<author email="fhanik@apache.org">Filip Hanik</author>
<author email="rjung@apache.org">Rainer Jung</author>
<author email="pero@apache.org">Peter Rossbach</author>
<author email="kkolinko@apache.org">Konstantin Kolinko</author>
<title>Changelog</title>
<section name="Tomcat 6.0.20 (remm)">
<section name="Tomcat 6.0.24 (jfclere)">
<subsection name="Catalina">
Correct TCK failures with security manager caused by the original fix
for <bug>47774</bug>. (markt)
<subsection name="Other">
Remove broken link in README.html. (jfclere)

Add <code>.notice</code> files to the set of files that have their line
endings changed. (markt)

<code>.zip</code> distributions should have Windows line endings.
<section name="Tomcat 6.0.23 (jfclere)">
<subsection name="Catalina">
<bug>47774</bug>: Ensure web application class loader is used when
calling session listeners. (markt)

<bug>48006</bug>: Add additional information to the optional
X-Powered-By header to align with the content suggested in the Servlet
specification. (markt)

<bug>48345</bug>: Sessions timed out too early when using
PersistentManager. Patch provided by Keiichi Fujino. (markt)

<bug>48398</bug>: Make objects used as locks final to ensure correct
operation. Patch provided by sebb. (markt)

<bug>48417</bug>: Update French translations. Patch provided by André
Warnier. (markt/kkolinko)

<bug>48421</bug>: Fix file descriptor and potential memory leak when a
web application uses a local logging.properties file. Allow a web
application's log files to be deleted once the web application has been

<bug>48454</bug>: Ensure stderr is completely read before terminating
the CGI process. Patch provided by Markus Grieder. (markt)

<bug>48516</bug>: Prevent NPE in JNDIRealm if requested user does not
exist. Patch provided by Kevin Conaway. (markt)

Fix implementation of log buffer size and provide a cleaner interface.
<subsection name="Coyote">
Update version of native bundled in Windows installer to 1.1.19. (mturk)

Update recommended version for native to 1.1.19. (rjung)

<bug>48004</bug>: Allow web applications to set the HTTP
<code>Server</code> header. (markt)

<bug>48470</bug>: Ensure Tomcat does not lock up if shut down under
<subsection name="Jasper">
<bug>47977</bug>: Using a body with a tag that has an empty body should
cause an error. (markt)

<bug>48112</bug>: Correct handling of } character in literals when parsing
expressions. This also improves the fix for <bug>47413</bug>. (markt)
<subsection name="Webapps">
<bug>48530</bug>: Add information on the Manager Server Status page to
the Manager How-To in the documentation webapp. Based on a patch by

<bug>48532</bug>: Add information to the BIO/NIO SSL configuration page
in the documentation web application to specify how the defaults for the
various trust store attributes are determined. (markt)
<subsection name="Other">
Remove hard coded version numbers and instead apply version filter
already defined in ant scripts. (rjung)

<bug>47609</bug>: Correct regression in previous fix. (markt)

<bug>48464</bug>: Provide an option to specify the command window title
in catalina.bat on Windows. Patch provided by LiuYan. (markt)

Add some missing deprecation markers for
<code>javax.servlet.jsp.JspContext</code>. (markt/kkolinko)
<section name="Tomcat 6.0.22 (jfclere)" rtext="not released">
<subsection name="Catalina">
Log errors if a web application starts a thread but fails to stop the
thread when the web application stops or is reloaded. Failure to stop a
thread is very likely to result in a memory leak. (markt)

Provide an option to stop any threads a web application starts but fails
to stop when the web application stops or is reloaded. Using this option
is very likely to result in instability and should be viewed as a last
resort in development and is not recommended at all in production.

Log errors if a web application creates a ThreadLocal but fails to clear
it when the web application stops or is reloaded. Failure to clear a
ThreadLocal is very likely to result in a memory leak. (markt)

Clear any unintentional references remaining in
<code>sun.rmi.transport.Target</code> when the web application stops or
is reloaded. Failure to clear these is very likely to result in a memory
<subsection name="Coyote">
Remove unneeded line from the method that normalizes decodedURI.
<subsection name="Other">
Correct MD5 generation in the build process. (jfclere/kkolinko)

<bug>47609</bug>: Provide fail-safe EOL conversion for build process.
Based on patches by sebb/kkolinko. (markt)
<section name="Tomcat 6.0.21 (jfclere)" rtext="not released">
<subsection name="Catalina">
Fix issues with expression language when running under a
SecurityManager. (markt)

Remove duplicate mime-mapping entries in web.xml. Re-order entries
alphabetically to make it easier to identify duplicates. (markt)

Use a more sensible default (webapps) for a Host's appBase.

