Binary package hint: tomcat6

Tomcat 6.0.18 was released on Jul 31 as a security release to fix CVE-2008-1232, CVE-2008-1947, CVE-2008-2370 and CVE-2008-2938. There was however significant bugfix work for the (doa) 6.0.17 release. Here is the combined upstream changelog:

== Tomcat 6.0.18 ==

* Catalina
  fix 42727: Correctly handle request lines that are exact multiples of 4096 in length. Patch provided by Will Pugh.
  fix 42678: Only ignore docBase if it really is a subdir of appBase. Patch provided by juergen. (markt)
  fix 42722: Possible NPE in CGI Servlet. (markt)
  upd 45285: Look for annotations in class hierarchy. (markt)
  fix Add additional checks for URI normalization. (remm)

* Jasper
  fix 42565: Make EL ternary expression without space before colon work. Patch provided by Lucas Galfaso. (markt)

* Webapps
  upd 45323: Add note that context.xml files can only contain a single Context element. (markt)

* Cluster
  upd 45317: Properly document and log the value of the state transfer timeout flag. (fhanik)

== Tomcat 6.0.17 ==

* General
  upd 45315: Add Unix support for NSIS. (remm)

* Catalina
  fix 45272: Put in work around for Internet Explorer not accepting a quoted Path: value using the Set-Cookie header. (fhanik)
  fix APR connector now adds connection to poller after using send file. (remm)
  upd Add ManagerBase session getLastAccessedTimestamp and getCreationTimestamp for better remote JMX access. (pero)
  upd Expose alwaysSend flag for message dispatch interceptor. (fhanik)
  fix 29936: Create digesters and parsers earlier so we aren't using the webapp class loader when we create them. (markt)
  fix 42662: Properly resolve reflection proxies during session replication. (fhanik)
  fix 42750: Request line should be tolerant of multiple whitespaces. (markt/fhanik)
  fix 42934: Change the order of events on context start so the contextInitialized() event is fired before sessionDidActivate(). The spec isn't 100% clear on the required order but this seems more logical than the current behaviour. (markt)
  fix 43079: Fix identification of suspicious URL patterns. Patch provided by John Kew. (markt)
  fix 43080: Log suspicious URL patterns to the correct web app. (markt)
  fix 43117: Setting an empty workDir could result in all of CATALINA_HOME being deleted. Patch provided by Takayuki Kaneko. (markt)
  fix 43142: Don't assume a directory named xxx.war is a war file. (markt)
  fix 43150: Allow Tomcat to start correctly when installed on a path that contains a # character. (markt)
  add The fix for 43285 had the side-effect of coercing null values to zero. This side-effect has been made configurable with a system property, org.apache.el.parser.COERCE_TO_ZERO, which defaults to true. Patch provided by Nils Eckert. (markt)
  fix 43343: Correctly handle requesting a session we are in the middle of persisting. Based on a suggestion by Wade Chandler. (markt)
  fix 43425: Make annotations spec compliant. Patch provided by Dain Sundstrom. (markt)
  fix 43470: Fix various class cast exceptions. Based on a patch by Lucas Galfaso. (markt)
  fix 43578: Fix startup when installation path contains a space. Patch provided by Ray Sauers. (markt)
  fix 43683: Fix 404 that could occur if a Servlet is accessed while the context is reloading. (markt)
  fix ExtendedAccessLogValve cs-uri not printing empty querystring. (pero)
  upd ServletContext.getResource("noslash/resource") only requires a forward slash if the STRICT_SERVLET_COMPLIANCE flag is set to true. This mimics the behavior of 6.0.15 and earlier. (fhanik)
  fix 44021: Add support for using the # character to define multi-level contexts in WARs and directories in the appBase. (markt)
  fix 44282: Fix TRACE level class loader logging message when a security manager is used. (markt)
  fix 44337: Dir listing crashes if no readme file is present. (funkman)
  fix If a listener is declared in web.xml, only add it once. (funkman)
  fix Fix NPE when iterating through sessions for expiration. (fhanik/jim)
  fix 44380: Don't scan non-file URLs for TLDs. Patch provided by Florent Benoit. (markt)
  fix 44389: Fix memory leak that occurred if using a RequestDispatcher. Patch provided by Arto Huusko. (markt)
  fix 44529: Correct handling of resource constraints so no roles (deny all) overrides no auth-constraint (allow all). (markt)
  fix 44562: HEAD requests cannot use includes. Patch provided by David Jencks. (markt)
  fix 44595: Add possibility to request the QueueSize of an executor via JMX. (jfclere)
  fix Fix CGI Servlet so it correctly reads the environment variables on Vista. (markt)
  fix 44611: DirContextURLConnection didn't implement getHeaderFields(), and getHeaderField(String name) was case sensitive and returned "" rather than null for header values that did not exist. Patch provided by Chris Hubick. (markt)
  fix 44633: Provide a more helpful error message if a class can't be loaded due to a version error. (rjung/markt)
  fix 44646: Correct various issues, including an ISE, in CometConnectionManagerValve. (markt)
  fix 44673: ServletInputStream is no longer readable once closed. (markt)
  fix Better handling of lack of permission for context specific logging. (markt)
  fix Add permission required to read JDK logging config. (markt)
  fix Update web.xml to reflect packaging of SSI and CGI. (markt)
  fix Add missing access check for ThreadWithAttributes. (markt)
  fix 44833: Correctly override StandardSession methods from DeltaSession. (fhanik)
  fix 44943: Use the same engine name in server.xml comments to reduce copy and paste issues. (markt)
  fix 44988: Use Java5 syntax for debug options. Patch provided by Cedrik Lime. (markt)
  fix 45101: Format header dates obtained from DirContextURLConnection as per the HTTP spec. Patch provided by Chris Hubick. (markt)
  add A new valve, org.apache.catalina.valves.WebdavFixValve, that forces MS clients connecting to the WebDAV Servlet on port 80 to use a client that works rather than the default broken one. (markt)
  fix 45195: Passing null into setAttribute or removeAttribute caused an NPE. (markt)

* Coyote
  upd NIO: Fix bug in NIO sendfile; the symptom during heavy traffic is that connections don't get closed. For previous versions, one can disable sendfile to work around the problem. (fhanik)
  upd APR: Allow specifying the "random device" to use to collect the entropy. (jfclere)
  upd Fix NIO/SSL live lock during client disconnect. (fhanik)
  fix Fix possible ArrayIndexOutOfBoundsException. Patch provided by Charles R Caldarale. (markt/jim)
  upd Add support for keystore types that do not need a file. Based on a patch by Bruno Harbulot. (markt)
  upd 43094: Allow specification of keystore providers. Based on a patch by Bruno Harbulot. (markt)
  fix 43191: Make it possible to override the defaults with the compressableMimeType attribute. Based on a patch by Len Popp. (markt)
  fix 44391: Correct handling of escaped values in SSI processing. (markt)
  fix 44392: HTML entities now handled correctly in SSI processing. (markt)
  fix 44558: Improve error message so the address is included if binding fails. (markt)
  fix 44494: Character input limited to 8KB. (remm)
  fix 44620: Infinite loop in NIO connector. (markt)
  fix 44785: Correctly document default maxThreads for AJP connector. (markt)
  upd Log errors for AJP signoffs at DEBUG level, since it is harmless if mod_jk has hung up the phone. (billbarker)
  fix 44968: Provide more information when the load of a keystore fails. (markt)

* Jasper
  fix 31257: Quote endorsed dirs if they contain a space. (markt)
  fix 42943: Make sure nested element is inside element before throwing exception. (markt)
  fix 43617: Correctly escape attribute values in tag files. Based on a patch by Lucas Galfaso. (markt)
  fix 43656: Fix various numeric coercion bugs. Includes a patch by Nils Eckert and fixes related issues identified in a test case provided by Konstantin Kolinko. (markt)
  fix 43741: Correctly handle dependencies for tag files in JARs. (markt)
  fix 44408: Reduce synchronisation when evaluating EL expressions. Patch provided by Robert Andersson. (markt)
  fix 44428: Fix possible NPE during serialization. (markt)
  fix 44766: EL doesn't coerce custom Number subclasses. (markt)
  fix 44877: Prevent collisions on tag pool names. (markt)
  fix 44986: Make page encoding consistency checks case-insensitive. (markt)
  fix 44994: Enable nested conditional expressions in JSP EL. Patch provided by James Manger. (markt)
  fix 45015: You can't use an unescaped quote if you quote the value with that character. (markt/fhanik)
  add Add HTML filtering of error messages for included resources in case the app has tried to include an unsafe URL that does not exist. This is really an app responsibility but the filtering has been added for XSS safety. (markt)

* Webapps
  upd Update documentation to use the correct version number, correct file paths and to use $CATALINA_BASE rather than $CATALINA_HOME where applicable. (markt/jim)
  add Add a section on available system property configuration options. (markt)
  fix Amend the JNDI datasource doc to reflect the new value for "no limit" used by updated commons-pool and commons-DBCP. (markt)
  fix 43333: Fix errors in sendfile documentation. (markt)
  fix 43366: Provide backwards compatibility for manager sessions command. (markt)
  fix 44541: Document packetSize attribute for AJP connector. (markt)
  fix 44715: Document secret attribute for AJP connector. (markt)
  fix Fix some links in the ROOT application that are broken if ROOT is renamed. (markt)
  fix Align the Realm documentation so that both the configuration and the how-to are consistent. (markt)
  fix 45277: Fix typo in logging docs. (markt)

* Cluster
  fix 45212: AbstractReplicatedMap.entrySet() now returns entries rather than values. (markt)
  fix 45279: Properly close multicast socket.
  upd Fix session replication dead lock during non sticky load balancing. (fhanik)

* Other
  add Improve the unit tests for the cookie issues. (jfclere)
  fix Fix build for JavaDoc. Patch provided by Stephen Bannasch. (markt)
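Of all the entries above, the 6.0.18 Catalina line "Add additional checks for URI normalization" is the one that maps most directly to the security release. The changelog does not say what the extra checks are, so the following is an added illustration rather than Tomcat's code or a description of the specific bug fixed: a standalone Python normalizer showing the checks a container has to make before it maps a request target to a file or a dispatcher path. It splits the query string off first, percent-decodes exactly once, refuses separators and NUL bytes that only appear after decoding, rejects malformed UTF-8, collapses dot segments with an explicit stack so that ".." can never climb above the root, and only then applies the WEB-INF/META-INF check, because a prefix check done before normalization is trivially bypassed. The function names, the UnsafePath error type and every sample input are constructed for this example.

```python
"""Illustrative request-path normalizer with traversal checks (added example,
not Tomcat code). Paths are treated as context-relative, i.e. the container
has already stripped the context path."""
from urllib.parse import unquote_to_bytes

# Servlet spec: resources under these top-level directories must never be
# served directly. The check is applied AFTER normalization.
PROTECTED_DIRS = {"WEB-INF", "META-INF"}


class UnsafePath(ValueError):
    """Raised for any request target that must be rejected outright."""


def normalize_request_path(raw: str) -> str:
    # 1. The query string is not part of the path; split on the first '?'
    #    before anything else so "?x=../../" can never reach the path logic.
    path, _, _query = raw.partition("?")
    if not path.startswith("/"):
        raise UnsafePath("path must be absolute")

    # 2. Percent-decode exactly once, as raw bytes, then look at what appeared.
    decoded = unquote_to_bytes(path)
    if b"\x00" in decoded:
        raise UnsafePath("NUL byte in path")
    # A '/' that exists only after decoding came from %2f; a backslash is never
    # a valid separator here. Both are classic ways to smuggle a segment
    # boundary past a check done on the undecoded string.
    if decoded.count(b"/") != path.count("/") or b"\\" in decoded:
        raise UnsafePath("encoded separator in path")
    # Python's strict UTF-8 decoder rejects overlong forms such as %c0%ae,
    # which decode to '.' in a lenient decoder.
    try:
        text = decoded.decode("utf-8")
    except UnicodeDecodeError:
        raise UnsafePath("invalid UTF-8 in path") from None

    # 3. Collapse '.' and '..' with an explicit stack. Popping an empty stack
    #    means the request tried to climb above the context root.
    segments = []
    for seg in text.split("/")[1:]:
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                raise UnsafePath("traversal above context root")
            segments.pop()
        else:
            segments.append(seg)

    # 4. Only now is a prefix check meaningful: "/a/../web-inf/x" has become
    #    "/web-inf/x". Compare case-insensitively.
    if segments and segments[0].upper() in PROTECTED_DIRS:
        raise UnsafePath("access to protected directory")

    result = "/" + "/".join(segments)
    if text.endswith("/") and result != "/":
        result += "/"
    return result


def check(raw: str):
    """Return ('ok', normalized_path) or ('rejected', reason) for one target."""
    try:
        return ("ok", normalize_request_path(raw))
    except UnsafePath as e:
        return ("rejected", str(e))


if __name__ == "__main__":
    # Constructed sample request targets, not captured traffic.
    samples = [
        "/docs/a/../b?x=1",
        "/docs/./%62ar",
        "/a//b/",
        "/docs/..%2f..%2fetc/passwd",
        "/docs/../../etc/passwd",
        "/%c0%ae%c0%ae/x",
        "/docs/../web-inf/web.xml",
        "/docs/index.jsp%00.txt",
    ]
    for s in samples:
        status, detail = check(s)
        print(f"{s:32} -> {status}: {detail}")
```

The order of the steps is the point: decode once, inspect the decoded bytes, collapse dot segments, and apply any name-based policy last. Decoding twice reopens the %252f hole, and checking for WEB-INF before collapsing ".." lets a traversal land there anyway.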