt) |  |  | Add missing JavaEE 5 XML schema definitions. (markt) |  |  | When Catalina parses TLD files, always use a namespace aware parser to
        be consistent with how Jasper parses TLD files. The tldNamespaceAwareattribute of the Context is now ignored.
        (markt) |  |  | As per section SRV.14.4.3 of the Servlet 2.5 specification, a namespace
        aware, validating parser will be used when processing *.tldandweb.xmlfiles if the system propertyorg.apache.catalina.STRICT_SERVLET_COMPLIANCEis set totrue. (markt) |  |  | Fix CVE-2014-0033:
        Ensure that sessions IDs are not parsed from URLs for Contexts where disableURLRewritingistrue. (markt) |  |  | Fix CVE-2013-4590:
        Add an option to the Context to control the blocking of XML external
        entities when parsing XML configuration files and enable this blocking
        by default when a security manager is used. The block is implemented via
        a custom resolver to enable the logging of any blocked entities. (markt) |  |  | 56016: When loading resources for XML schema validation, take
        account of the possibility that servlet-api.jar and jsp-api.jar may not
        be loaded by the same class loader. Patch by Juan Carlos Estibariz.
        (markt) |  | 
 | Coyote |  | 
    
      |  | 52811: Fix parsing of Content-Type header in HttpServletResponse.setContentType(). Introduces a new HTTP
        header parser that follows RFC2616. (markt) |  |  | 54691: Add configuration attribute "sslEnabledProtocols"
        to HTTP connector and document it. (Internally this attribute has
        been already implemented but not documented, under names "protocols"
        and "sslProtocols". Those names of this attribute are now deprecated).
        (schultz) |  |  | 54947: Fix the HTTP NIO connector that incorrectly rejected a
        request if the CRLF terminating the request line was split across
        multiple packets. Patch by Konstantin Preißer. (markt) |  |  | 55228: Allow web applications to set a HTTP Date header.
        (markt) |  |  | Fix CVE-2013-4286:
        Better adherence to RFC2616 for content-length headers. (markt) |  |  | Fix CVE-2013-4322: Add support for limiting the size of chunk extensions
        when using chunked encoding. (markt) |  |  | 55749: Improve the error message when SSLEngine is disabled
        in the AprLifecycleListener and SSL is configured for an APR/native
        connector. (markt) |  |  | Avoid possible NPE if a content type is specified without a character set.
        (markt) |  | 
 | Jasper |  | 
    
      |  | 55198: Ensure attribute values in tagx files that include EL
        and quoted XML characters are correctly quoted in the output. (markt) |  |  | 55671: Consistently use the configuration option name genStringAsCharArrayrather than a mixture ofgenStrAsCharArrayandgenStringAsCharArraybut
        retain support forgenStrAsCharArrayas in initialisation
        parameter for the JSP servlet to retain backwards compatibility with
        existing configurations. (markt) |  |  | 55691: Fix javax.el.ArrayELResolverto correctly
        handle the case where the base object is an array of primitives. (markt) |  |  | 55973: Fix processing of XML schemas when validation is
        enabled in Jasper. (kkolinko) |  | 
 | Web applications |  | 
    
      |  | Add documentation for o.a.c.tribes.group.interceptors.TcpFailureDetector.
        (kfujino) |  |  | Complete the documentation for MessageDispatch15Interceptor. (kfujino) |  |  | Add to cluster document a description of notifyLifecycleListenerOnFailureandheartbeatBackgroundEnabled. (kfujino) |  |  | 55746: Add documentation on the allRolesModeto
        theCombinedRealmandLockOutRealm. Patch by
        Cédric Couralet. (markt) |  |  | Fix the sample configuration of StaticMembershipInterceptorin order to prevent warning log. uniqueId must be 16 bytes. (kfujino) |  |  | 55119: Avoid CVE-2013-1571 when generating Javadoc. (markt) |  | 
 | Other |  | 
    
      |  | Update Maven Central location used to download dependencies at build
        time to be repo.maven.apache.org. (kkolinko) |  |  | 55663: Minor correction to the wording of the NOTICE files to
        align them with the
        requirements
        for NOTICE files. (violetagg) |  |  | Add @sincemarkers to the common annotations classes and
        fix a few specification compliance issues. (markt) |  |  | Update to Eclipse JDT Compiler 4.3.1. (markt) |  |  | Update the Apache Jakarta JSTL implementation used by the examples web
        application to 1.1.2. (markt) |  | 
 | 
 | Tomcat 6.0.37 (jfclere) | released 2013-05-03 |  | 
  | Catalina |  | 
    
      |  | 52055: Ensure that filters are recycled. (markt/kkolinko) |  |  | 52184: Reduce log level for invalid cookies. (markt) |  |  | 53481: Added support for SSLHonorCipherOrder to allow
        the server to impose its cipher order on the client. Based on a patch
        provided by Marcel Šebek. (schultz) |  |  | 54044: Correct bug in timestamp cache used by logging
        (including the access log valve) that meant entries could be made with
        an earlier timestamp than the true timestamp. (markt) |  |  | Fix CVE-2013-2067:
        In FormAuthenticator: If it is configured to change Session IDs,
        do the change before displaying the login form. (kkolinko) |  |  | 54054: Do not share shell environment variables between
        multiple instances of the CGI servlet. (markt) |  |  | 54087: Correctly handle (ignore) invalid If-Modified-Since
        header rather than throwing an exception. (markt/kkolinko) |  |  | 54220: Ensure the ErrorReportValve only generates an error
        report if the error flag on the response has been set. (markt) |  |  | Fix memory leak of servlet instances when running with a
        SecurityManager and either init() or destroy() methods fail
        or the servlet is a SingleThreadModel one, and of filter instances
        if their destroy() method fails with an Error. (kkolinko) |  |  | 54382: Fix NPE when SSI processing is enabled and an empty
        SSI directive is present. (markt) |  |  | 54483: Correct one of the Spanish translations. Based on a
        suggestion from adinamita. (kkolinko) |  |  | 54527: Synchronize conf/web.xml mime mapping with Tomcat 7.
        (markt) |  | 
 | Coyote |  | 
    
      |  | 54248: Ensure that byte order marks are swallowed when using
        a Reader to read a request body with a BOM for those encodings that
        require byte order marks. (markt) |  |  | 54324: Allow APR connector to disable TLS compression
        if OpenSSL supports it. (schultz) |  |  | 54456: Ensure that if a client aborts a request when sending
        a chunked request body that this is communicated correctly to the client
        reading the request body. (markt) |  |  | Update the native component of the APR/native connector to 1.1.27 and
        make that version the recommended minimum version. (kkolinko) |  | 
 | Jasper |  | 
    
      |  | 54615:  Tomcat 6 doesn't build against ecj 4.x (kkolinko) |  | 
 | Cluster |  | 
    
      |  | 54045: Make sure getMembers() returns available member when
        TcpFailureDetector works in static cluster. (kfujino) |  | 
 | Web applications |  | 
    
      |  | 22278: Add a commented out sample configuration of RemoteAddrValvetoMETA-INF/context.xmlfiles of the Manager and Host Manager applications. (kkolinko) |  |  | 54080: Clarify documentation for initial value of internalProxiesattribute ofRemoteIpValve.
        (schultz/kkolinko) |  |  | 54198: Clarify that HttpServletResponse.sendError(int)results in an HTML
        response by default. (markt) |  |  | 54207: Correct JNDI factory package name in Javadoc for org.apache.naming.java.javaURLContextFactory. (markt) |  | 
 | Other |  | 
    
      |  | Add sample Apache Commons Daemon JSVC wrapper script bin/daemon.sh that
       can be used with /etc/init.d. (kkolinko) |  |  | In the build configuration: introduce property "tomcat.output" that is
        used to specify location of the build output directory. This simplifies
        configuration if someone wants to move the outputdirectory
        elsewhere (e.g. out of the source tree). (kkolinko) |  |  | 54390: Use 'java_home' on Mac OS X to auto-detect JAVA_HOME.
        (schultz) |  |  | 54601: Change catalina.sh to consistently use LOGGING_MANAGER
          variable to configure logging, instead of modifying JAVA_OPTS one.
          (kkolinko) |  |  | 54890: Update to Apache Commons Daemon 1.0.15. (mturk) |  | 
 | 
 | Tomcat 6.0.36 (jfclere) | released 2012-10-19 |  | 
  | Catalina |  | 
    
      |  | 48692: Provide option to parse application/x-www-form-urlencodedPUT requests. (schultz) |  |  | 50306: New StuckThreadDetectionValve to detect requests that
        take a long time to process, which might indicate that their processing
        threads are stuck. Based on a patch provided by TomLu. (kkolinko) |  |  | 50570: Enable FIPS mode to be set in AprLifecycleListener.
        Based upon a patch from Chris Beckey. Note that this mode requires
        tomcat-native 1.1.23 or later linked to a FIPS-capable OpenSSL library,
        which one has to build by themselves. (schultz/kkolinko) |  |  | Improve synchronization and error handling in AprLifecycleListener.
        Do not allow to change SSL options if SSL has already been initialized.
        (schultz/kkolinko) |  |  | 52225: Fix ClassCastException when adding an alias for an
        existing host via JMX. (kkolinko) |  |  | 52293: Correctly handle the case when antiResourceLockingis enabled at the Context level whenunpackWARsis disabled at the Host level. Correctly
        handle multi-level contexts whenantiResourceLockingis enabled. Patch by Justin Miller. (kkolinko) |  |  | Do not throw IllegalArgumentException from parseParameters() call
        when chunked POST request is too large, but treat it like an IO error.
        The FailedRequestFilterfilter can be used to detect this
        condition. (kkolinko) |  |  | 52384: Do not fail with parameter parsing when debug logging
        is enabled. (kkolinko) |  |  | Do not flag extra '&' characters in parameters as parse errors.
        (kkolinko) |  |  | 52488: Correct typos: exipre -> expire. Based on a patch by
        prockter. (markt) |  |  | Reduce log level for the message about hitting maxParameterCountlimit from WARN to INFO.
        Fix limit comparison to allow exactlymaxParameterCountparameters, as documentation says, instead of(maxParameterCount-1). (kkolinko) |  |  | Slightly improve performance of UDecoder.convert(). Align %2fhandling between implementations. (kkolinko) |  |  | Add denyStatusattribute toRequestFilterValve(RemoteAddrValve,RemoteHostValvevalves).
        It allows to use different HTTP response code when rejecting denied
        request. E.g. 404 instead of 403. (kkolinko) |  |  | Add SetCharacterEncodingFilter(similar to the one
        contained in the examples web application) to theorg.apache.catalina.filterspackage so that it is
        available for all web applications. (kkolinko) |  |  | 52500: Added configurable mechanism to retrieve user names
        from X509 client certificates. Based on a patch provided by
        Michael Furman. (schultz/kkolinko) |  |  | 52719: Fix a theoretical resource leak in the JAR validation
        that checks for non-permitted classes in web application JARs. (markt) |  |  | 52830: Correct JNDI lookups when using javax.naming.Nameto identify the resource rather than ajava.lang.String. (markt) |  |  | 52850: Extend memory leak prevention and detection code to
        work with IBM as well as Oracle JVMs. Based on a patch provided by
        Rohit Kelapure. (kkolinko) |  |  | 52996: In StandardThreadExecutor:
        Add the ability to configure a job queue size
        (maxQueueSizeattribute).
        Add a variant of execute method that allows to specify a timeout for
        how long we want to try to add something to the queue.
        Based on a patch by Rüdiger Plüm. (kkolinko) |  |  | 53047: If a JDBCRealm or DataSourceRealm is configured for
        an all roles mode that only requires authorization (and no roles) and no
        role table or column is defined, don't populate the Principal's roles.
        (markt/kkolinko) |  |  | 53050: Fix handling of entropy value when initializing
        session id generator in session manager. Based on proposal by
        Andras Rozsa. (kkolinko) |  |  | 53056: Add APR version number to tcnative version INFO log
        message. (schultz) |  |  | 53057: Add OpenSSL version number INFO log message when
        initializing. (schultz) |  |  | 53071: Use the message from the Throwable for the error
        report generated by the ErrorReportValveif none was
        specified viasendError(). Use the standard text for HTTP
        error codes. (markt/rjung) |  |  | 53230: Change session managers to throw
        TooManyActiveSessionsException instead of IllegalStateException
        when the maximum number of sessions has been exceeded and a new
        session will not be created. (schultz/kkolinko) |  |  | 53267: Ensure that using the GC Daemon Protection feature of
        the JreMemoryLeakPreventionListenerdoes not trigger a
        full GC every hour. (markt/kkolinko) |  |  | 53531: Fix ExpandWar.expand to check the return value of
        File.mkdir and File.mkdirs. (schultz) |  |  | Make the CSRF nonce cache in CsrfPreventionFilterserializable so that it can be replicated across a cluster and/or
        persisted across Tomcat restarts. (markt) |  |  | 53584: Ignore path parameters when comparing URIs for FORM
        authentication. This prevents users being prompted twice for passwords
        when logging in when session IDs are being encoded as path parameters.
        (markt) |  |  | CVE-2012-3439:
        Various improvements to the DIGEST authenticator including
        52954, the disabling caching of an authenticated user in the
        session by default, tracking server rather than client nonces and better
        handling of stale nonce values. (markt) |  |  | CVE-2012-3546: Fix bypass of security constraint checks with FORM
        authentication. Remove unneeded processing in RealmBase.
        (kkolinko) |  |  | 53800: FileDirContext.list()did not provide
        correct paths for subdirectories. Patch provided by Kevin Wooten.
        (kkolinko) |  |  | 53830: Better handling of Manager.randomFiledefault value on Windows. (kkolinko) |  |  | CVE-2012-4431: Fix bypass of CsrfPreventionFilterwhen
        there is no session. Improve session management in the filter.
        (kkolinko) |  | 
 | Coyote |  | 
    
      |  | 42181: Better handling of edge conditions in chunk header
        processing. (kkolinko) |  |  | 51477: Support all SSL protocol combinations in the APR/native
        connector. This only works when using the native library version 1.1.21
        or later. (rjung) |  |  | 52055 (comment 14): Correctly reset ChunkedInputFilter.needCRLFParseflag when the filter
        is recycled. (kkolinko) |  |  | 52606: Ensure replayed POST bodies are available when using
        AJP. (markt) |  |  | 52858, CVE-2012-4534: Fix high CPU load with SSL, NIO and
        sendfile when client breaks the connection before reading all the
        requested data.
        (fhanik/kkolinko) |  |  | 53119: Prevent buffer overflow errors being reported when a
        client disconnects before the response has been fully written from an
        AJP connection using the APR/native connector. (kkolinko) |  |  | CVE-2012-2733:
        Improve InternalNioInputBuffer.parseHeaders(). (kkolinko) |  |  | Implement maxHeaderCountattribute on Connector.
        It is equivalent of LimitRequestFields directive of
        Apache HTTPD.
        Default value is 100. (kkolinko) |  |  | In JkCoyoteHandler connector for AJP/1.3 protocol
        (in JkMain.setProperty()):
        Fix setting of properties when connector has already started for
        properties that have aliases. E.g. it now allows to changemaxHeaderCountattribute on Connector MBean via JMX.
        (kkolinko) |  |  | 53725: Fix possible corruption of GZIP'd output. (kkolinko) |  | 
 | Jasper |  | 
    
      |  | 48097 (comment 7), 53366 (comment 1):
        If JSP page unexpectedly fails to initialize PageContext instance,
        write exception to the logs instead of silent swallowing. (kkolinko) |  |  | 52335: Only handle <\%and not\%as escaped in template text. (markt) |  |  | 52666: Correct coercion order in EL when processing the
        equality and inequality operators. (markt) |  |  | 53001: Revert the fix for 46915 since the use case
        described in the bug is invalid since it breaks the EL specification.
        (markt) |  |  | 53032: Modify JspCso it extendsorg.apache.tools.ant.Taskenabling it to work with features
        such as namespaces within build.xml files. (markt) |  | 
 | Cluster |  | 
    
      |  | Replicate principal in ClusterSingleSignOn. (kfujino) |  |  | 53513: Fix race condition between the processing of session
        sync message and transfer complete message. (kfujino) |  |  | 53606: Fix potential NPE in TcpPingInterceptor.
        Based on a patch by F. Arnoud. (markt) |  |  | 53607: To avoid NPE, set TCP PING data to ChannelMessage.
        Patch provided by F.Arnoud (kfujino) |  |  | Fix a behavior of TcpPingInterceptor#useThread.
        Do not start a ping thread when useThread is set to false. (kfujino) |  | 
 | Web applications |  | 
    
      |  | 52243: Improve windows service documentation to clarify how
        to include #and/or;in the value of an
        environment variable that is passed to the service. (markt) |  |  | 52515: Make it clear in the Realm how-to in the documentation
        web application that digested password storage when using DIGEST
        authentication requires that MD5 digests are used. (markt) |  |  | 52641: Remove mentioning of ldap.jar from docs.
        Patch provided by Felix Schumacher. (rjung) |  |  | Remove obsolete bug warning from windows service
        documentation page. (rjung) |  |  | 52983: Remove unnecessary code that makes switching to
        other authentication methods difficult. (markt) |  |  | 53158: Fix documented defaults for DBCP.
        Patch provided by ph.dezanneau at gmail.com. (rjung) |  |  | Update JavaSE documentation links to point to the current
        docs.oracle.com site, instead of obsolete ones (download.oracle.com,
        java.sun.com). (kkolinko) |  |  | 53289: Clarify ResourceLinkexample that
        uses DataSource.getConnection(username, password) method. Not all
        data source implementations support it. (kkolinko) |  |  | Prevent the custom error pages for the Manager and Host Manager
        applications from being accessed directly. Configure custom
        pages for error codes 401 and 403 in Host Manager application.
        (markt/kkolinko) |  |  | Correct documentation for enableLookupsattribute
        of a Connector. By default DNS lookups are disabled. (kkolinko) |  |  | Fix several HTML markup errors in servlets of examples web application.
        (kkolinko) |  |  | Change the index page of ROOT webapp to mention "manager-gui" role
        instead of "manager" one. (kkolinko) |  |  | 53473: Correct the allowed values for the SSI option isVirtualWebappRelativewhich aretrueorfalse. (markt) |  |  | 53664: Minor JNDI Howto document enhancement concerning mail
        properties. Patch provided by Mark Eggers. (schultz) |  |  | 53601: Clarify that to build Apache Tomcat 6 from sources
        a Java 5 JDK is recommended. (kkolinko) |  |  | 53793: Change links on the list of applications in the
        Manager to point to /appname/instead of/appname. (kkolinko) |  | 
 | Other |  | 
    