<bug>37794</bug>: Support the parsing of parameters from chunked POSTs.

<bug>37984</bug>: Strip {MD5} as well as {SHA} if present in digest
passwords in LDAP directories. (markt)

<bug>38352</bug>: Allow JSPs to write to the directory defined by
<code>javax.servlet.context.tempdir</code> when running under a security

<bug>39231</bug>: Call LoginContext.logout() when using JAAS realm and
session expires. (markt/kkolinko)

<bug>40380</bug>: Fix potential synchronization issue in
StandardSession.expire(). (markt)

<bug>41059</bug>: Reduce chances of errors when ENABLE_CLEAR_REFERENCES
is used. Patch provided by Curt Arnold. (markt)

<bug>43343</bug>: Fix additional concurrency issues identified with the
persistent session manager. (markt)

<bug>44041</bug>: Fix threading issue in WebappClassLoader that can lead
to duplicate class definition under high load. (markt/fhanik)

<bug>44943</bug>: Use the same engine name in server.xml comments to
reduce copy and paste issues. (markt/kkolinko)

<bug>45255</bug>: Provide protection against session fixation by
changing session ID automatically on authentication. (markt/kkolinko)

<bug>45403</bug>: Add additional checks on web application deployment
and do not swallow IO errors. (kkolinko)

<bug>45785</bug>: Additional fix required for the extension validator.
Based on a patch by Rolf Wojtech. (markt)

<bug>46908</bug>: Try to support Java encoding names when using an XML
parser provided via the endorsed mechanism. (markt)

<bug>46967</bug>: Better handling of errors when trying to use
Manager.randomFile. Based on a patch by Kirk Wolf. (markt)

<bug>47046</bug>: Unregister all MBeans, including when non-default
engine names are used. (markt)

Use native2ascii to ensure non-ASCII characters in property files are
handled correctly in all circumstances. (markt)

<bug>47050</bug>: Remove unnecessary filtering of error messages.

<bug>47080</bug>: Fix NPE in RealmBase when uri is null. (markt)

<bug>47158</bug>: Fix some thread safety issues in the AccessLogValve.

<bug>47228</bug>: Correct French translations. Patch provided by sebb.

<bug>47299</bug>: Simplify code and make embedding easier. (markt)

<bug>47316</bug>: Allow different values for Service name and Engine
name. This corrects a regression introduced by the fix for
<bug>42707</bug>. (markt)

<bug>47343</bug>: Editing context.xml for a directory should not delete
the directory. This was a regression caused by the fix for
<bug>42747</bug>. (markt)

<bug>47364</bug>: Improve Javadoc for
org.apache.catalina.connector.Request.getAttributeNames() to include
information on the handling of Tomcat's internal request attributes.

<bug>47451</bug>: Don't throw an NPE if the various response.setHeader()
methods are called with null header name, zero length header name or
null value. Silently ignore the calls in the same way they are ignored
if the response has already been committed. (markt)

<bug>47462</bug>: Allow individual web applications to override metadata
complete if set in the global web.xml. Patch provided by Keiichi Fujino.

<bug>47495</bug>: Provide a more meaningful error message if server.xml
is not readable and exit immediately if a server cannot be created.

<bug>47518</bug>: Correct reference in Valve Javadoc that referred to an
old method. Patch provided by Christopher Schultz. (markt)

<bug>47537</bug>: Return an error page rather than a zero length 200
response if the forward to the login or error page fails during FORM
authentication. (markt)

<bug>47718</bug>: Fix file descriptor leak on context stop/reload. Patch
provided by George Sexton. (markt)

<bug>47796</bug>: Fix OpenEJB integration. Reset annotation processor on
context stop. (markt)

<bug>47826</bug>: Correct error in debug message in
org.apache.catalina.Bootstrap (markt)

<bug>47836</bug>: Clear cached TLD information on context reload.

<bug>47841</bug>: When using the CombinedRealm, if one of the nested
Realms fails to start, skip that Realm rather than preventing the
CombinedRealm from starting. (markt)

<bug>47881</bug>: Fix processing of startd and stopd arguments. Patch
provided by Qingyang Xu. (kkolinko)

<bug>47918</bug>: Correct mbean descriptors for the host deployer. Patch
provided by Uwe Günther. (markt)

<bug>47930</bug>: Fix thread safety issues on session swap-in in the
persistent session manager. (markt/kkolinko)

<bug>47976</bug>: Correct usage message and Javadoc for
<code>org.apache.catalina.startup.Catalina</code>. (markt)

<bug>47997</bug>: Ensure the NamingContextListener applies to all naming
contexts, not just the global one. Patch provided by Michael Allman.

<bug>48049</bug>: Fix copy and paste error so
<code>NamingContext.destroySubContext()</code> works correctly.
Patch provided by gingyang.xu (markt)

<bug>48097</bug>: Make WebappClassLoader not swallow
AccessControlException. (kkolinko)

<bug>48097</bug>: Avoid throwing an AccessControlException which can
lead to a NoClassDefFoundError on first access of first jsp.

<bug>48257</bug>: Correct error in Spanish translations. Patch provided
by Guillermo Gutiérrez. (markt)

<bug>48306</bug>, <bug>48307</bug>: Correct French translations. Patches
provided by Marc Paquette. (markt)

<bug>48322</bug>: Single quote characters are not HTTP separators and
should not be treated as such in the cookie handling. (markt)

<bug>48413</bug>: Correct some French translations. Patch provided by
André Warnier. (markt)

Deprecate the <code>caseSensitive</code> option on the
<code>StandardContext</code> which will be removed in Tomcat 7 onwards.

Log deployments consistently for WAR, directory and descriptor

Better logging for parameter decoding issues to help identify broken

Update Apache Commons Pool from 1.4 to 1.5.4. This update includes
various fixes to prevent deadlocks, reduces synchronization and makes
object allocation occur fairly - i.e. objects are allocated to threads
in the order that the threads request them. This update fixes a number
of issues in Tomcat's built-in copy of DBCP. (markt)

Allow log file encoding to be configured for JULI FileHandler. (kkolinko)

Provide debug logging for JNDI lookups. (markt)

Correct JDBC driver de-registration on web application stop and fix NPE
that is exposed by the fix. (markt)

Ensure JDBC driver de-registration works with a security manager.

<bug>48214</bug>: Ensure JDBC driver de-registration is not too zealous.

Various JNDI realm improvements for Active Directory. These include the
ability to specify a default role, optional handling for nested roles
and an option to ignore PartialResultExceptions. (markt)

Expose Servlet Filters via JMX. Based on a patch by Xie Xiaodong as part

Tomcat now uses the Platform MBean server by default so all MBeans
registered by Tomcat will be exposed via JMX (e.g. via JConsole) without
requiring any additional configuration. (markt)

The JMX Remote Lifecycle Listener allows the ports used by JMX to be
fixed, making it easier to configure firewalls to allow JMX traffic to
pass through. Part of the extras package. (markt)

Make context deployment error message for fixDocBase() more meaningful.

Add an additional permission required by JULI when running under newer
JDKs and a security manager. (markt)

Remove unnecessary reference to tomcat-coyote.jar from the bootstrap JAR

Use correct method to create URLs in VirtualWebappLoader. (kkolinko)

Provide a new listener to protect against a memory leak caused by a
change in the Sun JRE from version 1.6.0_15 onwards. Also include
protection against locked JAR files, memory leaks triggered by
XML parsing and the GC Daemon. (markt)

Don't swallow exceptions in ApplicationContextFacade.doPrivileged()

Close resource stream in WebappClassLoader after read error. (pero)

Include attribute name in the text of Non-serializable exception
that might be thrown by Session.setAttribute() in distributable
applications. (mturk)

Add RemoteIpValve, a port of mod_remoteip. Patch provided by Cyrille Le

Allow per instance configuration of JULI or log4j for core Tomcat
logging when using CATALINA_BASE. (markt/kkolinko)

Prevent NPE in JULI during shutdown when resources try to log messages
after JULI has been shut down. (fhanik/kkolinko)

Make the JULI FileHandler easier to extend. (fhanik)

Make buffer size for FileHandler configurable. (fhanik)

Make JULI FileHandler thread safe. (fhanik)

Provide an option to disable buffering in the JULI FileHandler.