      |  | 49402, 52124: Fix Maven publishing script:
        make sure it finds tomcat-juli.jar and use later version of
        wagon-ssh. (jfclere) |  |  | Update Apache Commons Daemon to 1.0.10. It resolves 52548
        which meant that services created with service.bat did not set the catalina.homeandcatalina.basesystem
        properties. (markt, kkolinko) |  |  | Update Apache Commons Pool to 1.5.7. (kkolinko) |  |  | 52579: Add a note about Sun's Charset.decode() bug to the
        RELEASE-NOTES file. (kkolinko) |  |  | 52805: Update to Eclipse JDT Compiler 3.7.2. (kkolinko) |  |  | Update the native component of the APR/native connectors to 1.1.23
        and take advantage of the simplified distribution. (kkolinko) |  |  | When building a Windows installer do not copy whole "res" folder to
        output/dist, but only the files that we need. Apply fixcrlf filter
        only after the files are copied, so that INSTALLLICENSEfile had correct line ends. (kkolinko) |  |  | Remove res/License.rtf. The file that is actually shown
        by the Windows installer isres/INSTALLLICENSE.
        (kkolinko) |  |  | Improve RUNNING.txt. (kkolinko) |  |  | Align the script that deploys Maven jars for Tomcat
        ( res/maven/mvn-pub.xml) with the Tomcat 7 version,
        making full use of Nexus. (markt) |  |  | 53034: Add project.urlandproject.licensessections to the POMs for the Maven
        artifacts. (kkolinko) |  |  | 53454: Return correct content-length header for HEAD requests
        when content length is greater than 2GB. (markt) |  | 
 | 
 | Tomcat 6.0.34 (jfclere) | not released |  | 
  | Catalina |  | 
    
      |  | 51550: Display an error page rather than an empty response
        for an IllegalStateException caused by too many active sessions. (markt) |  |  | 51640: Improve the memory leak prevention for leaks
        triggered by java.sql.DriverManager. (markt/kkolinko) |  |  | 51688: JreMemoryLeakPreventionListener now protects against
        AWT thread creation. (schultz) |  |  | 51758: The digester (used for processing XML files) used the
        logger name org.apache.commons.digester.Digesterrather
        than the expectedorg.apache.tomcat.util.digester.Digester.
        The digester has been changed to use the expected logger name.
        (kkolinko) |  |  | 51862: Added a classesToInitializeattribute toJreMemoryLeakPreventionListenerto allow pre-loading of configurable
        classes to avoid some classloader leaks. (slaurent) |  |  | 51872: Ensure that the access log always uses the correct
        value for the remote IP address associated with the request and that
        requests with multiple errors do not result in multiple entries in
        the access log. (markt) |  |  | Allow to overwrite the check for distributability
        of session attributes by session implementations. (rjung) |  |  | Provide the log format "OneLineFormatter" for JULI that provides the same
        information as the default plus thread name but on a single line.
        (markt/rjung) |  |  | Ensure that the memory leak protection for the HttpClient keep-alive
        always operates even if the thread has already stopped. (markt) |  |  | 51940: Do not limit saving of request bodies during FORM
        authentication to POST requests since any HTTP method may include a
        request body. Based on a patch by Nicholas Sushkin. (kkolinko) |  |  | 52091: Address performance issues related to lock contention
        in StandardWrapper. Based on patch provided by Taiki Sugawara.
        (kkolinko) |  |  | In GenericPrincipal, SerializablePrincipal: Do not sort lists of roles
        that have only one element. (kkolinko) |  |  | Make configuration issue for CsrfPreventionFilter result in the
        failure of the filter rather than just a warning message. (kkolinko) |  |  | Ensure changes to the configuration of RemoteAddrValve and
        RemoteHostValve via JMX are thread-safe. (kkolinko) |  |  | Make configuration issue for RemoteAddrValve and
        RemoteHostValve result in the failure of the valve rather than
        just a warning message. (kkolinko) |  |  | In RequestFilterValve(RemoteAddrValve,RemoteHostValve): refactor value matching logic into
        separate method and expose this new methodisAllowedthrough JMX. (kkolinko) |  |  | Improve performance of parameter processing for GET and POST requests.
        Also add an option to limit the maximum number of parameters processed
        per request. This defaults to 10000. Excessive parameters are ignored.
        Note that FailedRequestFiltercan be used to reject the
        request if some parameters were ignored. (markt/kkolinko) |  |  | New filter FailedRequestFilterthat will reject a request
        if there were errors during HTTP parameter parsing. (kkolinko) |  | 
 | Coyote |  | 
    
      |  | 50394: Return -1 from read operation instead of throwing an
        exception when encountering an EOF with the HTTP APR connector.
        (kkolinko) |  |  | 51698: Fix CVE-2011-3190. Prevent AJP message injection.
        (markt) |  |  | Detect incomplete AJP messages and reject the associated request if one
        is found. (markt) |  |  | 51794: Fix race condition in NioEndpoint selector. Patch
        provided by dlord. (fhanik) |  |  | 51905: Fix infinite loop in AprEndpoint shutdown if
        acceptor unlock fails. Reduce timeout before forcefully closing
        the socket from 30s to 10s. (kkolinko) |  |  | 52121: Fix possible output corruption when compression is
        enabled for a connector and the response is flushed. Test
        case provided by David Marcks. (kkolinko) |  |  | Replace unneeded call that iterated events queue in NioEndpoint.Poller.
        (kkolinko) |  |  | Improve MimeHeaders.toString(). (kkolinko) |  |  | Allow the BIO HTTP connector to be used with SSL when running under Java
        7. (markt) |  |  | Improve multi-byte character handling in all connectors. (rjung) |  | 
 | Jasper |  | 
    
      |  | 51220: Correct copy/paste error in original commit for this
        issue. (markt) |  |  | 52091: Address performance issues related to log creation
        in TagHandlerPool. Patch provided by Taiki Sugawara. (markt) |  | 
 | Cluster |  | 
    
      |  | 51736: Make rpcTimeout configurable in BackupManager. 
        (kfujino) |  |  | New cluster manager attribute sessionAttributeFilterallows to filter which session attributes are replicated using a
        regular expression applied to the attribute name. (rjung) |  |  | Avoid an unnecessary session ID change notice. 
        Notice of changed session ID by JvmRouteBinderValve is unnecessary to 
        BackupManager. In BackupManager, change of session ID is replicated by 
        the call of a setId() method. (kfujino) |  |  | Fix unneeded duplicate resetDeltaRequest()call inDeltaSession.setId(String). (kkolinko) |  |  | When Context manager does not exist, no context manager message is 
        replied in order to avoid timeout (default 60 sec) of 
        GET_ALL_SESSIONS sync phase. (kfujino) |  | 
 | Web applications |  | 
    
      |  | Correct the documentation for the connectionLinger attribute of the HTTP
        connector. (markt) |  |  | Show build date and version in the header on every documentation
        page. (kkolinko) |  |  | 52049: Improve setup instructions for running as a Windows
        service: correct information on how a JRE is identified and selected.
        (markt) |  |  | 52172: Clarify Tomcat build instructions. Patch provided
        by bmargulies. (kkolinko) |  | 
 | Other |  | 
    
      |  | Update the native component of the APR/native connectors to 1.1.22.
        (markt) |  |  | Update the recommended version of the native component of the APR/native
        connectors to 1.1.22. (kkolinko) |  |  | Update the Eclipse compiler (used for JSPs) to 3.7. (markt) |  |  | Correct two typos in the Windows installer. (kkolinko) |  |  | 52059: In Windows uninstaller: Do not forget to remove
        Tomcat keys from 32-bit registry on deinstallation. (kkolinko) |  | 
 | 
 | Tomcat 6.0.33 (jfclere) | released 2011-08-18 |  | 
  | Catalina |  | 
    
      |  | Allow to search the virtual paths before the webapp or after it. (rjung) |  |  | 27988: Improve reporting of missing files. (markt) |  |  | 28852: Add URL encoding where missing to parameters in URLs
        presented by Ant tasks to the Manager application. Based on a patch by
        Stephane Bailliez. (markt) |  |  | 46252: Allow to specify character set to be used to write
        the access log in AccessLogValve. (kkolinko) |  |  | 48863: Provide an warning if there is a problem with a class
        path entry but use debug level logging if it is expected due to catalina
        home/base split. (kkolinko) |  |  | 49180: Add an option to disable file rotation in JULI
        FileHandler. (kkolinko) |  |  | 50189: Once the application has finished writing to the
        response, prevent further reads from the request since this causes
        various problems in the connectors which do not expect this. (markt) |  |  | 50700: Ensure that the override attribute of context
        parameters is correctly followed. (markt) |  |  | 50734: Return 404 rather than 400 for requests to the ROOT
        context when no ROOT context is deployed. Patch provided by Violeta
        Georgieva. (markt) |  |  | 50751: When authenticating with the JNDI Realm, only attempt
        to read user attributes from the directory if attributes are required.
        (markt) |  |  | 50752: Fix typo in debug message in org.apache.catalina.startup.Embedded. (markt) |  |  | 50855: Fix NPE on AuthenticatorBase.register() when debug
        logging is enabled. (markt) |  |  | Correctly format the timestamp reported by version.[sh|bat]. (markt) |  |  | Remove unnecessary whitespace from MIME mapping entries in global
        web.xml file. (markt) |  |  | 51042: Don't trigger session creation listeners when a
        session ID is changed as part of the authentication process. (markt) |  |  | 51119: Add JAAS authentication support to the
        JMXRemoteLifecycleListener. Patch provided by Neil Laurance. (markt) |  |  | Implement display of multiple request headers in AccessLogValve:
        print not just the value of the first header, but of the all of them,
        separated by commas. (kkolinko) |  |  | Correct the SSLValve so it returns the SSL key size as an Integer rather
        than as a String. (markt) |  |  | 51162: Prevent possible NPE when removing a web application.
        (markt) |  |  | 51249: Improve system property replacement code
        in ClassLoaderLogManager of Tomcat JULI to cover some corner cases.
        (kkolinko) |  |  | 51315: Fix IAE when removing an authenticator valve from a
        container. Patch provided by Violeta Georgieva. (markt) |  |  | 51324: Improve handling of exceptions when flushing the
        response buffer to ensure that the doFlush flag does not get stuck in
        the enabled state. Patch provided by Jeremy Norris. (kkolinko) |  |  | 51348: Fix possible NPE when processing WebDAV locks. (markt) |  |  | Add a container event that is fired when a session's ID is changed,
        e.g. on authentication. (markt) |  |  | Fix CVE-2011-2204. Prevent user passwords appearing in log files if a
        runtime exception (e.g. OOME) occurs while creating a new user for a
        MemoryUserDatabase via JMX. (markt) |  |  | 51400: Avoid jvm bottleneck on String/byte[] conversion
        triggered by a JVM bug. Based on patches by Dave Engberg and Konstantin
        Preißer. (markt) |  |  | 51403: Avoid NPE in JULI FileHandler if formatter is
        misconfigured. (kkolinko) |  |  | Create a directory for access log or error log (in AccessLogValve and
        in JULI FileHandler) automatically when it is specified as a part of
        the file name, e.g. in the prefixattribute. Earlier this
        happened only if it was specified with thedirectoryattribute. (kkolinko) |  |  | Log a failure if access log file cannot be opened. Improve i18n
        of messages. (kkolinko) |  |  | Improve handling of URLs with path parameters and prevent incorrect 404
        responses that could occur when path parameters were present.
        The method getRequestURI()was fixed to comply with
        specification (chapter SRV.3.1 of Servlet Spec. 2.5, javadoc) and now
        returns original request URI line from a HTTP request including any
        path parameters (such as jsessionid). See issues 51833 and
        53584.
        (kkolinko/markt) |  |  | 51473: Fix concatenation of values in SecurityConfig.setSecurityProperty(). (kkolinko) |  |  | 51509: Fix potential concurrency issue in CSRF prevention
        filter that may lead to some requests failing that should not. (markt) |  |  | 51588: Make it easier to extend the AccessLogValve to add
        support for custom elements. (markt) |  |  | Unregister DataSource MBeans when web application stops. (kfujino) |  |  | CVE-2011-1184: Add additional configuration options to the DIGEST
        authenticator. (markt) |  | 
 | Coyote |  | 
    
      |  | Reduce level of log message for invalid URL parameters from WARNING to
        INFO. (kkolinko) |  |  | 48208: Provide an option to specify a custom trust manager
        for BIO and NIO HTTP connectors using SSL. Based on a patch by Luciana
        Moreira. (markt) |  |  | 49595: Protect against crashes when using the APR/native
        connector. (jfclere) |  |  | 49929: Make sure flush packet is not send after END_RESPONSE
        packet. (mturk/markt) |  |  | 50887: Enable the provider to be configured when generating
        SSL certs. Based on a patch by pknopp. (markt) |  |  | 51073: Throw an exception and do not start the APR connector
        if it is configured for SSL and an invalid value is provided for
        SSLProtocol. (markt) |  |  | Fix CVE 2011-2526. Protect against infinite loops (HTTP NIO) and crashes
        (HTTP APR) if sendfile is configured to send more data than is available
        in the file. (markt) |  |  | Prevent NPEs when a socket is closed in non-error conditions after
        sendfile processing when using the HTTP NIO connector. (markt) |  |  | 51515: Prevent immediate socket close when comet is used over
        HTTPS. (markt) |  | 
 | Jasper |  | 
    
      |  | 36362: Handle the case where tag file attributes (which can
        use any valid XML name) have a name which is not a Java identifier.
        (markt) |  |  | 47371: Correctly coerce the empty string to zero when used as
        an operand in EL arithmetic. Patch provided by gbt. (markt) |  |  | 50726: Ensure that the use of the genStringAsCharArray does
        not result in String constants that are too long for valid Java code.
        (markt) |  |  | 50895: Don't initialize classes created during the
        compilation stage. (markt) |  |  | 51124: Make Tomcat more robust if an OOME occurs. Usually
        after an OOME all bets are off but this change appears to help some
        users and the description of a 'recoverable' OOME in the bug
        is a plausible one. Based on a patch by Ramiro. (markt) |  |  | 51177: Ensure Tomcat's MapELResolver and ListELResolver
        always return Object.classforgetType()as
        required by the EL specification. (markt) |  |  | Correct possible threading issue in JSP compilation when development
        mode is used. (markt) |  |  | 51220: Add a system property to enable tag pooling with JSPs
        that use a custom base class. Based on a patch by Dan Mikusa. (markt) |  |  | Broaden the exception handling in the EL Parser so that more failures to
        parse an expression include the failed expression in the exception
        message. Hopefully, this will help track down the cause of
        51088. (markt) |  |  | Improve error reporting of Jasper compilation. (schultz) |  | 
 | Cluster |  | 
    
      |  | 50646: Fix cluster message data corruption if message size
        exceeds the underlying buffer size. Patch provided by Olivier Costet.
        (markt) |  |  | 50771: Ensure HttpServletRequest#getAuthType() returns the 
        name of the authentication scheme if request has already been 
        authenticated. (kfujino) |  |  | 50950: Correct possible NotSerializableException for an
        authenticated session when running with a security manager. (markt) |  |  | 51306: Avoid NPE when handleSESSION_EXPIRED is processed 
        while handleSESSION_CREATED is being processed. (kfujino) |  |  | The change in session ID is notified to the container event listener on 
        the backup node in cluster. This notification is controlled by 
        notifyContainerListenersOnReplication. (kfujino) |  | 
 | Web applications |  | 
    
      |  | 41498: Add the allRolesMode attribute to the Realm
        configuration page in the documentation web application. (markt) |  |  | 48997: Fixed some typos and improve cross-referencing to the
        HTTP Connector and APR documentation with the SSL How-To page of the
        documentation web application. (markt) |  |  | 50804: Update links for Servlet 2.5 and JSP 2.1 Javadoc.
        (markt) |  |  | Improve class loading documentation and logging documentation.
        (kkolinko) |  |  | Configure Security Manager How-To to include a copy of the actual
        conf/catalina.policy file when the documentation is built, rather
        than maintaining a copy of its content. (kkolinko) |  |  | 51147: Fix deployment via HTML Manager that was broken by
        addition of CRSF protection. Patch provided by Alexis Hassler. (markt) |  |  | 51156: Ensure session expiration option is available in
        Manager application was running web applications that were defined in
        server.xml. (markt) |  |  | Correct the log4j configuration settings when defining conversion
        patterns in the documentation web application. (markt) |  |  | Update Maven repository information in the documentation to reflect
        current usage. (markt) |  |  | 51346: Update the documentation web application to make clear
        the circumstances in which the RequestDumperValve will consume the
        request's InputStream. Based on a patch by pid. (markt) |  |  | 51443: Document the notifySessionListenersOnReplication
        attribute for the DeltaManager. (markt) |  |  | 51516: Correct documentation web application to show correct
        system property name for changing the name of the SSO session cookie.
        (markt) |  |  | Update documentation to be even more explicit about the implications
        of setting the pathattribute on aContextelement inserver.xml. (markt/kkolinko) |  | 
 | Other |  | 
    
      |  | Clarify error messages in *.sh files to mention that if a script is
        not found it might be because execute permission is needed. (kkolinko) |  |  | 33262, 40510, 50949, 51135:
        Various improvements to the Windows installer to be able to install
        several copies of Tomcat 6 side by side. Allow to configure service
        name, connector and shutdown ports. Allow to choose whether to install
        Start menu shortcuts and Apache Tomcat monitor application for all
        users or for the current one only. Improve auto-detection of JAVA_HOME
        for 64-bit Windows platforms: autoselect 32-bit JRE if it exists and
        64-bit one is not available. Improve server.xml file handling.
        Fix uninstallation icon. (markt/kkolinko) |  |  | 50854: Add additional entries to the default catalina.policy
        file to support running the manager web application from CATALINA_HOME
        or CATALINA_BASE. (markt) |  |  | Update default download sources to use the central Apache Maven 2
        repository as some libraries have been removed from the central Apache
        Maven 1 repository. (kkolinko) |  |  | 51155: Add comments to @deprecated tags that have none. Patch
        provided by sebb. (kkolinko) |  |  | 51309: Correct logic in catalina.sh stop when using a PID
        file to ensure the correct message is shown. Patch provided by Caio
        Cezar. (markt) |  |  | Update Apache Commons Pool to 1.5.6. (kkolinko) |  |  | Update Apache Commons Daemon to 1.0.7. (kkolinko) |  |  | At build time use two alternative download locations for components
        downloaded from apache.org. (kkolinko) |  | 
 | 
 | Tomcat 6.0.32 (jfclere) | released 2011-02-03 |  | 
  | Catalina |  | 
    
      |  | 48822: Include context name in reload and stop log statements.
        Based on the patch provided by Marc Guillemot. (kkolinko) |  |  | 50673: Improve Catalina shutdown when running as a service.
        Do not call System.exit(). (kkolinko) |  |  | 50689: Provide 100 Continue responses at appropriate points
        during FORM authentication if client indicates that they are expected.
        (kkolinko) |  |  | Improve HTTP specification compliance in support of Accept-Languageheader. This protects from known exploit
        of the Oracle JVM bug that triggers a DoS, CVE-2010-4476. (kkolinko) |  | 
 | Coyote |  | 
    
      |  | 49795: Backport AprEndpoint shutdown improvements, to make
        it more robust. (mturk/kkolinko) |  |  | 50325: When the JVM indicates support for RFC 5746, disable
        Tomcat's allowUnsafeLegacyRenegotiationconfiguration
        attribute and use the JVM configuration to control renegotiation.
        (markt) |  |  | 50631: InternalNioInputBuffer should honor maxHttpHeadSize. (kkolinko) |  |  | 50651: Fix NPE in InternalNioOutputBuffer.recycle().
        (kkolinko) |  | 
 | Cluster |  | 
    