Ensure log messages are not lost on shutdown. (markt)

Provide an option to allow the equals character in unquoted cookie

Add support for a connectionTimeout parameter to the JNDIRealm. (markt)

Various (un)deployment related improvements including better handling of
failed (un)deployment, additional checking for valid zip entries that
don't make sense in a WAR and improved validation of WAR file names.
<subsection name="Coyote">
<update>Implement <code>socket.unlockTimeout</code> attribute for NIO connector.</update>

Update version of native bundled in Windows installer
to 1.1.18. (kkolinko)

Update minimum required version for native to 1.1.17. (rjung)

<bug>46950</bug>: Fix doing SSL renegotiation when a resource with CLIENT-CERT
auth is requested. (markt)

Align tcnative native and Java method names. (rjung)

<update>Don't report thread count from connector if an external executor is used.</update>

<bug>39637</bug>: Enable the AJP connectors to correctly handle client
certificate chains. Patch by Patrik Schnellmann. (markt)

<bug>46985</bug>: Clean up code and remove impossible condition.

<bug>47225</bug>: Fix error in calculation of a buffer length in the

<bug>47320</bug>: Don't rely on the platform default encoding being
suitable to parse the session ID. (markt)

<bug>47499</bug>: Don't swallow bind exceptions. (markt)

<bug>47744</bug>: Prevent a medium term memory leak if using SSL with
the JSSE provider and also using a security manager. Based on a patch by

<bug>47963</bug>: Ensure that any HTTP status messages are compliant
with RFC2616. (markt/kkolinko)

<bug>47987</bug>: Limit size of not found resources cache. (markt)

<bug>48009</bug>: Protect against the situation where editing a
context.xml file may result in the file disappearing for a very short

Use correct connector attribute (SSLEnabled) rather than secure to
determine if SSL should be used. (fhanik)

Provide a workaround for CVE-2009-3555, the TLS renegotiation issue, for
the default Blocking IO Java connector.

<bug>48252</bug>: Fix stack overflow exception when setting jkHome on
NIO connector. (fhanik)

<bug>48311</bug>: Only the APR lifecycle listener should try and
initialise APR. (markt)
<subsection name="Jasper">
<bug>38797</bug>: Fix a regression in the previous patch for
<bug>37933</bug>. (markt)

<bug>38897</bug>: Add uri of broken TLD to error message to aid

<bug>41661</bug>: Fix thread safety issue with JspConfig.init() (markt)

<bug>41824</bug>: Need to use canonical rather than binary form when
writing code. (markt)

<bug>42390</bug>: Fix compilation issue with some nested tag files and
simple tags. (kkolinko/markt)

<bug>43656</bug>: Correctly coerce <code>null</code> to zero when the
target type is <code>Number</code>. (markt)

<bug>46907</bug>: Don't swallow input stream when debug logging is

<bug>47318</bug>: Process directives found in include preludes and

<bug>47331</bug>: Treat uninterpreted tags as template text for JSP.2.2.

<bug>47413</bug>: Ensure expressions of the form "${a}${b}"
are correctly coerced to String. (kkolinko)

<bug>47453</bug>: Handle void return types for deferred methods.

Remove the code that auto-detects the value for compilerSourceVM,
compilerTargetVM options of Jasper, because we know that this version
of Tomcat cannot run on JDK 1.4 and thus the value is always "1.5".

Change default values for JDK version compliance options of JspC
(-source and -target when running from command line)
to be "1.5", to be the same as the ones used by Jasper servlet.

Make constants in the TagHandlerPool really constant. (markt)

When development mode is enabled and a JSP is deleted, ensure next
request for that JSP is consistent with the JSP having been removed.

<bug>48019</bug>: Be more careful about skipping content that does not
need to be parsed. (markt)

Better handling of exception in JSP if parsed JSP source is not
<subsection name="Cluster">
DeltaSession needs endAccess so that CrossContext replication works. (pero)

DeltaManager needs to replicate changed attributes even if session
gets invalidated. Otherwise session listeners will not see the right
data on the secondary nodes. (rjung)

Spurious startup errors during session transfer.
Sessions get transferred, but node still waits until timeout. (rjung)

Perform deserialization events with context class loader. (fhanik)

<bug>47515</bug>: Correctly replicate timestamp during startup. (fhanik)

<bug>47478</bug>: Call replication listeners when using BackupManager. (fhanik)

<bug>47369</bug>: Reset data diff after replication. (fhanik)

<bug>40551</bug>: Enable the JvmRouteBinderValve to work with
PersistentManagers as well as clustering. Based on a patch by Chris