      |  | Be consistent with locks on sessionCreationTiming,
        sessionExpirationTiming in DeltaManager.resetStatistics(). (kkolinko) |  | 
 | 
 | Tomcat 6.0.31 (jfclere) | not released |  | 
  | Catalina |  | 
    
      |  | 49543: Allow Tomcat to use shared data sources with per
        application credentials. (fhanik) |  |  | 50205: Add the deployIgnorePaths attribute to the Host
        element. Based on a patch by Jim Riggs. (markt/kkolinko) |  |  | 50413: Additional fix that ensures the error page is served
        regardless of any Range headers in the original request. (kkolinko) |  |  | 50550: When a new directory is created (e.g. via WebDAV)
        ensure that a subsequent request for that directory does not result in a
        404 response. (markt/kkolinko) |  |  | Provide session creation and destruction rate metrics in the session
        managers. (markt) |  |  | 50606: Improve CGIServlet: Provide support for specifying
        empty value for the executableinit-param. Provide support
        for explicit additional arguments for the executable. Those were
        broken when implementing fix for bug 49657. (kkolinko) |  |  | 50620: Stop exceptions that occur during Session.endAccess()from preventing the normal completion
        ofRequest.recycle(). (markt) |  | 
 | Coyote |  | 
    
      |  | Remove a huge memory leak in the NIO connector introduced by the fix
        for 49884. (markt) |  | 
 | Cluster |  | 
    
      |  | 50600: Prevent a ConcurrentModificationExceptionwhen removing a WAR file via the FarmWarDeployer. (markt) |  | 
 | 
 | Tomcat 6.0.30 (jfclere) | released 2011-01-13 |  | 
  | General |  | 
    
      |  | Filter input of manager app servlets. (kkolinko) |  |  | 43960: Expose available property of StandardWrapper via JMX.
        (markt) |  |  | Update to Commons Daemon 1.0.5. (mturk) |  |  | Switch to using the Eclipse compiler JAR directly rather than creating
        it from the larger JDT download. (markt) |  |  | Allow the off-line building of the extras package. (markt) |  |  | Update to Commons Pool 1.5.5. (markt) |  |  | 49728, 50084: Improve PID file handling when
        another process is managing the PID file and Tomcat does not have write
        access. (markt) |  |  | 49909, 50201: Provide a mechanism to log requests
        rejected before they reach the AccessLogValve to appear in the access
        log. (markt/kkolinko) |  | 
 | Catalina |  | 
    
      |  | 38113: Provide a system property that enables a strict
        interpretation of the specification for getQueryString()when an empty query string is provided by the user agent. (markt) |  |  | Return a copy of the current URLs for the WebappClassLoaderto prevent modification. This facilitated, although it wasn't the root
        cause, CVE-2010-1622. (markt) |  |  | 48837: Extend thread local memory leak detection to include
        classes loaded by subordinate class loaders to the web
        application's class loader such as the Jasper class loader.
        Patch provided by Sylvain Laurent. (kkolinko) |  |  | 48973: Avoid creating a SESSIONS.ser file when stopping an 
        application if there's no session. Patch provided by Marc Guillemot.
        (slaurent) |  |  | 49030: Failure during start of one connector should not leave
        some connectors started and some ignored. (kkolinko) |  |  | 49195: Don't report an error when shutting down a Windows
        service for a Tomcat instance that has a disabled shutdown port. (markt) |  |  | 49209: Fix problem with JDBC driver memory leak prevention
        when running under a security manager. Patch provided by Sylvain
        Laurent. (markt) |  |  | 49613: Improve performance when using SSL for applications
        that make multiple class to Request.getAttributeNames().
        Patch provided by Sampo Savolainen. (markt) |  |  | 49657: Handle CGI executables with spaces in the path.
        (markt) |  |  | 49667: Ensure that using the JDBC driver memory leak
        prevention code does not cause a one of the memory leaks it is meant to
        avoid. (markt) |  |  | 49749: Respect httpOnlysetting of Context
        when creating SSO cookie. (markt) |  |  | Provide better web application state information via JMX. (markt) |  |  | 49811: Add an option to disable URL rewriting on a per
        Context basis. The option name is disableURLRewriting.
        (markt) |  |  | 49856: Expose the executor name for the connector via JMX.
        (markt) |  |  | 49915: Make error more obvious, particularly when accessed
        via JConsole, if StandardServer.storeConfig() is called when there is
        no StoreConfig implementation present. (markt) |  |  | 49965: Use correct i18n resources for StringManager in
        JAASRealm. (kkolinko) |  |  | 49987: Fix potential data race in the population of the
        Servlet Context initialisation parameters. (markt) |  |  | Code clean-up. Avoid some casts in StandardContext. (markt) |  |  | Add security policy and token poller protection to the JRE memory leak
        protection provided in Tomcat 6. (markt/kkolinko) |  |  | 50026: Add support for mapping the default servlet to URLs
        other than /. (timw) |  |  | 50128: Improve exception handling in PersistentManagerBase
        when running with a security manager. (kkolinko) |  |  | 50131: Avoid possible NPE in debug output in PersistentValve.
        Patch provided by sebb. (kkolinko) |  |  | 50138: Fix threading issues in org.apache.catalina.security.SecurityUtil. (markt) |  |  | Add a new filter, org.apache.catalina.filters.CsrfPreventionFilter,
        to provide generic cross-site request forgery (CSRF)
        protection for web applications. (markt) |  |  | Make sure Contexts defined in server.xml pick up any configClasssetting from the parent Host. (markt) |  |  | 50222: Modify memory leak prevention code so it pins the
        system class loader in memory rather than than the common class loader,
        which is better for embedded systems. (schultz) |  |  | Make memory leak prevention code that clears ThreadLocal instances more
        robust against objects with toString()methods that throw
        exceptions. (markt) |  |  | 50282: Load javax.security.auth.login.ConfigurationwithJreMemoryLeakPreventionListenerto avoid memory leak
        when stopping a webapp that would use JAAS.
        (slaurent) |  |  | 50413: Ensure 304s are not returned when using static files
        as error pages. (markt) |  |  | 50453: Correctly handle multiple X-Forwarded-Forheaders in the RemoteIpValve. Patch provided by Jim Riggs. (markt) |  |  | 50459: Fix thread/classloader binding issues in
        StandardContext. (slaurent) |  |  | 50527: Improve an error message shown by HttpServlet. (markt) |  |  | 50556: Improve JreMemoryLeakPreventionListener to prevent
        a potential class loader leak caused by a thread spawned when the class com.sun.jndi.ldap.LdapPoolManageris initialized and the 
        system propertycom.sun.jndi.ldap.connect.pool.timeoutis 
        set to a value greater than 0. (slaurent) |  |  | 50642: Move the sun.net.www.http.HttpClientkeep-alive thread memory leak protection from the 
        JreMemoryLeakPreventionListener to the WebappClassLoader since the
        thread that triggers the memory leak is created on demand. (markt) |  | 
 | Coyote |  | 
    
      |  | 47913: Return the IP address rather than null for getRemoteHost()with the APR connector if the IP address
        does not resolve. (markt) |  |  | Avoid a NPE for APR connector unlockAccept with default soTimeout.
        (mturk) |  |  | 48545: Allow JSSE trust stores to be used without providing
        a password. Based on a patch by smmwpf54. (kkolinko) |  |  | 48738: Add support for flushing gzipped output. Based on a
        patch by Jiong Wang. (markt) |  |  | Avoid a NPE in the DeltaManager when a parallel request invalidates the
        session before the current request has a chance to send the replication
        message. (markt) |  |  | 48925: request.getLocalAddr()returnsnullwhen using the default Jk AJP/1.3 connector. (rjung) |  |  | 49497: Stop accepting new requests (inc keep-alive) once the
        BIO connector is paused and the current request has finished processing.
        (markt) |  |  | 49521: Disable scanning for a free port in Jk AJP/1.3
        connector by default. Do not change maxPortfield value of ChannelSocket
        in itssetPort()andinit()methods. Add
        support formaxPortattribute on aConnectorelement as a synonym forchannelSocket.maxPort. (kkolinko) |  |  | 49625: Ensure Vary header is set if response may be
        compressed rather than only setting it if it is compressed. (markt) |  |  | 49730: Fix race condition in StandardThreadExecutor that can
        lead to long delays in processing requests. Patch provided by Sylvain
        Laurent. (markt) |  |  | 49860: Add support for trailing headers in chunked HTTP
        requests. The header length is limited to 8192 by default and the limit
        can be changed via a system property. (markt/kkolinko) |  |  | 49972: Fix potential thread safe issue when formatting dates
        for use in HTTP headers. (markt) |  |  | 50072: NIO connector can mis-read request line if not sent in
        a single packet. (markt/kkolinko) |  |  | Improve recycling of processors in Http11NioProtocol. (kkolinko) |  |  | 50273: Provide a workaround for an HP-UX issue that can
        result in large numbers of SEVERE log messages appearing in the logs as
        a result of normal operation. (markt) |  |  | Make SSL certificate encoding algorithm consistent between connectors by
        using the JVM default for all connectors. This also fixes an issue with
        the NIO connector on IBM JVMs. (markt) |  |  | 50467: Protected against NPE triggered by a race condition
        that causes the NIO poller to fail, preventing the processing of further
        requests. (markt) |  | 
 | Jasper |  | 
    
      |  | 49217: Ensure that identifiers used in EL meet the
        requirements of the Java Language Specification. This check is off by
        default and can be enabled by setting a system property. (markt) |  |  | 49555: Correctly handled Tag Libraries where functions are
        defined in static inner classes. (markt) |  |  | 49665: Provide better information including JSP file name and
        location when a missing file is detected during TLD handling. Patch
        provided by Ted Leung. (markt) |  |  | 49985: Fix thread safety issue in EL parser. (markt) |  |  | 49986: Fix thread safety issue in JSP reloading. (timw)) |  |  | 49998: Make jsp:root detection work with single quoted
        attributes as well. (timw) |  |  | 50066: Compile a recursive tag file if it depends on a JAR.
        Patch provided by Sylvain Laurent. (markt) |  |  | 50078: Fix threading issues in EL caches and make cache sizes
        configurable. Threading patch provided by Takayoshi Kimura. (markt) |  |  | 50105: When processing composite EL expressions use Enum.name()rather thanEnum.toString()as
        required by the EL specification. (markt) |  |  | 50228: Improve recycling of BodyContentImpl.
        This avoids keeping a cached reference to a webapp-provided Writer
        used in JspFragment.invoke() calls. (kkolinko) |  |  | 50460: Fix memory leak in JspDocumentParser triggered by
        first access to a jspx page. (kkolinko) |  |  | 50500: Use correct coercions (as per the EL spec) for
        arithmetic operations involving string values containing '.',
        'e' or 'E'. Based on a patch by Brian Weisleder.
        (markt) |  | 
 | Cluster |  | 
    
      |  | 49343: When ChannelException is thrown, remove listener from
        channel. (kfujino) |  |  | Add Null check when CHANGE_SESSION_ID message received. (kfujino) |  |  | When a cluster node disappears when using the backup manager, handle the
        failed ping message rather than propagating the exception (which just
        logs the stack trace but doesn't do anything to deal with the failure).
        (markt) |  |  | 49905: Fix potential memory leak when using asynchronous
        session replication. (markt) |  |  | 49924: When non-primary node changes into a primary node,
        make sure isPrimarySession is changed to true. (kfujino) |  |  | Add support for maxActiveSessionsattribute to
        BackupManager. (kfujino) |  |  | Improve sending an access message in DeltaManager.
        Use maxInactiveIntervalnot of the Manager, but of the session. 
        IfmaxInactiveIntervalis negative, the access message is not
        being sent. (kfujino) |  |  | 50547: Add time stamp for CHANGE_SESSION_ID message and 
        SESSION_EXPIRED message. (kfujino) |  | 
 | Web applications |  | 
    
      |  | 49585: Update JSVC documentation to reflect new packaging
        of Commons Daemon. (markt) |  |  | Configure the Manager web application to use the new CSRF protection. To
        take advantage of this protection, the managerrole must be
        removed from all users and the newmanager-guiandmanager-scriptroles used instead. (markt) |  |  | Configure the Host Manager web application to use the new CSRF
        protection. To take advantage of this protection, the adminrole
        must be removed from all users and the newadmin-guiandadmin-scriptroles used instead. (markt) |  |  | 50303: Update JNDI how-to to reflect new JavaMail and JAF
        download locations and that JAF is now included in Java SE 6. (markt) |  |  | CVE-2010-4172: Multiple XSS in Manager application. (markt/kkolinko) |  |  | Improve Tomcat Logging documentation. (kkolinko) |  |  | 50242: Provide a sample log4j  configuration that more
        closely matches the default JULI configuration. Patch provided by
        Christopher Schultz. (kkolinko) |  |  | 50294: Add more information to documentation regarding format
        of configuration files. Patch provided by Luke Meyer. (markt) |  |  | Configure the Manager and Host-Manager web applications to use HttpOnly
        flag for their session cookies. (kkolinko) |  |  | 50316: Fix display of negative values in the Manager web
        application. (kkolinko) |  |  | Improve documentation of database connection factory. (rjung) |  | 
 | Other |  | 
    
      |  | 48716: Do not call reset if the default LogManager is in use.
        (markt) |  |  | Use native line endings for example Eclipse configuration files in
        source distribution. (markt) |  |  | 49428: Add a work-around for the known namespace issues for
        some Microsoft WebDAV clients. Based on the patch provided by
        Panagiotis Astithas. (kkolinko) |  |  | 49861: Fix formatting of log messages in JXM remote listener.
        Do not use commas when printing RMI port numbers. (markt) |  |  | 50140: Don't ignore a user specified install directory
        on 64-bit platforms when using the Windows installer. (markt) |  |  | 50552: Avoid NPE that hides error message when using Ant
        tasks. (schultz) |  |  | Numerous improvements to the Windows installer: update install/uninstall
        icons, create an installation log, allow 32-bit JVMs to be selected when
        installing on a 64-bit platform, replace the .ini files with the script
        equivalents, use the new manager and host-manager roles, provide the
        ability to edit the roles for the added user, add support for the /?command line switch, clean up fully after installation,
        add DetailPrint statements for operations that may take time and
        improve the descriptions of the components. (kkolinko, mturk, markt) |  | 
 | 
 | Tomcat 6.0.29 (jfclere) | released 2010-07-22 |  | 
  | Catalina |  | 
    
      |  | 48960: Add a new option to the SSI Servlet and SSI Filter to
        allow the disabling of the execcommand. This is now
        disabled by default. Based on a patch by Yair Lenga. (markt) |  |  | 49551: Allow default context.xml location to be specified
        using an absolute path. (markt) |  |  | 49598: When session is changed and the session cookie is
        replaced, ensure that the new Set-Cookie header overwrites the old
        Set-Cookie header. (markt) |  |  | Fix order when listing Webapp loader search URLs. (rjung) |  |  | Add support for *.jarpattern in VirtualWebappLoader.
        (kkolinko) |  | 
 | 
 | Tomcat 6.0.28 (jfclere) | released 2010-07-09 |  | 
  | Catalina |  | 
    
      |  | Arrange filter logic. (jfclere) |  |  | 49230: Enhance JRE leak prevention listener with protection
        for the keep-alive thread started by sun.net.www.http.HttpClient. Patch provided by Rob Kooper.
        (markt) |  |  | 49351: Fix possible NPE when embedding and no name is
        specified for the Service. (markt) |  |  | 49424: Avoid NPE if client provides no data with a chunked
        POST request. (markt) |  |  | 49414: Improve diagnostic of memory leaks.
        Differentiate between request threads and application
        created threads when warning about still running threads when an
        application stops. (markt) |  |  | 49443: Fix RemoteIpValve documentation. Use remoteIpHeader
        rather than remoteIPHeader consistently. (markt) |  |  | Add property searchExternalFirstto WebappLoader.
        If set, the external repositories will be searched before
        the WEB-INF ones. (rjung) |  | 
 | Cluster |  | 
    
      |  | 49445: When session ID is changed after authentication,
        ensure the DeltaManager replicates the change in ID to the other nodes
        in the cluster. (kfujino) |  | 
 | Web applications |  | 
    
      |  | 49213: Grant permissions required by manager application when
        running under a security manager. (markt/kkolinko) |  |  | 49436: Correct documented default for readonlyattribute of the UserDatabase component. (markt) |  | 
 | 
 | Tomcat 6.0.27 (jfclere) | not released |  | 
  | General |  | 
    
      |  | Update DBCP to 1.3. (markt) |  | 
 | Catalina |  | 
    
      |  | Fix CVE-2010-1157. Prevent possible disclosure of host name or IP
        address via the HTTP WWW-Authenticate header when using BASIC or DIGEST
        authentication. (markt) |  |  | Include context name when reporting memory leaks to aid root cause
        identification. (markt) |  |  | Improve exception handling on session de-serialization to assist in
        identifying the root cause of 48007. (kkolinko) |  |  | 48379: Make session cookie name, domain and path configurable
        per context. (markt) |  |  | 48589: Make JNDIRealm easier to extend. Based on a patch by
        Candid Dauth. (markt/kkolinko) |  |  | 48629: Allow user names as well as DNs to be used with the
        nested role search. Add roleNested to the documentation. Patch provided
        by Felix Schumacher. (markt) |  |  | 48661: Make error page behavior consistent, regardless of how
        the error page is defined. If a response has been committed, always
        include the error page. (markt) |  |  | 48729: Return roles defined by both userRoleName and roleName
        mechanisms. Patch provided by 'eric'. Also make user's role list
        immutable.(markt) |  |  | 48760: Fix potential multi-threading issue in static resource
        serving where multiple threads could try to use the same
        InputStream. (markt) |  |  | 48790: Fix thread safety issue in the count of the maximum
        number of active session. (markt/kkolinko) |  |  | 48793: Make catalina.sh more robust to different return
        values on different platforms. Patch provided by Thomas GL. (markt) |  |  | 48840: Swallow output (if any) from use of cd when determining
        $CATALINA_HOME in catalina.sh and tool-wrapper.sh scripts. Based on patch
        provided by mdietze. (markt/kkolinko) |  |  | 48895: Make clearing of ThreadLocals that are causing memory
        leaks on web application stop, reload or undeploy configurable since the
        process of clearing them is not thread-safe. (markt) |  |  | 48903: Fix deadlock in webapp class loader. (rjung) |  |  | 48971: Make stopping of leaking Timer threads optional and
        disabled by default. (markt) |  |  | 48976: Document JAVA_ENDORSED_DIRS in start-up scripts. Patch
        provided by Laurent Vaills. (markt) |  |  | 48983: Improve debug logging for situations when RemoteIpValveis bypassed. Patch provided by Cyrille Le
        Clerc. (markt) |  |  | 49018: Fix processing of time argument in the Expire sessions
        action in the Manager web application. (kkolinko) |  |  | 49116: If session is already invalid, expire session to
        prevent memory leak. (kfujino) |  |  | 49158: Ensure only one session cookie is returned for a
        single request. (markt/fhanik) |  |  | 49245: Fix session expiration check in cross-context
        requests. (markt) |  |  | 49398: ByteChunk.indexOf(String, int, int, int) could not
        find a string of length 1. (kkolinko) |  |  | Fix possible overflows when calculating session statistics. (kkolinko) |  |  | Log unexpected exceptions when providing access to web application
        resources in ApplicationContext. (kkolinko) |  |  | Improve exception handling in CatalinaShutdownHook. (kkolinko) |  |  | Expose properties of VirtualWebappLoader and WebappClassLoader via JMX.
        (rjung) |  | 
 | Coyote |  | 
    
      |  | 48839: Correctly handle HTTP header folding in the NIO
        connector. Patch suggested by Richa Baronia. (markt) |  |  | 48843: Prevent possible deadlock for worker allocation in
        connectors. (kkolinko) |  |  | 48843: Fix handling of add queues in AprEndpoint.Poller and
        AprEndpoint.Sendfile. Do not miss wakeups. (kkolinko) |  |  | 48862: Add support for the backlog parameter to the AJP
        connector. (pero/markt) |  |  | 48917: Correct name of mod_jk module in ApacheConfig. Patch
        provided by Todd Hicks. (markt) |  |  | 49095: AprEndpoint did not wakeup acceptors during shutdown
        when deferAccept option was enabled. Based on a patch provided by
        Ruediger Pluem. (kkolinko) |  |  | Use chunked encoding for http 1.1 requests with no content-length
        (regardless of keep-alive) so client can differentiate between complete
        and partial responses. (markt) |  |  | Correct the SSL session timeout attribute name so the code agrees with
        the documentation. (markt) |  |  | CoyotePrincipal now implements Serializable. (fhanik) |  |  | Enable the BIO AJP connector to run under a security manager. (markt) |  | 
 | Jasper |  | 
    
      |  | 45015: Correct a regression in quote handling caused by the
        re-factoring of attribute parsing. (markt) |  |  | 48701: Add a system property to allow disabling enforcement
        of JSP.5.3. The specification recommends, but does not require, this
        enforcement. (kkolinko) |  |  | 48737: Don't assume paths that start with /META-INF/... are
        always in JARs. This is not true for some IDEs. Patch provided by
        Fabrizio Giustina. (markt) |  |  | 49081: Correctly handle EL expressions of the form #${...}.
        (markt) |  |  | 49196: Avoid NullPointerException in PageContext.getErrorData()
        if an error-handling JSP page is called directly. (markt) |  | 
 | Cluster |  | 
    
      |  | 48717: When a node joins a cluster and it receives all the
        current sessions, ensure the sessionCreated event is fired if the
        Manager is configured to replicate session events. (markt) |  |  | 48934: Previous fix to handle dropped connections incorrectly
        permanently disabled session replication. (fhanik) |  |  | 49051: memberAlive is not called if member has not already
        existed in membership. (kfujino) |  |  | 49151: Avoid ClassCastException in BackupManager#stop.
        (kfujino) |  |  | 49170: Do not send duplicated session. (kfujino) |  |  | Add missing messages and ensure cluster listeners log messages to
        correct logger. (markt) |  | 
 | Web applications |  | 
    
      |  | Use underscores instead of spaces in anchor names in Tomcat
        documentation. (kkolinko) |  |  | Add support for displaying the Spring Security user name (if present) in
        the Manager application. (markt) |  |  | Improve the ChatServlet Comet example
        (/examples/jsp/chat/). (kkolinko) |  | 
 | Other |  | 
    
      |  | Update to Commons Daemon 1.0.2. Use service launcher (procrun)
      from the Commons Daemon release. Do not keep a copy of it in our source
      tree. (mturk/kkolinko) |  |  | Update to NSIS 2.46. (kkolinko) |  |  | 48990: Fix the skip.installerbuild property
        so if set, only the Windows installer is skipped. (markt) |  |  | 49178: Provide in catalina.policy an example of additional
        permissions that might be needed for code located in $CATALINA_BASE/lib. (markt) |  |  | 49236: Do not use indexing when packing Tomcat JARs.
        (kkolinko) |  |  | Remove unused code from org.apache.tomcat.util.buf classes. (kkolinko) |  |  | Rearrange tomcat-juli.jar permissions and wrap long lines in the conf/catalina.policyfile, to make the text more readable
        when cited in documentation. (kkolinko) |  |  | Do not evaluate the execute.installerproperty when building
        a release. Theskip.installerproperty is used instead.
        (kkolinko) |  | 
 | 
 | Tomcat 6.0.26 (jfclere) | released 2010-03-11 |  | 
  | Catalina |  | 
    
      |  | Close security hole in unreleased 6.0.25 by ensuring new find leaks
        functionality is protected by a security constraint. (kkolinko) |  |  | 48831: Improve logging shutdown behaviour. Use Catalina's
        shutdown hook to shutdown JULI. This enables them to be shutdown in the
        correct order. Do not shutdown global handlers several times.
        (markt/kkolinko) |  | 
 | Coyote |  | 
    
      |  | 48584: Prevent the APR connector logging an error if the
        acceptor fails during shutdown since this is expected. (mturk) |  |  | 48660: Using compression should not overwrite any Vary header
        set by a web application. (markt) |  | 
 | Jasper |  | 
    
      |  | 48371: Ensure generated servlet mappings are inserted at the
        correct location when using JspC and allow the option that controls this
        to be configured on the command line. Also allow the encoding of web.xml
        to be configured when using JspC and deprecate some unused JspC methods.
        (markt/kkolinko) |  |  | 48498: Avoid ArrayIndexOutOfBoundsException triggered by a
        Java 6/7 XML parser bug. (markt/kkolinko) |  |  | 48668: Additional fixes to ensure deferred syntax is handled
        correctly. (kkolinko) |  |  | 48827: Correct a regression in the fix for 47977
        that caused an incorrect non-empty body error to be reported for valid
        JSP documents. (markt) |  | 
 | Web applications |  | 
    
      |  | Make changelog.xml be directly rendered as HTML by certain browsers.
        (kkolinko) |  |  | Add support for automated generation of TOC tables and for links to svn
        revisions to tomcat-docs.xsl in documentation. (kkolinko/fhanik) |  |  | Move Manager application JSPs that are not intended to be accessed
        directly under the WEB-INF directory. (kkolinko) |  |  | Improve the messages displayed by the find leaks diagnostic in the
        Manager application. (kkolinko) |  | 
 | Other |  | 
    
      |  | Encode all property files using ascii escaped UTF-8. Also fixes
        deployment problem when using French locale. (jfclere/rjung) |  | 
 | 
 | Tomcat 6.0.25 (jfclere) | not released |  | 
  | Catalina |  | 
    
      |  | 48039: Return immediately if start() is called on an already
        started StandardService. (markt) |  |  | 48109: Ensure InputStream is closed on error condition in web
        application class loader. (markt) |  |  | 48179: Clean up dead code that was used to read tldCache
        file. (kkolinko) |  |  | 48318: Handle case where WebDAV resource is in directory
        listing but is not accessible. (markt) |  |  | 48384: Add a per context xslt option for directory listings.
        Make the fallback options work as described in the documentation.
        (markt) |  |  | 48577: Filter URL when displaying missing included page.
        (markt) |  |  | 48612: Prevent exception on shutdown if the address attribute
        is specified for a connector. (markt) |  |  | 48613: Further fixes to ensure APRLifecycleListener is only
        used if defined in server.xml. (fhanik) |  |  | 48614: Correct JULI log file buffering so default behaviour
        is no buffering. (fhanik) |  |  | 48625: Provide an option to exit if an error occurs during
        the initialization phase. (fhanik) |  |  | 48645: Use specified encoding rather than null in calls to RequestUtil.URLDecode(byte[] bytes, String enc)(markt) |  |  | 48653: Force request.secure and request.scheme to falseandhttpif the X-Forwarded-Proto header
        has the value http. Patch provided by Cyrille Le Clerc. (markt) |  |  | 48678: Remove duplicate server field from org.apache.catalina.startup.Catalina. (markt) |  |  | 48694: Remove potential deadlock in web application class
        loader. (markt) |  |  | 48716: Provide additional configuration options for JULI.
        (markt) |  |  | 48726: Prevent OOME when uploading large WAR files with the
        deployer. Patch provided by adam. (markt) |  |  | Improve memory leak protection by safely stopping threads started via java.util.Timerthat an application starts but fails to
        stop and by clearing references retained due to the use ofjava.util.ResourceBundle. (markt) |  |  | Modify ThreadLocal memory leak detection to not report false positives
        and to simplify implementation. (markt/kkolinko) |  |  | Basic memory leak detection was added to the standard Host
        implementation and exposed via JMX to detect memory leaks on web
        application reload. (markt/kkolinko) |  | 
 | Coyote |  | 
    
      |  | Update the native/APR library version bundled with Tomcat to 1.1.20.
        (kkolinko) |  | 
 | Jasper |  | 
    
      |  | Add some debug logging to the compiler where exceptions were previously
        swallowed. (markt) |  |  | 48170: Remove unnecessary synchronization that is causing
        issues under load. (markt) |  |  | 48580: Prevent AccessControlException if first access is to a
        JSP that uses a FunctionMapper. (markt) |  |  | 48582: Avoid NPE on background compilation failure. (markt) |  |  | 48616: Don't declare or synchronize scripting variables for
        JSP fragments since they are scriptless. This is an alternative fix for
        42390 that avoids both the original problem and the
        regression in the first fix. (kkolinko) |  |  | 48627: Fix regression in re-factored EL parsing. Keep
        literals as literals and handle deferredSyntaxAllowedAsLiteral.
        (kkolinko) |  |  | 48668: When parsing JSPs only parse EL as EL if EL is enabled
        else strings such as ${ will be silently dropped. (markt) |  |  | Various EL TCK failures. (markt) |  | 
 | Cluster |  | 
    
      |  | Force a disconnect if an error occurs during replication such as
        a firewall dropping the connection. (fhanik) |  | 
 | Web applications |  | 
    
      |  | Add new "Find leaks" command to the Manager application. It allows to
        detect web applications that have caused memory leaks on stop,
        reload or undeploy. (markt/kkolinko) |  | 
 | Other |  | 
    
      |  | Ensure files in conf directory have CRLF line endings when using the
        Windows installer. (kkolinko) |  |  | Allow special characters recognized by the Windows command-line shell to
        be present in the names of CATALINA_HOME/_BASE and the current directory
        used to call the Tomcat scripts. (kkolinko) |  |  | Don't use @Deprecated annotations in javax.servlet.jsp.JspContextsince the specification does
        not include them in the API definition. (markt) |  |  | Improve the information in the JAR manifest files. (markt) |  | 
 | 
 | Tomcat 6.0.24 (jfclere) | released 2010-01-21 |  | 
  | Catalina |  | 
    
      |  | Correct TCK failures with security manager caused by the original fix
        for 47774. (markt) |  | 
 | Other |  | 
    
      |  | Remove broken link in README.html. (jfclere) |  |  | Add .noticefiles to the set of files that have their line
        endings changed. (markt) |  |  | .zipdistributions should have windows line endings.
        (markt) |  | 
 | 
 | Tomcat 6.0.23 (jfclere) | not released |  | 
  | Catalina |  | 
    
      |  | 47774: Ensure web application class loader is used when
        calling session listeners. (markt) |  |  | 48006: Add additional information to the optional
        X-Powered-By header to align with the content suggested in the Servlet
        specification. (markt) |  |  | 48345: Sessions timed out too early when using
        PersistentManager. Patch provided by Keiichi Fujino. (markt) |  |  | 48398: Make objects used as locks final to ensure correct
        operation. Patch provided by sebb. (markt) |  |  | 48417: Update French translations. Patch provided by André
        Warnier. (markt/kkolinko) |  |  | 48421: Fix file descriptor and potential memory leak when a
        web application uses a local logging.properties file. Allow a web
        application's log files to be deleted once the web application has been
        stopped. (markt) |  |  | 48454: Ensure stderr is completely read before terminating
        the CGI process. Patch provided by Markus Grieder. (markt) |  |  | 48516: Prevent NPE in JNDIRealm if requested user does not
        exist. Patch provided by Kevin Conaway. (markt) |  |  | Fix implementation of log buffer size and provide a cleaner interface.
        (fhanik/kkolinko) |  | 
 | Coyote |  | 
    
      |  | Update version of native bundled in Windows installer to 1.1.19. (mturk) |  |  | Update recommended version for native to 1.1.19. (rjung) |  |  | 48004: All web applications to set the http Serverheader. (markt) |  |  | 48470: Ensure Tomcat does not lock up if shut down under
        load. (markt) |  | 
 | Jasper |  | 
  
    |  | 47977: Using a body with a tag that has an empty body should
      cause an error. (markt) |  |  | 48112: Correct handling of } character in literals when parsing
      expressions. This also improves the fix for 47413. (markt) |  | 
 | Web applications |  | 
    
      |  | 48530: Add information on the Manager Server Status page to
        the Manager How-To in the documentation webapp. Based on a patch by
        Arnaud Espy. (markt) |  |  | 48532: Add information to the BIO/NIO SSL configuration page
        in the documentation web application to specify how the defaults for the
        various trust store attributes are determined. (markt) |  | 
 | Other |  | 
    
      |  | Remove hard coded version numbers and instead apply version filter
        already defined in ant scripts. (rjung) |  |  | 47609: Correct regression in previous fix. (markt) |  |  | 48464: Provide an option to specify the command window title
        in catalina.bat on Windows. Patch provided by LiuYan. (markt) |  |  | Add some missing deprecation markers for javax.servlet.jsp.JspContext. (markt/kkolinko) |  | 
 | 
 | Tomcat 6.0.22 (jfclere) | not released |  | 
  | Catalina |  | 
    
      |  | Log errors if a web application starts a thread but fails to stop the
        thread when the web application stops or is reloaded. Failure to stop a
        thread is very likely to result in a memory leak. (markt) |  |  | Provide an option to stop any threads a web application starts but fails
        to stop when the web application stops or is reloaded. Using this option
        is very likely to result in instability and should be viewed as a last
        resort in development and is not recommended at all in production.
        (markt) |  |  | Log errors if a web application creates a ThreadLocal but fails to clear
        it when the web application stops or is reloaded. Failure to clear a
        ThreadLocal is very likely to result in a memory leak. (markt) |  |  | Clear any unintentional references remaining in sun.rmi.transport.Targetwhen the web application stops or
        is reloaded. Failure to clear these is very likely to result in a memory
        leak. (markt) |  | 
 | Coyote |  | 
    
      |  | Remove unneeded line from the method that normalizes decodedURI.
        (kkolinko) |  | 
 | Other |  | 
    
      |  | Correct MD5 generation in the build process. (jfclere/kkolinko) |  |  | 47609: Provide fail-safe EOL conversion for build process.
        Based on patches by sebb/kkolinko. (markt) |  | 
 | 
 | Tomcat 6.0.21 (jfclere) | not released |  | 
  | Catalina |  | 
    