<bug>47342</bug>: Fix potential NPE on replicated context start. Patch
provided by Keiichi Fujino. (markt)

<bug>47389</bug>: DeltaManager doesn't do session replication if
notifySessionListenersOnReplication=false.
Patch by Keiichi Fujino. (fhanik)

<bug>47502</bug>: Don't replicate session attributes known not to be
serializable. (funkman)

<bug>47554</bug>: Include httpOnly attribute when re-writing session
cookie after fail over. (markt)

<bug>47799</bug>: Enable the domain to be configured for Membership and
DomainFilterInterceptor. Patch provided by Keiichi Fujino. (markt)

<bug>48113</bug>: Display IP addresses using 0 to 255 rather than -128
to +127. Based on a patch by Quintin Beukes. (fhanik/kkolinko)
<subsection name="Webapps">
<bug>41564</bug>: Add some documentation on installing Tomcat as a
service on operating systems with User Account Control, e.g. Vista.

<bug>47161</bug>: Report thread count correctly in Manager when executors
are used and return -1 when it cannot easily be determined. (markt)

<bug>47235</bug>: Remove use of autoReconnect from MySQL examples.

<bug>47324</bug>: Fix submit URL for session list page so it works
behind a reverse proxy. Patch provided by Maik Jablonski. (markt)

<bug>47425</bug>: Add crlFile attribute to the SSL configuration
documentation. (markt)

<bug>47444</bug>: Remove Jakarta references from the documentation.

<bug>47656</bug>: Add information to documentation on system property
replacement in configuration files. (markt)

<bug>47705</bug>: Fix division by zero error in the manager when trying
to expire sessions when the session timeout is set to infinite.

Fix display of session information pages of Manager application
in Internet Explorer. (kkolinko)

Do not reuse windows (tabs) for session detail pages in Manager
application. (kkolinko)

<bug>47769</bug>: Clarify the JNDI docs with respect to use of
&lt;resource-ref&gt; and related elements, specifically when they are
required and when they may be omitted. (markt)

<bug>48381</bug>: Add information on how Tomcat treats host names to the
host configuration documentation. (markt)
<subsection name="Other">
<bug>37847</bug>: Make location and filename of catalina.out configurable
in catalina.sh. (fhanik)

<bug>37848</bug>: Re-fix not outputting info messages when there is no

<bug>39194</bug>: Make classpath configuration consistent in the startup
scripts. (markt/kkolinko)

Update Tomcat Windows service application (procrun) to version 2.0.5.
It contains a fix for issue <bug>41538</bug>. (mturk)

<bug>40786</bug>: Include 64-bit Windows service wrapper in
distributions. Update the Windows installer to automatically use the
correct binary on 64-bit machines. (markt)

Update Windows Installer to use NSIS 2.45. They say that this version
provides support for the upcoming Microsoft Windows 7. (kkolinko)

Don't add blank lines to end of files when fixing line-endings for
tar.gz distribution. (markt)

Use explicit encoding during filtering operations when building Tomcat
for distribution. (kkolinko)

Remove references to unused commons-collections from the build scripts.

Fix download task check for commons-pool and commons-dbcp in the
build scripts. (kkolinko)

Include deployer-howto.html in the deployer distribution. (kkolinko)

<bug>47149</bug>: Build scripts: Explicitly specify encoding when
compiling. (kkolinko)

<bug>47267</bug>: Ensure release notes displayed by Windows installer
have CRLF line-endings regardless of which OS the install package is
built on. (markt/kkolinko)

Include NOTICE, LICENSE and manifest files in all Tomcat JARs and add a
mechanism to the build process to enable these files to be customised
per JAR as required. (markt)

<bug>47699</bug>: Provide better handling of PID files. (markt)

<bug>47824</bug>: Make Servlet API an optional dependency for JULI when

Add support for per instance (using $CATALINA_BASE) log4j.properties
files, JDBC drivers etc by adding ${catalina.base}/lib and
${catalina.base}/lib/*.jar to the start of the common loader class

Correct CVE-2009-3548. When installed via the Windows installer and
using defaults, don't create an administrative user with a blank
password. Additionally, the administrative user is only created if the
manager or host-manager web applications are selected for installation.

Further improvements to the administrative user name and password
handling in the Windows installer. (kkolinko)
<section name="Tomcat 6.0.20 (remm)" rtext="released 2009-06-03">
<subsection name="Catalina">