      |  | Fix issues with expression language when running under a
        SecurityManager. (markt) |  |  | Remove duplicate mime-mapping entries in web.xml. Re-order entries
        alphabetically to make it easier to identify duplicates. (markt) |  |  | Use a more sensible default (webapps) for a Host's appBase.
        (markt/idarwin) |  |  | 37794: Support the parsing of parameters from chunked POSTs.
        (markt) |  |  | 37984: Strip {MD5} as well as {SHA} if present in digest
        passwords in LDAP directories. (markt) |  |  | 38352: Allow JSPs to write to the directory defined by javax.servlet.context.tempdirwhen running under a security
        manager. (markt) |  |  | 39231: Call LoginContext.logout() when using JAAS realm and
        session expires. (markt/kkolinko) |  |  | 40380: Fix potential synchronization issue in
        StandardSession.expire(). (markt) |  |  | 41059: Reduce chances of errors when ENABLE_CLEAR_REFERENCES
        is used. Patch provided by Curt Arnold. (markt) |  |  | 43343: Fix additional concurrency issues identified with the
        persistent session manager. (markt) |  |  | 44041: Fix threading issue in WebappClassLoader that can lead
        to duplicate class definition under high load. (markt/fhanik) |  |  | 44943: Use the same engine name in server.xml comments to
        reduce copy and pastes issues. (markt/kkolinko) |  |  | 45255: Provide protection against session fixation by
        changing session ID automatically on authentication. (markt/kkolinko) |  |  | 45403: Add additional checks on web application deployment
        and do not swallow IO errors. (kkolinko) |  |  | 45785: Additional fix required for the extension validator.
        Based on a patch by Rolf Wojtech. (markt) |  |  | 46908: Try and support java encoding names when using an xml
        parser provided via the endorsed mechanism. (markt) |  |  | 46967: Better handling of errors when trying to use
        Manager.randomFile. Based on a patch by Kirk Wolf. (markt) |  |  | 47046: Unregister all MBeans, including when non-default
        engine names are used. (markt) |  |  | Use native2ascii to ensure non-ASCII characters in property files are
        handled correctly in all circumstances. (markt) |  |  | 47050: Remove unnecessary filtering of error messages.
        (markt) |  |  | 47080: Fix NPE in RealmBase when uri is null. (markt) |  |  | 47158: Fix some thread safety issues in the AccessLogValve.
        (markt) |  |  | 47228: Correct French translations. Patch provided by sebb.
        (markt) |  |  | 47299: Simplify code and make embedding easier. (markt) |  |  | 47316: Allow different values for Service name and Engine
        name. This corrects a regression introduced by the fix for
        42707. (markt) |  |  | 47343: Editing context.xml for a directory should not delete
        the directory. This was a regression caused by the fix for
        42747. (markt) |  |  | 47364: Improve Javadoc for
        org.apache.catalina.connector.Request.getAttributeNames() to include
        information on the handling of Tomcat's internal request attributes.
        (markt) |  |  | 47451: Don't throw an NPE if the various response.setHeader()
        methods are called with null header name, zero length header name or
        null value. Silently ignore the calls in the same way they are ignored
        if the response has already been committed. (markt) |  |  | 47462: Allow individual web applications to override metadata
        complete if set in the global web.xml. Patch provided by Keiichi Fujino.
        (markt) |  |  | 47495: Provide a more meaningful error message is server.xml
        is not readable and exit immediately if a server cannot be created.
        (funkman/kkolinko) |  |  | 47518: Correct reference in Valve Javadoc that referred to an
        old method. Patch provided by Christopher Schultz. (markt) |  |  | 47537: Return an error page rather than a zero length 200
        response if the forward to the login or error page fails during FORM
        authentication. (markt) |  |  | 47718: Fix file descriptor leak on context stop/reload. Patch
        provided by George Sexton. (markt) |  |  | 47796: Fix OpenEJB integration. Reset annotation processor on
        context stop. (markt) |  |  | 47826: Correct error in debug message in
        org.apache.catalina.Bootstrap (markt) |  |  | 47836: Clear cached TLD information on context reload.
        (markt) |  |  | 47841: When using the CombinedRealm, if one of the nested
        Realms fails to start, skip that Realm rather than preventing the
        CombinedRealm from starting. (markt) |  |  | 47881: Fix processing of startd and stopd arguments. Patch
        provided by Qingyang Xu. (kkolinko) |  |  | 47918: Correct mbean descriptors for the host deployer. Patch
        provided by Uwe Günther. (markt) |  |  | 47930: Fix thread safety issues on session swap-in in the
        persistent session manager. (markt/kkolinko) |  |  | 47976: Correct usage message and Javadoc for org.apache.catalina.startup.Catalina. (markt) |  |  | 47997: Ensure the NamingContextListener applies to all naming
        contexts, not just the global one. Patch provided by Michael Allman.
        (markt) |  |  | 48049: Fix copy and paste error so NamingContext.destroySubContext()works correctly.
        Patch provided by gingyang.xu (markt) |  |  | 48097: Make WebappClassLoader to do not swallow
        AccessControlException. (kkolinko) |  |  | 48097: Avoid throwing an AccessControlException which can
        lead to a NoClassDefFoundError on first access of first jsp.
        (kkolinko/markt) |  |  | 48257: Correct error in Spanish translations. Patch provided
        by Guillermo Gutiérrez. (markt) |  |  | 48306, 48307: Correct French translations. Patches
        provided by Marc Paquette. (markt) |  |  | 48322: Single quote characters are not HTTP separators and
        should not be treated as such in the cookie handling. (markt) |  |  | 48413: Correct some French translations. Patch provided by
        André Warnier. (markt) |  |  | Deprecate the caseSensitiveoption on theStandardContextwhich will be removed in Tomcat 7 onwards.
        (markt) |  |  | Log deployments consistently for WAR, directory and descriptor
        deployments. (markt) |  |  | Better logging for parameter decoding issues to help identify broken
        requests. (markt) |  |  | Update Apache Commons Pool from 1.4 to 1.5.4. This update includes
        various fixes to prevent deadlocks, reduces synchronization and makes
        object allocation occur fairly - i.e. objects are allocated to threads
        in the order that the threads request them. This update fixes a number
        of issues in Tomcat's built-in copy of DBCP. (markt) |  |  | Allow log file encoding to be configured for JULI FileHandler. (kkolinko) |  |  | Provide debug logging for JNDI lookups. (markt) |  |  | Correct JDBC driver de-registration on web application stop and fix NPE
        that is exposed by the fix. (markt) |  |  | Ensure JDBC driver de-registration works with a security manager.
        (markt) |  |  | 48214: Ensure JDBC driver de-registration is not too zealous.
        (markt) |  |  | Various JNDI realm improvements for Active Directory. These include the
        ability to specify a default role, optional handling for nested roles
        and an option to ignore PartialResultExceptions (markt). |  |  | Expose Servlet Filters via JMX. Based on a patch by Xie Xiaodong as part
        of GSOC2009. (markt) |  |  | Tomcat now uses the Platform MBean server by default so all MBeans
        registered by Tomcat will be exposed via JMX (eg via JConsole) without
        requiring any additional configuration. (markt) |  |  | The JMX Remote Lifecycle Listener allows the ports used by JMX to be
        fixed, making it easier to configure firewalls to all JMX traffic to
        pass through. Part of the extras package. (markt) |  |  | Make context deployment error message for fixDocBase() more meaningful.
        (markt) |  |  | Add an additional permission required by JULI when running under newer
        JDKs and a security manager. (markt) |  |  | Remove unnecessary reference to tomcat-coyote.jar from the bootstrap JAR
        manifest. (kkolinko) |  |  | Use correct method to create URLs in VirtualWebappLoader. (kkolinko) |  |  | Provide a new listener to protect against a memory leak caused by a
        change in the Sun JRE from version 1.6.0_15 onwards. Also include
        protection against locked JAR files, memory leaks triggered by
        XML parsing and the GC Daemon. (markt) |  |  | Don't swallow exceptions in ApplicationContextFacade.doPrivileged()
        (kkolinko) |  |  | Close resource stream in WebappClassLoader after read error. (pero) |  |  | Include attribute name into the text of Non-serializable exception
        that might be thrown by Session.setAttribute() in distributable
        applications. (mturk) |  |  | Add RemoteIpValve, a port of mod_remoteip. Patch provided by Cyrille Le
        Clerc. (markt) |  |  | Allow per instance configuration of JULI or log4j for core Tomcat
        logging when using CATALINA_BASE. (markt/kkolinko) |  |  | Prevent NPE in JULI during shutdown when resources try to log messages
        after JULI has been shutdown. (fhanik/kkolinko) |  |  | Make the JULI FileHandler easier to extend. (fhanik) |  |  | Make buffer size for FileHandler configurable. (fhanik) |  |  | Make JULI FileHandler thread safe. (fhanik) |  |  | Provide an option to disable buffering in the JULI FileHandler.
        (kkolinko) |  |  | Ensure log messages are not lost on shutdown. (markt) |  |  | 44679: Provide an option to allow the equals character in
        unquoted cookie values. (markt) |  |  | Add support for a connectionTimeout parameter to the JNDIRealm. (markt) |  |  | Various (un)deployment related improvements including better handling of
        failed (un)deployment, additional checking for valid zip entries that
        don't make sense in a WAR and improved validation of WAR file names.
        (markt) |  | 
 | Coyote |  | 
    
      |  | Implement socket.unlockTimeoutattribute for NIO connector. |  |  | Update version of native bundled in Windows installer
        to 1.1.18. (kkolinko) |  |  | Update minimum required version for native to 1.1.17. (rjung) |  |  | 46950: Fix doing SSL renegotiation when a resource with CLIENT-CERT
        auth is requested. (markt) |  |  | Align tcnative native and Java method names. (rjung) |  |  | Dont report thread count from connector if an external executor is used. |  |  | 39637: Enable the AJP connectors to correctly handle client
        certificate chains. Patch by Patrik Schnellmann. (markt) |  |  | 46985: Clean up code and remove impossible condition.
        (markt/kkolinko) |  |  | 47225: Fix error in calculation of a buffer length in the
        mapper. (markt) |  |  | 47320: Don't rely on the platform default encoding being
        suitable to parse the session ID. (markt) |  |  | 47499: Don't swallow bind exceptions. (markt) |  |  | 47744: Prevent a medium term memory leak if using SSL with
        the JSSE provider and also using a security manager. Based on a patch by
        Greg Vanore. (markt) |  |  | 47963: Ensure that any HTTP status messages are compliant
        with RFC2616. (markt/kkolinko) |  |  | 47987: Limit size of not found resources cache. (markt) |  |  | 48009: Protect against the situation where editing a
        context.xml file may result in the file disappearing for a very short
        time. (markt) |  |  | Use correct connector attribute (SSLEnabled) rather than secure to
        determine if SSL should be used. (fhanik) |  |  | Provide a workaround for CVE-2009-3555, the TLS renegotiation issue, for
        the default Blocking IO Java connector. |  |  | 48252: Fix stack overflow exception when setting jkHome on
        NIO connector. (fhanik) |  |  | 48311: Only the APR lifecycle listener should try and
        initialise APR. (markt) |  | 
 | Jasper |  | 
    
      |  | 38797: Fix a regression in the previous patch for
        37933. (markt) |  |  | 38897: Add uri of broken TLD to error message to aid
        debugging. (markt) |  |  | 41661: Fix thread safety issue with JspConfig.init() (markt) |  |  | 41824: Need to use canonical rather than binary form when
        writing code. (markt) |  |  | 42390: Fix compilation issue with some nested tag files and
        simple tags. (kkolinko/markt) |  |  | 43656: Correctly coerce nullto zero when the
        target type isNumber. (markt) |  |  | 46907: Don't swallow input stream when debug logging is
        enabled. (markt) |  |  | 47318: Process directives found in include preludes and
        codas. (markt) |  |  | 47331: Treat uninterpreted tags as template text for JSP.2.2.
        (markt) |  |  | 47413: Ensure expressions of the form "${a}${b}"
        are correctly coerced to String. (kkolinko) |  |  | 47453: Handle void return types for deferred methods.
        (funkman) |  |  | Remove the code that auto-detects the value for compilerSourceVM,
        compilerTargetVM options of Jasper, because we know that this version
        of Tomcat cannot run on JDK 1.4 and thus the value is always "1.5".
        (kkolinko) |  |  | Change default values for JDK version compliance options of JspC
        (-source and -target when running from command line)
        to be "1.5", to be the same as the ones used by Jasper servlet.
        (kkolinko) |  |  | Make constants in the TagHandlerPool really constant. (markt) |  |  | When development mode is enabled and a JSP is deleted, ensure next
        request for that JSP is consistent with the JSP having been removed.
        (markt/kkolinko) |  |  | 48019: Be more careful about skipping content that does not
        need to be parsed. (markt) |  |  | Better handling of exception in JSP if parsed JSP source is not
        available. (markt) |  | 
 | Cluster |  | 
    
      |  | DeltaSession needs endAccess so that CrossContext replication works. (pero) |  |  | DeltaManager needs to replicate changed attributes even if session
        gets invalidated. Otherwise session listeners will not see the right
        data on the secondary nodes. (rjung) |  |  | Spurious startup errors during session transfer.
        Sessions get transferred, but node still waits until timeout. (rjung) |  |  | Perform deserialization events with context class loader. (fhanik) |  |  | 47515: Correctly replicate timestamp during startup. (fhanik) |  |  | 47478: Call replication listeners when using BackupManager. (fhanik) |  |  | 47369: Reset data diff after replication. (fhanik) |  |  | 40551: Enable the JvmRouteBinderValve to work with
        PersistentManagers as well as clustering. Based on a patch by Chris
        Chandler. (markt) |  |  | 47342: Fix potential NPE on replicated context start. Patch
        provided by Keiichi Fujino. (markt) |  |  | 47389: DeltaManager doesn't do session replication if
        notifySessionListenersOnReplication=false.
        Patch by Keiichi Fujino. (fhanik) |  |  | 47502: Don't replicate session attributes known not to be
        serializable. (funkman) |  |  | 47554: Include httpOnly attribute when re-writing session
        cookie after fail over. (markt) |  |  | 47799: Enable the domain to be configured for Membership and
        DomainFilterInterceptor. Patch provided by Keiichi Fujino. (markt) |  |  | 48113: Display IP addresses using 0 to 255 rather than -128
        to +127. Based on a patch by Quintin Beukes. (fhanik/kkolinko) |  | 
 | Web applications |  | 
    
      |  | 41564: Add some documentation on installing Tomcat as a
        service on operating systems with User Account Control, e.g. Vista.
        (markt) |  |  | 47161: Report thread count correctly in Manager when executors
        are used and return -1 when it can not easily be determined. (markt) |  |  | 47235: Remove use of autoReconnect from MySQL examples.
        (markt) |  |  | 47324: Fix submit URL for session list page so it works
        behind a reverse proxy. Patch provided by Maik Jablonski. (markt) |  |  | 47425: Add crlFile attribute to the SSL configuration
        documentation. (markt) |  |  | 47444: Remove Jakarta references from the documentation.
        (markt) |  |  | 47656: Add information to documentation on system property
        replacement in configuration files. (markt) |  |  | 47705: Fix division by zero error in the manager when trying
        to expire sessions when the session timeout is set to infinite.
        (funkman) |  |  | Fix display of session information pages of Manager application
        in Internet Explorer. (kkolinko) |  |  | Do not reuse windows (tabs) for session detail pages in Manager
        application. (kkolinko) |  |  | 47769: Clarify the JNDI docs with respect to use of
        <resource-ref> and related elements, specifically when they are
        required and when they may be omitted. (markt) |  |  | 48381: Add information on how Tomcat treats host names to the
        host configuration documentation. (markt) |  | 
 | Other |  | 
    
      |  | 37847: Make location and filename of catalina.out configurable
        in catalina.sh. (fhanik) |  |  | 37848: Re-fix not outputting info messages when there is no
        terminal. (markt) |  |  | 39194: Make classpath configuration consistent in the startup
        scripts. (markt/kkolinko) |  |  | Update Tomcat Windows service application (procrun) to version 2.0.5.
        It contains a fix for issue 41538 (mturk) |  |  | 40786: Include 64-bit Windows service wrapper in
        distributions. Update the Windows installer to automatically use the
        correct binary on 64-bit machines. (markt) |  |  | Update Windows Installer to use NSIS 2.45. They say that this version
        provides support for the upcoming Microsoft Windows 7. (kkolinko) |  |  | Don't add blank lines to end of files when fixing line-endings for
        tar.gz distribution. (markt) |  |  | Use explicit encoding during filtering operations when building Tomcat
        for distribution. (kkolinko) |  |  | Remove references to unused commons-collections from the build scripts.
        (markt) |  |  | Fix download task check for commons-pool and commons-dbcp in the
        build scripts. (kkolinko) |  |  | Include deployer-howto.html into the deployer distributive. (kkolinko) |  |  | 47149: Build scripts: Explicitly specify encoding when
        compiling. (kkolinko) |  |  | 47267: Ensure release notes displayed by Windows installer
        have CRLF line-endings regardless of which OS the install package is
        built on. (markt/kkolinko) |  |  | Include NOTICE, LICENSE and manifest files in all Tomcat JARs and add a
        mechanism to the build process to enable these files to be customised
        per JAR as required. (markt) |  |  | 47699: Provide better handling of PID files. (markt) |  |  | 47824: Make Servlet API an optional dependency for JULI when
        using Maven. (markt) |  |  | Add support for per instance (using $CATALINA_BASE) log4j.properties
        files, JDBC drivers etc by adding ${catalina.base}/lib and
        ${catalina.base}/lib/*.jar to the start of the common loader class
        path. (markt) |  |  | Correct CVE-2009-3548. When installed via the Windows installer and
        using defaults, don't create an administrative user with a blank
        password. Additionally, the administrative user is only created if the
        manager or host-manager web applications are selected for installation.
        (markt) |  |  | Further improvements to the administrative user name and password
        handling in the Windows installer. (kkolinko) |  | 
 | 
 | Tomcat 6.0.20 (remm) | released 2009-06-03 |  | 
  | Catalina |  | 
    
      |  | 42579: Handle both relative and absolute search results in
        the JNDIRealm. Patch provided by Brandon DuRette. (markt) |  |  | 46562: Close shtml files after processing to allow other
        processes to modify the files. (markt) |  |  | 46815: Make the MemoryUserDatabase read-only by default.
        (markt) |  |  | 46816: Align session manager mbean descriptor with
        implementation. (markt) |  |  | Fix a typo in the OPTIONS response from the default servlet. (markt) |  |  | 46822: Remove unnecessary object creation from
        StandardContext. Patch provided by Anthony Whitford. (markt) |  |  | 46866: Better initialisation of Random objects. (markt) |  |  | 46875: Catch and handle possible IllegalStateExceptions
        in CometConnectionManagerValve related to session expiration. (markt) |  |  | Correct some errors reported when testing the WebDAV servlet with the
        Litmus test suite. (markt) |  |  | 46933: Update StringManager to use Java 5 features. Patch
        provided by Jens Kapitza. (markt) |  |  | 46990: Fix synchronization issues reported by FindBugs. Patch
        provided by Sebb. (markt) |  | 
 | Coyote |  | 
    
      |  | Allow huge request body packets for AJP13. (rjung) |  |  | 45026: Never return an empty HTTP status reason phrase.
        mod_jk and httpd 2.x do not like that. (rjung) |  |  | Set remote port for AJP connectors from the optional request
        attribute AJP_REMOTE_PORT. (rjung) |  |  | Update tc-native to 1.1.16 (markt) |  |  | 46982: Correct reporting of DST offset in access logs.
        (markt) |  |  | 46984: Invalid characters in HTTP request method now result
        in a 400 response. (markt) |  |  | 46991: Fix AJP connector always reporting bytes received as
        zero. (markt) |  | 
 | Jasper |  | 
    
      |  | 37929: Fix invalidated session causing pageContext methods to
        fail. (markt) |  |  | 41606: Prevent double initialisation of JSPs. Patch provided
        by Chris Halstead. (markt) |  |  | 46354: ArrayIndexOutOfBoundsException when using
        org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER=true
        Patch provided by Konstantin Kolinko. (markt) |  |  | 46909: Only include semi-colon in type attribute for
        <jsp:plugin> when it is required. (markt) |  |  | 47013: Use system property rather than hard-coded string for
        pre-compilation flag. (markt) |  | 
 | Cluster |  | 
    
      |  | A node should ignore its own heartbeat messages. (rjung) |  | 
 | Web applications |  | 
    
      |  | 46509: Use correct link on error page in JSP security
        example. Patch provided by Michael Moody. (markt) |  |  | 46599: Document known DAEMON issue. (markt) |  |  | 46807: Correct docs for configuration of tag pooling. (markt) |  |  | 46924: Clarify behaviour when auto deployment is enabled and
        a WAR, directory or context file is deleted or updated. (markt) |  |  | 46958: All xml manager status output to work regardless of
        context path. (markt) |  | 
 | Other |  | 
    
      |  | 46351: Refactor the build script. Patch provided by Marc
        Guillemot. (markt) |  |  | 46910: Properties files corrupted by build process. (remm) |  |  | 46915: When resolving ResourceBundle properties, don't claim
        to have resolved the property unless we really have resolved it. (markt) |  |  | Fix .pdf and .exe corruption in -src.tar.gz distribution. (markt) |  |  | Enable running Tomcat directly from the build directory on linux
        systems. (markt) |  | 
 | 
 | Tomcat 6.0.19 (remm) | not released |  | 
  | Catalina |  | 
    
      |  | Manager application prints FAIL if application was deployed but failed to start (fhanik) |  |  | When shutdown port is disabled, print user friendly message and not a stack trace. (fhanik) |  |  | 37458: Correct sync issue that leads to NPE in rare
        circumstances. Patch provided by Konstantin Kolinko. (markt) |  |  | 38553: Return 401 rather than 400 if client does not present
        a certificate CLIENT-CERT authentication. (markt) |  |  | 38570: When checking docBase against appBase, make sure we
        check for an exact match against the appBase. (markt) |  |  | 39013: When testing for invalid docBase, test for an exact
        match with the appBase dir. (markt) |  |  | 39396: Don't include TRACE in OPTIONS response unless we
        know it hasn't been disabled in the connector. (markt) |  |  | 42747: Ensure context.xml takes effect on first deployment
        for WAR and DIR deployments. context.xml is now copied to
        CATALINA_BASE/<engine name>/<host name> for DIR as well as
        WAR deployments. (markt) |  |  | 43071: Start poller before acceptor (r719267) |  |  | Fix read/write timeout of async comet operations
        (r719264) |  |  | Implement async close behaviour for Comet/NIO.
        No-op for APR (same behavior as before)
        (r719262) |  |  | Default thread count for HTTP connectors is 200. (r713186) |  |  | Comet should always invoke END and properly invoke READ (r713174) |  |  | Fix class cast exception when shutting down a replicated context but no cluster has been configured in server.xml (r713177) |  |  | Dererence socket when its no longer used. Frees up socket buffers and memory. No functional change. (r713175) |  |  | Correct wrong "No role found" debug message,
        logged in RealmBase even if a role was found. (rjung) |  |  | 44809: Improve AprLifecycleListener Error Messages. (jfclere) |  |  | Log AccessControlException for context specific logging.properties
        during startup with security manager. (rjung) |  |  | 41407: Add CLIENT-CERT support to the JAAS Realm. (markt) |  |  | 42409: Make custom and standard error page handling
        consistent by using resetBuffer() which will not alter previously set
        headers. (markt) |  |  | 42673: Fix SSI virtual includes for multi-level contexts.
        Patch provided by Peter Jodeleit. (markt) |  |  | 42707: Make adding a host alias via JMX take effect
        immediately. (markt) |  |  | 43656: Correct regression in previous fix for this bug. Patch
        provided by Nils Eckert. (markt) |  |  | 45419: Set Accept-Ranges for static resources served by
        DefaultServlet. (markt) |  |  | 45441: Correctly map filters for FORWARD and INCLUDE. (markt) |  |  | 45447: Convert Spanish resource files to use UTF-8 and provide
        translations where previously missing. Patch provided by Jesus Marin.
        (markt) |  |  | 45453: Remove potential race condition in JDBC Realm.
        Based on a patch by Santtu Hyrkk. (markt) |  |  | 45576: Add DIGEST support to the JAAS Realm. (markt) |  |  | 45585: Allow Tomcat to start if using $CATALINA_BASEbut not JULI. Patch based on a suggestion by
        Ian Ward Comfort. (markt) |  |  | The JAAS Realm did not assign roles to authenticated users. (markt) |  |  | Provide full stacktrace and message when the ErrorReportValveClass can't
        be instantiated. (funkman) |  |  | 45608: Make allocated servlet count synchronized to ensure
        the correct allocated servlet count is available during shutdown.
        (markt) |  |  | 45628: When checking MANIFEST dependencies, JARs without
        dependencies should allows be considered to be full-filled. (markt) |  |  | 45735: Improve ETag handling. (remm) |  |  | 45785: Ignore directories named xxx.jar in WEB-INF/lib.
        (markt) |  |  | 45823: Log missing request headers as '-' not 'null'. Based
        on a patch by Per Landberg. (markt) |  |  | 45825: Correctly handle annotations in parent classes. Based
        on a patch by Florent Benoit. (markt) |  |  | 45906: Further ETag handling improvements. Patch provided by
        Chris Hubick. (markt) |  |  | Add the CombinedRealm that enables authentication to be attempted
        against multiple realms. (markt) |  |  | Add the LockOutRealm that enables a standard Realm to be wrapped with
        the functionality to lock out a user after too many failed logins.
        (markt) |  |  | Make the upper size limit of the static resource cache configurable
        since the default of cacheMaxSize/20gave too high a value
        for large caches. (markt) |  |  | Fix HTML decoding error in SSI processing. (markt) |  |  | Fix cast error in JULI log factory. (markt) |  |  | Fix some thread safety issues in date formatting. (markt) |  |  | Fix a String comparison bug in the digester property replacement that
        resulted in non-optimal operation. (markt) |  |  | Correct handle multi-level contexts defined using context.xml files.
        (markt) |  |  | 45933: Don't use xml parser from web-app to process tld
        files. (markt) |  |  | 45951: Support changing of JSESSIONID cookie name and
        jsessionid path parameter name. Based on a patch by Jean-frederic Clere.
        (markt) |  |  | 46011: Make Principal accessible (if set) via Subject.getSubject(AccessController.getContext())when
        processing filters. Based on a patch by tsveg1. (markt) |  |  | 46075: When uploading files, don't create buffers at the
        maximum configured size. Use the default size and let the buffers grow
        to the maximum size if necessary. (markt) |  |  | 46085: Fix a rare thread safety issue with session
        expiration. (markt) |  |  | 46096:  Support annotation processing whilst running under a
        security manager. (markt) |  |  | The invoker servlet has been deprecated and will be removed in Tomcat 7
        onwards. (markt) |  |  | 46105:  Correctly set URI encoding when replaying a request
        after FORM authentication. (markt) |  |  | Remove unnecessary reference to commons-logging from the bootstrap JAR
        manifest. (markt) |  |  | 46232: Enabled the XMl parser to be over-ridden using the
        standard endorsed mechanism. (markt) |  |  | 46261: Treat %2F in a context name literally rather than
        converting it (inconsistently) to '/' - that is what '#' is for. (markt) |  |  | 46298: Throw an SQLException with a useful message rather
        than a NPE if the URL for the JDBCRealm is invalid. Based on a patch by
        Owen Jacobson. (markt) |  |  | 46304: Further fixes to make Principal accessible (if set)
        via Subject.getSubject(AccessController.getContext())when
        processing filters. (markt) |  |  | 46403: Provide a workaround for an IE and Safari bug that
        means the Max-Age attribute of a cookie is ignored. (markt) |  |  | 46408: Fix invalid cast in security utility package. (markt) |  |  | Remove duplicate normalisation implementations and make normalise
        behaviour consistent throughout code base. (markt) |  |  | 46683: Fix typo in French localisation file name for the
        org.apache.catalina.loader package. (markt) |  |  | 46606: Make the max DEPTH for a WebDAV request configurable.
        The default is still 3. (markt) |  |  | 44382: Add support for using httpOnly for session cookies.
        This is disabled by default. (markt/fhanik) |  |  | Fix possible NCDFE when using FORM authentication. (jfclere) |  |  | Fix possible synchronisation bottleneck in cookie creation. (markt) |  |  | Fix various spelling errors reported on the mailing lists. (markt) |  |  | Make the logging manager and properties file configurable via
        environment variables. (fhanik) |  | 
 | Coyote |  | 
    
      |  | 45154:
        Implement SEND_FILE behavior for SSL connections using NIO (fhanik) |  |  | Fix file descriptor leak during NIO send file behavior. (fhanik) |  |  | Implement usage of keyAlias attribute for NIO, previously attribute was ignored. (fhanik) |  |  | Prevent server from calling close on an already closed NIO socket. One that had timed out. (fhanik) |  |  | Fix bug with SEND_FILE behavior in NIO. Send file would delay until selector timed out, even though socket was ready to be written. (fhanik) |  |  | Fix possible NPE in NioEndpoint.java (fhanik) |  |  | Update tc-native to 1.1.15 in build.properties.default (jfclere) |  |  | 43327: Socket bind fails when using APR on a system with IPv6
        enabled but no explicit IPv6 address configured. (markt/jfclere) |  |  | 44285: Make the SSL session cache size and timeout
        configurable. (markt) |  |  | 45074: Add configuration parameters to enable the tuning
        of sendfile and poller thread count in the APR HTTP connector. Patch
        provided by Alex Barclay. (jfclere/markt) |  |  | 45528: Add detection for invalid SSL configuration to prevent
        infinite logging loop on start-up. (markt) |  |  | 45591: NPE on start-up failure in some cases. Based on a
        patch by Matt Passell. (markt) |  |  | 46077: Expose deferAccept for configuration. Patch provided
        by Michael Leinartas. (markt) |  |  | Don't swallow input if we know the connection is going to be closed. (billbarker) |  |  | 46125: Return a status code of 400 if the request headers are
        too large. (markt) |  |  | Make certain that classes are first loaded by trusted code when working in a sandbox. (billbarker) |  |  | Log a message if we reach maxThreads in a connector thread pool. (markt) |  |  | Enable the thread pool limits to be modified via JMX. (markt) |  |  | Fix HTTP/1.0 redirects handling with APR AJP connector. (remm) |  |  | 46666: keepAliveTimeout should be used regardless of setting
        of disableUploadTimeout. (markt) |  | 
 | Jasper |  | 
    
      |  | 36923: Treat EL expressions as template text if EL
        expressions are disabled. (markt) |  |  | 37515: Support 1.6 and 1.7 as source and target for
        compilation. (markt) |  |  | ClassCastException in EL ExpressionBuilder. (rjung) |  |  | Use more generics in EL to improve type safety. (rjung) |  |  | Use a lookahead to remove potential ambiguity in EL parsing. (markt) |  |  | Correct typo in JSP EL examples. (markt) |  |  | 38197: Take account of jsp:attribute elements when pooling
        tags. (markt) |  |  | 42077: Ensure the iterator returned by
        javax.el.CompositeELResolver#getFeatureDescriptor() skips any null
        FeatureDescriptors. Patch provided by Mathias Broekelmann. (markt) |  |  | 42693: Fix JSP generation error with recursive tag file
        structure. (markt) |  |  | 45427: Correctly handle unmatched quotes in EL expressions.
        (markt) |  |  | 45511: The failure of the emptykeyword was a
        regression caused by the previous fix for 42565. The original
        fix for 42565 has been reverted and a new fix applied.
        (markt) |  |  | 45648: Don't trim the last character when parsing the EL
        namespace. (markt) |  |  | 45666: Prevent infinite loop on include. (markt) |  |  | 45691: Prevent generation of duplicate variable names when
        generating code for JSPs. (markt) |  |  | Correct signed/unsigned conversion error in ASCII parsing. (markt) |  |  | Fix various edge-cases when parsing EL, particularly inside attribute
        values. Note that the Expert Group has confirmed that JSP.1.6 takes
        precedence over JSP.1.3.10. Therefore EL in attributes must be escaped
        twice. (markt) |  |  | 46047: Include the path to the JAR when recording
        dependencies that are located inside a JAR file. Patch provided by
        Cédric Mailleux. (markt) |  |  | 46381: Composite expressions used for attribute values must
        be coerced to Strings. (markt) |  |  | 46397: Don't pool tag instances that implement JspIdConsumer.
        (markt) |  |  | 46462: Limit package test to just the o.a.jsp package to
        allow use of packages such as o.a.jspwiki. (markt) |  |  | 46471: Fix naming clash when tags in different libraries have
        the same name. (markt) |  |  | 46564: Make page encoding check for tagx compilation
        case-insensitive. (markt) |  | 
 | Cluster |  | 
    
      |  | Prevent NPE for ReplicationValve (pero) |  |  | Provide TCP only start-up option when using static membership. (fhanik) |  |  | Document the multicast recovery options. (fhanik) |  |  | 45261: Add a new SimpleCoordinator for tribes provided by
        Robert Newson. (markt) |  |  | 45618: Make sure NIO selector is closed when no longer used.
        Unlikely to be an issue in normal usage. (markt) |  |  | 45851: Fix out of order message processing issues with the
        FarmWarDeployer. (markt) |  |  | Fix small memory leak in FarmWarDeployer. (markt) |  |  | 46357: Corrected test for host's parent must be an engine.
        (markt) |  |  | Fix so that JvmrouteBinderValve can rewrite session suffix with parallel
        requests from same client. (pero) |  | 
 | Web applications |  | 
    
      |  | 45940: Correct name of username attribute for JDBC resources
        in JNDI how to. (markt) |  |  | 46035: Fix multiple typos in monitoring how to. (markt) |  |  | 46067: Fix typos in Advanced IO how to. (markt) |  |  | 46115: Correct Manager UI to show that path is required when
        using the deploy command. (markt) |  |  | 46121: Add note to manager documentation regarding possible
        naming clash with new Ant 1.7 resources datatype and how to avoid it.
        (markt) |  |  | Remove unsed parameters from Native/APR example connector configuration
        in docs. (markt) |  |  | Use CSS based solution for printer-friendly docs. Patch provided by
        vitezslav.smid as part of GSoc with additional work by Tim Funk. (markt) |  |  | Update the FAQ linsk in the docs to refer to the wiki. Use xlst task
        rather than style task to generate docs. (funkman/markt) |  |  | Document the LifecycleListeners. (markt) |  |  | Fix broken URL mapping in the examples. (markt) |  |  | 46563: Update doc for correct default for pollerThreadCount.
        (markt) |  |  | 46600: Document maxKeepAliveRequests for the NIO connector.
        (markt) |  |  | Fix CVE-2009-0781. XSS in calendar example. (markt) |  | 
 | Other |  | 
    
      |  | 41861: Update service name to Apache Tomcat 6 to prevent
        conflicts with previous major Tomcat versions. (markt/rjung) |  |  | 45852: Add special handling for cp932 (aka ms932) when
        creating tomcat-users.xml with Windows installer. (markt) |  |  | 45878: Restore manifest, licence and notice files to the jsp
        and servlet jars. (markt) |  |  | 45879: Move NOTICE file from documentation webapp to the
        installation directory. (markt) |  |  | Add a workaround for DBCP-191. Tomcat will now build without error on a
        1.6 JDK but because it does this by skipping DBCP, release builds must
        be generated with a 1.5 JDK. (costin/markt) |  |  | 46366: Correct information in RUNNING.txt regarding use of
        CATALINA_HOME and CATALINA_BASE. (markt) |  |  | Use more useful JPDA defaults in catalina.bat. (markt) |  |  | Correct error in 2.5 web-app XSD. |  | 
 | 
 | Tomcat 6.0.18 (remm) | released 2008-07-31 |  | 
  | Catalina |  | 
    
      |  | 42727: Correctly handle request lines that are exact
        multiples of 4096 in length. Patch provided by Will Pugh. (markt) |  |  | 42678: Only ignore docBase if it really is a subdir of
        appBase. Patch provided by juergen. (markt) |  |  | 42722: Possible NPE in CGI Servlet. (markt) |  |  | 45285: Look for annotations in class hierarchy. (markt) |  |  | Add additional checks for URI normalization. (remm) |  | 
 | Jasper |  | 
    
      |  | 42565: Make EL ternary expression without space before colon
        work. Patch provided by Lucas Galfaso. (markt) |  | 
 | Web applications |  | 
    
      |  | 45323: Add note that context.xml files can only contain a
        single Context element. (markt) |  | 
 | Cluster |  | 
    
      |  | 45317: Properly document and log the value of the state transfer timeout flag (fhanik) |  | 
 | Other |  | 
    
      |  | 45332: Specify the correct encoding (the current Windows code
        page) rather than assuming UTF-8 when creating tomcat-users.xml with the
        Windows installer. (markt) |  | 
 | 
 | Tomcat 6.0.17 (remm) | not released |  | 
  
  | Catalina |  | 
    
      |  | 45272: Put in work around for Internet Explorer not accepting a quoted Path: value using the Set-Cookie header (fhanik) |  |  | APR connector now adds connection to poller after using send file.
        (remm) |  |  | Add ManagerBase session getLastAccessedTimestamp and
        getCreationTimestamp for better remote JMX access. (pero) |  |  | Expose alwaysSend flag for message dispatch interceptor. (fhanik) |  |  | 29936: Create digesters and parsers earlier so we aren't
        using the webapp class loader when we create them. (markt) |  |  | 42662: Properly resolve reflection proxies during session
        replication. (fhanik) |  |  | 42750: Request line should be tolerant of multiple
        whitespaces. (markt/fhanik) |  |  | 42934: Change the order of events on context start so contextInitialized()event is fired beforesessionDidActivate(). The spec isn't 100% clear on the
        required order but this seems more logical than the current behaviour.
        (markt) |  |  | 43079: Fix identification of suspicious URL patterns. Patch
        provided by John Kew. (markt) |  |  | 43080: Log suspicious URL patterns to the correct web app.
        (markt) |  |  | 43117: Setting an empty workDir could result in all of
        CATALINA_HOME being deleted. Patch provided by Takayuki Kaneko. (markt) |  |  | 43142: Don't assume a directory named xxx.war is a war file.
        (markt) |  |  | 43150: Allow Tomcat to start correctly when installed on a
        path that contains a # character. (markt) |  |  | The fix for 43285 had the side-effect of coercing nullvalues to zero. This side-effect has been made
        configurable with a system property,org.apache.el.parser.COERCE_TO_ZEROwhich defaults totrue. Patch provided by Nils Eckert. (markt) |  |  | 43343: Correctly handle requesting a session we are in the
        middle of persisting. Based on a suggestion by Wade Chandler. (markt) |  |  | 43425: Make annotations spec compliant. Patch provided by
        Dain Sundstrom. (markt) |  |  | 43470: Fix various class cast exceptions. Based on a patch
        by Lucas Galfaso. (markt) |  |  | 43578: Fix startup when installation path contains a space.
        Patch provided by Ray Sauers. (markt) |  |  | 43683: Fix 404 that could occur if a Servlet is accessed
        while the context is reloading. (markt) |  |  | ExtendedAccessLogValve cs-uri not print empty querystring. (pero) |  |  | ServletContext.getResource("noslash/resource") only requires forward
        slash if STRICT_SERVLET_COMPLIANCE flag is set to true. This mimics the
        behavior of 6.0.15 and earlier. (fhanik) |  |  | 44021: Add support for using the # character to define
        multi-level contexts in WARs and directories in the appBase. (markt) |  |  | 44282: Fix TRACE level class loader logging message when a
        security manager is used. (markt) |  |  | 44337: Dir listing crashes if no readme-file present.
        (funkman) |  |  | If listener declared in web.xml, only add it once. (funkman) |  |  | Fix NPE when iterating through sessions for expiration. (fhanik/jim) |  |  | 44380: Don't scan non-file URLs for TLDs. Patch provided by
        Florent Benoit. (markt) |  |  | 44389: Fix memory leak that occurred if using a
        RequestDispatcher. Patch provided by Arto Huusko. (markt) |  |  | 44529: Correct handling of resource constraints so no roles
        (deny all) overrides no aoth-constraint (allow all). (markt) |  |  | 44562: HEAD requests cannot use includes. Patch provided by
        David Jencks. (markt) |  |  | 44595: Add possibility to request the QueueSize of an
        executor via JMX. (jfclere) |  |  | Fix CGI Servlet so it correctly reads the environment variables on
        Vista. (markt) |  |  | 44611: DirContextURLConnection didn't implement
        getHeaderFields(), getHeaderField(String name) was case sensitive and
        returned "" rather than null for header values that did not exist. Patch
        provided by Chris Hubick. (markt) |  |  | 44633: Provide a more helpful error message if a class can't
        be loaded due to a version error. (rjung/markt) |  |  | 44646: Correct various issues, including an ISE, in
        CometConnectionManagerValve. (markt) |  |  | 44673: ServletInputStream is no longer readable once closed.
        (markt) |  |  | Better handling of lack of permission for context specific logging.
        (markt) |  |  | Add permission required to read JDK logging config. (markt) |  |  | Update web.xml to reflect packaging of SSI and CGI. (markt) |  |  | Add missing access check for ThreadWithAttributes. (markt) |  |  | 44833: Correctly override StandardSession methods from
        DeltaSession. (fhanik) |  |  | 44943: Use the same engine name in server.xml comments to
        reduce copy and pastes issues. (markt) |  |  | 44988: Use Java5 syntax for debug options. Patch provided
        by Cédrik Lime. (markt) |  |  | 45101: Format header dates obtained from DirContextURLConnectionas per the HTTP spec. Patch
        provided by Chris Hubick. (markt) |  |  | A new valve, org.apache.catalina.valves.WebdavFixValve,
        that forces MS clients connecting to the WebDAV Servlet on port 80 to
        use a client that works rather than the default broken one. (markt) |  |  | 45195: Passing in null into setAttribute or removeAttribute
        cause NPE. (markt) |  | 
 | Coyote |  | 
    
      |  | NIO: Fix bug in NIO sendfile, symptoms during heavy traffic is that
        connection don't get closed. For previous versions, one can disable
        sendfile to work around the problem. (fhanik) |  |  | APR: Allow to specify the "random device" to use to collect the entropy.
        (jfclere) |  |  | Fix NIO/SSL live lock during client disconnect. (fhanik) |  |  | Fix possible ArrayIndexOutOfBoundsException. Patch provided by Charles R
        Caldarale. (markt/jim) |  |  | Add support for keystore types that do not need a file. Based on a patch
        by Bruno Harbulot. (markt) |  |  | 43094: Allow specification of keystore providers. Based on a
        patch by Bruno Harbulot. (markt) |  |  | 43191: Make it possible to override the defaults with the
        compressableMimeType attribute. Based on a patch by Len Popp. (markt) |  |  | 44391: Correct handling of escaped values in SSI processing.
        (markt) |  |  | 44392: HTML entities now handled correctly in SSI processing.
        (markt) |  |  | 44558: Improve error message so address is included if
        binding fails. (markt) |  |  | 44494: Character input limited to 8KB. (remm) |  |  | 44620: Infinite loop in NIO connector. (markt) |  |  | 44785: Correctly document default maxThreads for AJP
        connector. (markt) |  |  | Log errors for AJP signoffs at DEBUG level,
        since it is harmless if mod_jk has hung up the phone. (billbarker) |  |  | 44968: Provide more information when the load of a keystore
        fails. (markt) |  | 
 | Jasper |  | 
    
      |  | 31257: Quote endorsed dirs if they contain a space. (markt) |  |  | 42943: Make sure nested element is inside <jsp:text>
        element before throwing exception. (markt) |  |  | 43617: Correctly escape attribute values in tag files.
        Based on a patch by Lucas Galfaso. (markt) |  |  | 43656: Fix various numeric coercion bugs. Includes a patch by
        Nils Eckert and fixes related issues identified in a test case provided
        by Konstantin Kolinko. (markt) |  |  | 43741: Correctly handle dependencies for tag files in JARs.
        (markt) |  |  | 44408: Reduce synchronisation when evaluating EL expressions.
        Patch provided by Robert Andersson. (markt) |  |  | 44428: Fix possible NPE during serialization. (markt) |  |  | 44766: EL doesn't coerce custom Number subclasses. (markt) |  |  | 44877: Prevent collisions on tag pool names. (markt) |  |  | 44986: Make page encoding consistency checks
        case-insensitive. (markt) |  |  | 44994: Enable nested conditional expressions in JSP EL. Patch
        provided by James Manger. (markt) |  |  | 45015: You can't use an unescaped quote if you quote the
        value with that character. (markt/fhanik) |  |  | Add HTML filtering of error messages for included resources in case the
        app has tried to include an unsafe URL that does not exist. This is
        really an app responsibility but the filtering has been added for XSS
        safety. (markt) |  | 
 | Web applications |  | 
    
      |  | Update documentation to use correct version number, correct file paths
        and to use $CATALINA_BASE rather than $CATALINA_HOME where applicable.
        (markt/jim) |  |  | Add a section on available system property configuration options.
        (markt) |  |  | Amend the JNDI datasource doc to reflect new value for no limit used by
        updated commons-pool and commons-DBCP. (markt) |  |  | 43333: Fix errors in sendfile documentation. (markt) |  |  | 43366: Provide backwards compatibility for manager sessions
        command. (markt) |  |  | 44541: Document packetSize attribute for AJP connector.
        (markt) |  |  | 44715: Document secret attribute for AJP connector. (markt) |  |  | Fix some links in the ROOT application that are broken if ROOT is
        renamed. (markt) |  |  | Align the Realm documentation so that both the configuration and the
        how-to are consistent. (markt) |  |  | 45277: Fix typo in logging docs. (markt) |  | 
 | Cluster |  | 
    
      |  | 45212: AbstractReplicatedMap.entrySet() now returns entries
        rather than vaules. (markt) |  |  | 45279: Properly close multicast socket. |  |  | Fix session replication dead lock during non sticky load balancing.
        (fhanik) |  | 
 | Other |  | 
    
      |  | Improve the Tests for unit tests for the cookie issues. (jfclere) |  |  | Fix build for JavaDoc. Patch provided by Stephen Bannasch. (markt) |  |  | 44955: Use correct location for endorsed directory in Windows
        installer. (markt) |  | 
 | 
 | Tomcat 6.0.16 (remm) | released 2008-02-08 |  | 
  | General |  | 
    
      |  | Update commons-logging to version 1.1.1 and the NSIS installer to 2.34.
        (markt) |  |  | Update to commons-pool version 1.4, native version 1.1.12 and update
        the download location for the commons libraries. (markt) |  |  | Change chunked input parsing, always parse CRLF directly after a chunk has been
        received, except if data is not available. If data is not available for CRLF
        parsing, we run into BZ 11117, and must defer the parsing of CRLF to the next read event.
        This fixes the incorrect blocking when using CometProcessor and the draining data during the READ event
        where it before would block incorrectly waiting for the next chunk (fhanik) |  |  | The CometProcessor interface now extends the javax.servlet.Servlet interface(fhanik) |  |  | Fix CVE-2007-5342 by limiting permissions granted to JULI. (markt) |  |  | Fix handling of CometEvent.close when called during BEGIN event (fhanik) |  |  | 43594: Use setenv from CATALINA_BASE (if set) in preference
        to the one in CATALINA_HOME. Patch provided by Shaddy Baddah.
        (markt/jim) |  |  | 43692: Clean up unused entries from build scripts. Patch
        provided by Paul Shemansky. (markt) |  |  | 43775: Don't try to change line endings of binary files in
        the source distribution. (markt) |  |  | 43846:
        Fix block simulated read and writes causing timeouts.
        Add non blocking parsing of HTTP request headers.
        Perf improvements(fhanik) |  |  | 43957: Service.bat doesn't configure logging correctly. Patch
        provided by  Richard Fearn. (markt/jim) |  |  | Cookie handling/parsing changes!
        The following behavior has been changed with regards to Tomcat's cookie handling
        a) Cookies containing control characters, except 0x09(HT), are rejected using an InvalidArgumentException b) If cookies are not quoted, they will be quoted if they contain tspecials(ver0), tspecials2(ver1) characters
 c) Escape character '\\' is allowed and respected as a escape character, will be unescaped during parsing
 |  |  | Cookie parsing of $Version regression from 6.0.15 has been fixed |  |  | The script that builds the windows installer was including additional
        files due to the way it processes recurrsive file selectors. The
        selectors have been modified to only include the intended files. (markt) |  | 
 | Catalina |  | 
    
      |  | Fix ManagerServlet.expireSessions throws Exceptions as iterate longer
        session lists at production servers. (pero) |  |  | 38131: WatchedResource doesn't work if app is outside host appbase webapps.
        Patch provided by Peter Lynch (pero) |  |  | Add -Dorg.apache.catalina.tribes.dns_lookups=false as default. The ability to turn off reverse DNS lookups for membership.(fhanik) |  |  | Set correct StandardManager.sessionCounter after reload/restart. (pero) |  |  | 42503: ServletContext.getResourceAsStream() could return
        stale data. Patch provided by Arvind Srinivasan. (funkman/jim) |  |  | 43236: When resetting the response, also reset the flags
        associated with using a writer or an output stream to allow the user to
        change character set after the reset. (markt) |  |  | 43241: Make ServletContext.getResourceAsStream() conform to
        the specification. Patch provided by John Kew. (markt) |  |  | 43530: doc link fixes provided by  Paul Shemansky (funkman) |  |  | 43675: Fix a possible logging related classloader leak.
        (markt) |  |  | 43687: Remove conditional headers on Form Auth replay,
           since the UA (esp. FireFox) isn't expecting it. |  |  | 43706: WebDAV copy/move now returns 201 on success. Based on
        a patch by Panagiotis Astithas. (markt) |  |  | 43840: Include user principal if possible when serializing /
        de-serializing sessions. (markt) |  |  | 43868: MBean methods getInvoke and getSetter were broken.
        (markt) |  |  | 43887: Make error messages much more helpful when illegal
        Servlet names are used. Based on a patch provided by Mike Baranczak.
        (markt) |  |  | Fix a bug that causes CGI Servlet to fail when it is included. (markt) |  |  | Improve the webDAV Servlet Javadocs to make clear that the WebDAV
        Servlet can not be used as the default servlet. (markt) |  |  | 43993: mime mapping for WS-Policy. Patch by Fabian Ritzmann  (funkman) |  |  | 44041: Fix duplicate class definition under load. (markt) |  |  | 44084: JASSRealm was broken for application provided
        Principals. Patch provided by Noah Levitt. (markt) |  |  | 44223: Use the javax.net.ssl.trustStoreType setting if no
        explicit connector configuration is provided and the property is set.
        (markt/jim) |  |  | 44268: Log a warning if a duplicate listener configuration is
        ignored. (markt/jim) |  | 
 | Coyote |  | 
    
      |  | 43622: Don't overwrite the min compression size set by the
        compression attribute with the default. (markt/jim) |  |  | 43839: URL based session tracking failed when a session
        cookie from a parent context was present. Based on a patch by Yuan
        Qingyun. (markt) |  |  | 43914: URLs in location headers should be encoded. Patch
        provided by Ivan Todoroski. (markt) |  | 
 | Jasper |  | 
    
      |  | 43285: Missing EL Coercion causes argument type mismatch.
        Patch provided by Bernhard Huemer. (funkman/jim) |  |  | 43675: Fix a possible logging related classloader leak.
        (markt) |  |  | 43702: Inner class files have unnecessarily long names.
        (markt) |  |  | 43743: Fix NPE when compiling nest tag files packaged in a
        JAR. (markt) |  |  | 43757: Rather than use string matching to work out the line
        in the JSP with the error, use the SMAP info and the knowledge that for
        a scriptlet there is a one to one line mapping. (markt/jim) |  |  | 43758: Fix NPE when scripting elements are empty. (markt) |  |  | 43909: Make sure locale maps to wrapped ELContext. Patch
        provided by Tuomas Kiviaho. (markt) |  |  | 43944: Fix a missing resource exception. (markt) |  |  | Improve docs for Jasper configuration. Put options in alphabetical
        order, add some missing options, deprecate an unused one and address
        feedback about the page provided on the users list. |  | 
 | Web applications |  | 
    
      |  | 43173: Fix typo in logging documentation regarding location
        of logging.properties. (markt) |  |  | 43344: Fix typo in if.jsp example. Patch provided by Tim
        Nowaczyk. (markt) |  |  | 43468: Fix possible NPE when listing contexts in the Manager
        application. (markt) |  |  | 43515: Fix bug in Manager application that may have caused
        problems when listing contexts. Patch provided by Lucas Galfaso. (markt) |  |  | 43611: Provide an error message if user tries to upload a war
        for a context defined in server.xml rather than failing silently.
        (markt/jim) |  |  | 43800: Make relationship between APR and the native connector
        clearer. (markt) |  |  | 44088: Fix expire session button in manager. (markt) |  |  | 44094: Add a note about the side effects of configuring a
        context as privileged. (markt) |  |  | Update JNDI documentation to refer to configuring contexts via
        context.xml rather than server.xml. (markt/jim) |  | 
 | Cluster |  | 
    
      |  | Fix FarmWarDeployer can be only configured as host subelement (pero) |  |  | Fix wrong && at ReplicationValve (pero) |  |  | Add get/set methods for properties in the Tcp Failure detector.
        (fhanik/jim) |  | 
 | 
 | Tomcat 6.0.15 (remm) | not released |  | 
  | General |  | 
    
      |  | Fix the MD5 file contents in distribution |  |  | Add ANT script to be able to publish signed Tomcat JAR's to ASF Maven repo (fhanik) |  |  | Use Eclipse JDT 3.3.1. (pero) |  | 
 | Catalina |  | 
    
      |  | Guess java location from the PATH environment and improve fix for 37284 |  |  | Add NIO connector to server.xml parsing warning, remove Connector as exception case |  |  | 43653: Fix SSL buffer mixup when response is unable to write more than socket buffer can handle |  |  | 43643: If connector doesn't support external executor, display warning |  |  | 43641: Property bind multicast address for cluster membership |  |  | 42693: Fix JSP compiler bug |  |  | Add mbean descriptor for virtual webapp loader |  |  | 43487:
        Fix request processing stats |  |  | 43435: Don't iterate and relocate sessions if they are not part of the map. |  |  | 43356: Keystore parameter is relative to CATALINA_BASE,
        Truststore is either defined as parameter, javax.net.ssl.trustStore or if empty
        defaults to the keystore.
        SSL Client cert authentication changed from boolean to "true|false|want" (fhanik) |  |  | 30949: Improve previous fix. Ensure requests are re-cycled
        on cross-context includes and forwards when an exception occurs in the
        target page. (markt) |  |  | 42944: Correctly handle servlet mappings that use a '+'
        character as part of the url pattern. (markt) |  |  | 42951: Don't use CATALINA_OPTS when stopping Tomcat. This
         allows options for starting and stopping to be set on JAVA_OPTS and
         options for starting only to be set on CATALINA_OPTS. Without this
         fix, some startup options (eg the port for remote JMX) would cause
         stop to fail. Based on a fix suggested by Michael Vorburger.
         Port of r454193 (36976) from Tomcat 5.5.x. (markt,rjung) |  |  | Validation of attributes and elements used in server.xml. (remm) |  |  | 43175: Fix typos in servlet XSD files. Patch provided by
        Takayuki Kaneko. (markt) |  |  | 43216: Set correct StandardSession#accessCount as StandardSession.ACTIVITY_CHECK is true.
        Patch provided by Takayuki Kaneko (pero) |  |  | Made session createTime accessible for all SessionManager via JMX (pero) |  |  | 43129: Support logging of all response header values at AccessLogValve (ex. add %{Set-Cookie}o to your pattern). (pero) |  |  | Support logging of all response header values at ExtendedAccessLogValve (ex. add x-O(Set-Cookie) to your pattern). (pero) |  |  | Support logging of current thread name at AccessLogValve (ex. add %I to your pattern).
        Usefull to compare access logging entry later with a stacktraces. (pero) |  |  | Improve large-file support (more then 4 Gb) at all AccessLogValves, backport from 5.5.25. (pero) |  |  | Optimized JDBCAccessLogValve combined pattern request attribute access. (pero) |  |  | o.a.juli.ClassLoaderLogManager handle more then one system property replacement at file logging.properties. (pero) |  |  | 43338: Support '*' servlet-name mapping at filter-mapping.
        Patch provided by Keiichi Fujino. (pero) |  |  | 41797: CNFE/NPE thrown from function mapper when externalizing
        Patch by Tuomas Kiviaho- tuomas.kiviahos at ikis fi (funkman) |  |  | 43453: ClassCastException at
        org.apache.catalina.core.StandardContext.findStatusPage(int)
         (funkman) |  |  | Fix important vulnerability when webdav is enabled for write. (markt) |  |  | Call stopAwait in StandardServer.stop if port == -1. (pero) |  |  | 43668: Fix NPE when the outer most wrapper is a ServletRequest/ResponseWrapper, but not a HttpServletRequest/ResponseWrapper on a Forward. (billbarker) |  | 
 | Coyote |  | 
    
      |  | Harmonize with HTTP java.io code. Otherwise the socket is not closed. |  |  | In the APR connector, start accepting connections after fully starting
        the connector, to prevent possible exceptions due to non initialized fields. (remm) |  |  | Cookie parser refactoring, submitted by John Kew. (remm) |  |  | Make cookie escaping / unescaping consistent. (markt) |  |  | 43479: Memory leak cleaning up sendfile connections, submitted by Chris Elving. (remm) |  |  | 42925: Add maintain for sendfile. (remm) |  |  | Fix explicit flush before response commit in the org.apache.jk AJP connector. (pero) |  |  | 43621: Fix possible Dos condition when using the experimental NIO/AJP Connector (billbarker) |  | 
 | Jasper |  | 
    
      |  | 37326: No error reported when an included page does not
        exist. (markt) |  | 
 | Web applications |  | 
    
      |  | Fix WebDAV Servlet so it works correctly with MS clients. (markt) |  |  | Fix CVE-2007-5461, an important information disclosure vulnerability in
        the WebDAV Servlet. Based on a patch by Marc Schoenefeld. (markt) |  |  | 42979: Update sample.war to include recent security fixes
        in the source code. (markt) |  |  | Minor connector doc fix. (jfclere) |  | 
 | Cluster |  | 
    
      |  | Set correct BioReceiver transfer buffer size. (pero) |  | 
 | Other |  | 
    
      |  | Tests for unit tests for the cookie issues. (jfclere) |  | 
 | 
 | Tomcat 6.0.14 (remm) | released 2007-08-13 |  | 
  | General |  | 
    
      |  | Correct j.u.l log levels in JULI docs. (rjung) |  | 
 | Catalina |  | 
    
      |  | Handle special case of ROOT when re-loading webapp after ROOT.xml has
        been modified. In some circumstances the reloaded ROOT webapp had no
        associated resources. (markt) |  |  | Remove invalid attribute "encoding" of MBean MemoryUserDatabase,
        which lead to errors in the manager webapp JMXProxy output. (rjung) |  |  | 33774: Retry JNDI authentication on ServiceUnavailableException
        as at least one provider throws this after an idle connection has been
        closed. (markt) |  |  | 39875: Fix BPE in RealmBase.init(). Port of yoavs's fix from
         Tomcat 5. (markt) |  |  | 41722: Make the role-link element optional (as required by
        the spec) when using a security-role-ref element. (markt) |  |  | 42361: Handle multi-part forms when saving requests during
         FORM authentication process. Patch provided by Peter Runge. (markt) |  |  | 42401: Update RUNNING.txt with better JRE/JDK information.
         (markt) |  |  | 42444: prevent NPE for AccessLogValve
         Patch provided by Nils Hammar (funkman) |  |  | 42449:
         JNDIRealm does not catch NullPointerException for Sun's
         LDAP provider (See bug for details) (funkman) |  |  | 42497: Ensure ETag header is present in a 304 response.
         Patch provided by Len Popp. (markt) |  |  | Fix XSS security vulnerability (CVE-2007-2450) in the Manager and Host
        Manager. Reported by Daiki Fukumori. (markt) |  |  | 42547: Fix NPE when a ResourceLink in context.xml tries to
        override an env-entry in web.xml. (markt) |  |  | Avoid some casting in ErrorReportValve (remm) |  |  | Fix persistence API annotation, submitted by Bill Burke (remm) |  |  | In Comet mode, if bytes are not read, send an error event (otherwise,
        fields referring to the connection could remain) (remm) |  |  | Fix Comet when running Tomcat with the security manager (remm) |  | 
 | Jasper |  | 
    
      |  | 39425: Add additional system property permission to
        catalina.policy for pre-compiled JSPs. (markt) |  |  | 42438: Duplicate temporary variables were created when
        jsp:attribute was used in conjunction with custom tags. Patch provided
        by Brian Lenz. (markt) |  |  | 42643: Prevent creation of duplicate JSP function mapper
        variables. (markt) |  | 
 | Coyote |  | 
    
      |  | Separate sequence increment from getter in ThreadPool to avoid
        misleading increments during monitoring via JMX. (rjung) |  |  | Add back missing socketBuffer attribute in the java.io HTTP connector (remm) |  | 
 | Web applications |  | 
    
      |  | Don't write error on System.out, use log() instead. (rjung) |  |  | 39813: Correct handling of new line characters in JMX
        attributes. Patch provided by R Bramley. Ported from tc5.5.x r415029. (markt,rjung) |  |  | 42459: Fix Tomcat Web Application Manager table error. (rjung) |  |  | Fix XSS security vulnerabilities (CVE-2007-2449) in the examples.
        Reported by Toshiharu Sugiyama. (markt) |  | 
 | 
 | Tomcat 6.0.13 (remm) | released 2007-05-15 |  | 
  | Catalina |  | 
    
      |  | More accurate available() method. (remm) |  |  | Add recycle check in the event object, since it is a facade like the others. (remm) |  |  | When processing a read event, enforce that the servlet consumes all available bytes. (remm) |  |  | Add a flag in ContainerBase which could be used in embedded scenarios to avoid a double start
         of contexts (this problem generally occurs when adding contexts to a started host). (remm) |  |  | 42309: Ability to create a connector using a custom protocol specification for embedded.
         (fhanik) |  |  | Add SSL engine flag to AprLifecycleListener. (fhanik) |  |  | Improve event processing, so that an END event is generated when encountering EOF, and an
         ERROR is always generated on client disconnects. (remm) |  |  | Add declarations for the new XSD files. (remm) |  | 
 | Coyote |  | 
    
      |  | Add heartbeatBackgroundEnabled flag to SimpleTcpCluster.
         Enable this flag don't forget to disable the channel heartbeat thread (pero) |  |  | Possible memory leak when using comet, caused by adding the socket to the poller before
         cleaning up the connection tracking structure. (remm) |  |  | 42308: nextRequest recycles the request, which caused issues with statistics. (remm) |  |  | Fix non recycled comet flag in the APR connector. (remm) |  | 
 | Cluster |  | 
    
      |  | Add heartbeatBackgroundEnabled flag to SimpleTcpCluster.
         Enable this flag don't forget to disable the channel heartbeat thread (pero) |  |  | Method name cleanup. (fhanik) |  | 
 | 
 | Tomcat 6.0.12 (remm) | not released |  | 
  | General |  | 
    
      |  | License source headers. Submitted by Niall Pemberton. (remm) |  | 
 | Catalina |  | 
    
      |  | 42039: Log a stack trace if a servlet throws an
         UnavailableException. Patch provided by Kawasima Kazuh. (markt) |  |  | 41990: Add some additional mime-type mappings. (markt) |  |  | 41655: Fix message translations. Japanese translations
        provided by Suzuki Yuichiro. (markt) |  |  | Add enabled attribute to AccessLogValve (pero) |  |  | 42085: Avoid adding handlers for the root logger twice when they are explicitly
        specified. (remm) |  |  | Reduce thread local manipulation in the request dispatcher. Submitted by
        Arvind Srinivasan. (remm) |  |  | Avoid keeping references to loggers tied to the webapp classloaders after a reload in
        a couple more places. (remm) |  |  | 42202: Fix container parsing of TLDs in webapps when Tomcat is installed in
        a URL encodable path. (remm) |  | 
 | Coyote |  | 
    
      |  | 42119: Fix return value for request.getCharacterEncoding() when
        Content-Type headers contain parameters other than charset. Patch by
        Leigh L Klotz Jr. (markt) |  |  | Move away from using a thread local processor for the APR and java.io
        connectors, as this does not work well when using an executor. (remm) |  |  | Remove Comet timeout hack in the APR connector. Comet connections will now
        use the regular timeout or the keepalive timeout if specified. (remm) |  | 
 | Web applications |  | 
    
      |  | 42025: Update valve documentation to refer to correct regular
        expression implementation. (markt) |  |  | Fix various paths in the manager webapps (remm) |  |  | Session viewer and editor for the HTML manager. Submitted by Cédrik Lime. (remm) |  |  | Session handling tools for the manager. Submitted by Rainer Jung. (remm) |  | 
 | Jasper |  | 
    
      |  | 41869: TagData.getAttribute() should return
        TagData.REQUEST_TIME_VALUE when the attribute value is an EL expression.
        (markt) |  |  | 42071: Fix IllegalStateException on multiple requests to
        an unavailable JSP. Patch provided by Kawasima Kazuh. (markt) |  |  | After a JSP throws an UnavailableException allow it to be accessed once
        the unavailable period has expired. (markt) |  | 
 | Cluster |  | 
    
      |  | Add toString method to better logging session replication message at tribes MESSAGES (pero) |  | 
 | 
 | Tomcat 6.0.11 (remm) | not released |  | 
  | General |  | 
    
      |  | Update DBCP to 1.2.2, pool to 1.3, JDT to 3.2.2 and remove collections
        build dependency (pero, remm) |  | 
 | Catalina |  | 
    
      |  | Don't log pattern subtoken at ExtendedAccesLogValve (pero) |  |  | Add some missing JMX attributes for new AccessLogValve (pero) |  |  | 41786: Incorrect reference to catalina_home in catalina.sh/bat Patch provided by Mike Hanafey (fhanik) |  |  | 41703: SingleSignOnMessage invalid setter, patch provided by Nils Hammar (fhanik) |  |  | 41682: ClassCastException when logging is turned on (fhanik) |  |  | 41530: Don't log error messages when connector is stopped (fhanik) |  |  | 41166: Invalid handling when using replicated context (fhanik) |  |  | Added SENDFILE support for the NIO connector. (fhanik) 
 |  |  | Added support for shared thread pools by adding in the <Executor>
        element as a nested element to the <Service> element. (fhanik) |  |  | 41666: Correct handling of boundary conditions for
        If-Unmodified-Since and If-Modified-Since headers. Patch provided by
        Suzuki Yuichiro. (markt) |  |  | 41739: Correct handling of servlets with a load-on-startup
        value of zero. These are now the first servlets to be started. (markt) |  |  | 41747: Correct example ant script for deploy task. (markt) |  |  | 41752: Correct error message on exception in MemoryRealm.
        (markt) |  |  | 39883: Add documentation warning about using antiResourceLocking
        on a webapp outside the Host's appBase. (yoavs) |  |  | 40150: Ensure user and roll classnames are validated on startup.  Patch by
          Tom. (yoavs) |  |  | Refactor extend access log valve using the optimized access log valve. Submitted by
        Takayuki Kaneko. (remm) |  |  | Possible deadlock in classloading when defining packages. (remm) |  |  | Remove excessive syncing from listener support. (remm) |  |  | Web services support. The actual factory implementations are implemented in the
        extras. Submitted by Fabien Carrion. (remm) |  |  | Add logging to display APR capabilities on the platform. (remm) |  |  | Expose executors in JMX. (remm) |  |  | CRLF inside a URL pattern is always invalid. (remm) |  |  | Tweak startup time display. (remm) |  |  | Adjustments to handling exceptions with Comet. (remm) |  |  | If the event is closed asynchronously, generate an end event for cleanup on the
        next event. (remm) |  |  | Cleanup hello webapp from the docs and fix a XSS issue in the JSP.  (remm) |  |  | Examples webapp cleanup. Submitted by Takayuki Kaneko and Markus Schönhaber. (remm) |  |  | 41289: Create configBase, since it is no longer created elsewhere.
        Submitted by Shiva Kumar H R. (remm) |  | 
 | Coyote |  | 
    
      |  | Fixed NIO memory leak caused by the NioChannel cache not working properly. |  |  | Added flag to enable/disable the usage of the pollers selector instead of a Selector pool
        when the serviet is reading/writing from the input/output streams
        The flag is -Dorg.apache.tomcat.util.net.NioSelectorShared=true |  |  | Requests with multiple content-length headers are now rejected. (markt) |  |  | 41675: Add a couple of DEBUG-level logging statements to Http11Processors
          when sending error responses.  Patch by Ralf Hauser. (yoavs) |  |  | Reuse digester used by the modeler. (remm) |  |  | When the platform does not support deferred accept, put accepted sockets in the
        poller. (remm) |  |  | Fix problem with blocking reads for keepalive when using an executor (the number
        of busy threads is always 0). (remm) |  |  | The poller now has good performance, so remove firstReadTimeout. (remm) |  |  | 42119: Fix return value for request.getCharacterEncoding() when
        Content-Type headers contain parameters other than charset. Patch by
        Leigh L Klotz Jr. (markt) |  | 
 | Web applications |  | 
    
      |  | Fix previous update to servlet 2.5 xsd to use correct declaration.
        (markt) |  |  | Update host configuration document for new behaviour for directories
        in appBase. (markt) |  |  | 39540: Add link to httpd 2.2 mod_proxy_ajp docs in AJP connector doc. (yoavs) |  | 
 | Jasper |  | 
    
      |  | 41227: Add a bit of DEBUG-level logging to JspC so users know
          which file is being compiled. (yoavs) |  |  | Remove some dead utility code, and refactor stream capture as part of the Ant compiler. (remm) |  |  | Support the trim directive of JSP 2.1 as an equivalent of Jasper's own parameter. (remm) |  |  | 41790: Close file stream used to read the Java source. (remm) |  |  | Fix reporting of errors which do not correspond to a portion of the JSP source. (remm) |  |  | Remove try/catch usage for annotation processing in classic tags. The usage
        of the log method might have been questionable as well. (remm) |  |  | Cleanup of the message that is displayed for compilation errors. (remm) |  |  | Skip BOM when reading a JSP file. (remm) |  | 
 | 
 | Tomcat 6.0.10 (remm) | released 2007-02-28 |  | 
  | Catalina |  | 
    
      |  | Unify usage of security manager flag, submitted by Arvind Srinivasan. (remm) |  |  | Fix formatting of CGI variable SCRIPT_NAME. (markt) |  |  | 41521: Support * for servlet-name, submitted by Paul McMahan. (remm) |  |  | Cache getServletContext value, submitted by Arvind Srinivasan. (remm) |  |  | Add options for handling special URL characters in paths, and disallow '\' and encoded '/'
        due to possible differences in behavior between Tomcat and a front end webserver. (remm) |  |  | Fix bad comparison for FORM processing, submitted by Anil Saldhana. (remm) |  |  | 41608: Make log levels consistent when Servlet.service()
        throws an exception. (markt) |  | 
 | Coyote |  | 
    
      |  | Reduce usage of MessageBytes.getLength(), submitted by Arvind Srinivasan. (remm) |  | 
 | Jasper |  | 
    
      |  | 41558: Don't call synced method on every request, submitted by Arvind Srinivasan. (remm) |  |  | Switch to a thread local page context pool. (remm) |  | 
 | 
 | Tomcat 6.0.9 (remm) | beta, 2007-02-08 |  | 
  | General |  | 
    
      |  | Use 2.5 xsd in Tomcat webapps. (markt) |  |  | Compression filter improvements, submitted by Eric Hedström. (markt) |  | 
 | Catalina |  | 
    
      |  | Properly return connector names. (remm) |  |  | Remove logging of the XML validation flag. (remm) |  |  | Correct error messages for context.xml. (markt) |  |  | 41217: Set secure flag correctly on SSO cookie, submitted by
        Chris Halstead. (markt) |  |  | 40524: request.getAuthType() now returns CLIENT_CERT rather
        than CLIENT-CERT. (markt) |  |  | 40526: Return support for JPDA_OPTS to catalina.bat and add
        a new option JPDA_SUSPEND, submitted by by Kurt Roy. (markt) |  |  | 41265: In embedded, remove the code that resets checkInterval
        values of zero to 300. (markt) |  | 
 | Coyote |  | 
    
      |  | 37869: Fix getting client certificate, submitted by Christophe Pierret. (remm) |  |  | 40960: Throw a timeout exception when getting a timeout rather than a
        generic IOE, submitted by Christophe Pierret. (remm) |  | 
 | Jasper |  | 
    
      |  | EL validation fixes for attributes. (remm) |  |  | 41327: Show full URI for a 404. (markt) |  |  | JspException now uses getCause() as the result for getRootCause(). (markt) |  | 
 | Cluster |  | 
    
      |  | 41466: When using the NioChannel and SecureNioChannel its
        important to use the channels buffers. (fhanik) |  | 
 | 
 | Tomcat 6.0.8 (remm) | alpha |  | 
  | Catalina |  | 
    
      |  | Make provided instances of RequestDispatcher thread safe. (markt) |  |  | Optional development oriented loader implementation. (funkman) |  |  | Optimized access log valve, submitted by Takayuki Kaneko. (remm) |  |  | Fix error messages when parsing context.xml that incorrectly referred to
        web.xml. (markt) |  |  | 41217: Set secure attribute on SSO cookie when cookie is
        created during a secure request. Patch provided by Chris Halstead.
        (markt) |  |  | 40524: HttpServletRequest.getAuthType() now returns
        CLIENT_CERT rather than CLIENT-CERT for certificate authentication
        as per the spec. Note that web.xml continues to use CLIENT-CERT to
        specify the certificate authentication should be used. (markt) |  |  | 41401: Add support for JPDA_OPTS to catalina.bat and add a
        JPDA_SUSPEND environment variable to both startup scripts. Patch
        provided by Kurt Roy. (markt) |  | 
 | Coyote |  | 
    
      |  | Use the tomcat-native-1.1.10 as recommended version.
        OpenSSL detection on some platforms was broken 1.1.8 will continue to work,
        although on some platforms there can be JVM crash if IPV6 is enabled and
        platform doesn't support IPV4 mapped addresses on IPV6 sockets. |  | 
 | Jasper |  | 
    
      |  | When displaying JSP source after an exception, handle included files.
        (markt) |  |  | Display the JSP source when a compilation error occurs and display
        the correct line number rather than start of a scriptlet block. (markt) |  |  | Fix NPE when processing dynamic attributes. (remm) |  |  | More accurate EL usage validation. (remm) |  |  | Fix regression for implicit taglib and page data version numbers. (remm) |  |  | 41265: Allow JspServlet checkInterval init parameter to be
        explicitly set to the stated default value of zero by removing the
        code that resets it to 300 if explicitly specified as zero. (markt) |  |  | 41327: Show full URI for a 404. Patch provided by Vijay.
        (markt) |  | 
 | Web applications |  | 
    
      |  | Add a virtual hosting how-to contributed by Hassan Schroeder. (markt) |  |  | Update all webapps to use the servlet 2.5 xsd. (markt) |  |  | 39572: Improvements to CompressionFilter example provided by
        Eric Hedström. (markt) |  | 
 | 
 | Tomcat 6.0.7 (remm) | beta, 2007-01-10 |  | 
  | General |  | 
    
      |  | Fix installer's bitmap (mturk) |  | 
 | Catalina |  | 
    
      |  | Refactor logging of errors which may occur when reading a post body (remm) |  | 
 | Coyote |  | 
    
      |  | 37869: Also use the SSL_INFO_CLIENT_CERT field if the chain is empty,
        submitted by Grzegorz Grzybek (remm) |  | 
 | 
 | Tomcat 6.0.5 (remm) | not released |  | 
  | Catalina |  | 
    
      |  | 40585: Fix parameterised constructor for o.a.juli.FileHandler
        so parameters have an effect. (markt) |  |  | Escape invalid characters from request.getLocale. (markt, remm) |  |  | Update required version for native to 1.1.8. (remm) |  |  | Do not log broken pipe errors which can occur when flushing the content of an error page. (remm) |  | 
 | Coyote |  | 
    
      |  | Fix firstReadTimeout behavior for the AJP connector. (remm) |  | 
 | Jasper |  | 
    
      |  | 41057: Make jsp:plugin output XHTML compliant. (markt) |  | 
 | Cluster |  | 
    
      |  | Cluster interface cleanup. (fhanik) |  |  | Refactoring to allow usage of executors. (fhanik) |  | 
 | 
 | Tomcat 6.0.3 (remm) | not released |  | 
  
  | Catalina |  | 
    
      |  | 37509: Do not remove whitespace from the end of values
        defined in logging.properties files. (markt) |  |  | 38198: Add reference to Context documentation from Host
        documentation that explains how Context name is obtained from the
        Context filename. (markt) |  |  | 40844: Missing syncs in JDBCRealm. (markt) |  |  | 40901: Encode directory listing output. Based on a patch
        provided by Chris Halstead. (markt) |  |  | 40929: Correct JavaDoc for StandardClassLoader. (markt) |  |  | 41008: Allow POST to be used for indexed queries with CGI
        Servlet. Patch provided by Chris Halstead. (markt) |  |  | Fix usage of print on the servlet output stream if the processor never used
        a writer (fhanik) |  |  | Fix logic of sameSameObjects used to determine correct wrapping of request and
        response objects (fhanik) |  |  | Update TLD scan lists, and disable caching for now (remm) |  |  | Add system property to WebappClassLoader to allow disabling setting references
        to null when stopping it (remm) |  |  | Add clustered SSO code, submitted by Fabien Carrion (remm) |  | 
 | Coyote |  | 
    
      |  | 40860: Log exceptions and other problems during parameter
        processing. (markt) |  |  | Enable JMX for trust store attributes for SSL connector. (markt) |  |  | Port memory usage reduction changes to the java.io HTTP connector. (remm) |  |  | MessageBytes.setString(null) will remove the String value. (remm) |  |  | 41057: Caching large strings is not useful and takes too much
        memory, so don't cache these (remm) |  |  | Add keepAliveTimeout attribute to most connectors (mturk, remm) |  | 
 | Jasper |  | 
    
      |  | Relax EL type validation for litterals. (remm) |  |  | Update some version numbers to 2.1. (funkman, remm) |  |  | Add xsds for JSP 2.1 (remm) |  |  | 41106: Update validation checks for EL to also include
        legacy 1.2 tags (remm) |  | 
 | 
 | Tomcat 6.0.2 (remm) | beta, 2006-11-23 |  | 
  | General |  | 
    
      |  | Various tweaks to distribution (remm, funkman) |  |  | Update Tomcat native to 1.1.7 (mturk) |  |  | Update to JDT 3.2.1 (remm) |  | 
 | Catalina |  | 
    
      |  | Fix EJB annotation interface (remm) |  | 
 | Coyote |  | 
    
      |  | Fix passing of the keystore password for the NIO connector (fhanik) |  | 
 | 
 | Tomcat 6.0.1 (remm) | alpha |  | 
  
  | Catalina |  | 
    
      |  | Refactor exception processing using Throwable.getCause to improve exception chaining (remm) |  |  | Remove dead code involving the Logger (funkman) |  |  | 37458: Fix some exceptions which could happen during classloading (markt) |  |  | 40817: Fix CGI path (markt) |  |  | 34956: Add the possibility to enforce usage of request and response
        wrapper objects (markt) |  | 
 | Jasper |  | 
    
      |  | Many fixes for JSP 2.1 compliance, involving tag files handling, deferred expressions
        validation, bom encoding support (remm) |  | 
 | Coyote |  | 
    
      |  | Many HTTP NIO connector fixes and refactorings (fhanik) |  |  | HTTP NIO connector performance improvements (fhanik) |  |  | Add packetSize option for the classic AJP connector (jfclere) |  |  | Implement explicit flushing in AJP (mturk) |  | 
 | 
 | Tomcat 6.0.0 (remm) | alpha |  | 
  | Catalina |  | 
    
      |  | SSLEngine attribute added to the AprLifecycleListener(fhanik) |  |  | Add API for Comet IO handling (remm, fhanik) |  |  | Servlet 2.5 support (remm) |  | 
 | Jasper |  | 
    
      |  | JSP 2.1 support (jhook, remm) |  |  | Unifed EL 2.1 support (jhook) |  | 
 | Coyote |  | 
    
      |  | SSLEnabled attribute required for SSL to be turned on, on all HTTP connectors (fhanik) |  |  | Memory usage reduction for the HTTP connectors, except java.io (remm) |  |  | Modeler update to use dynamic mbeans rather than model mbeans, which consume more
        resources (costin) |  | 
 | Cluster |  | 
    
      |  | New cluster configuration and new documentation (fhanik) |  | 
 | 
 |