testing/tomcat9: upgrade to 9.0.78

Krassy Boykinov requested to merge chereskata/aports:tomcat9 into master

Changelog:

Tomcat 9.0.78 (remm)
Other

    Fix: Correct properties for JSign dependency. (rjung)

Tomcat 9.0.77 (remm)
Catalina

    Add: 59232: Add org.apache.catalina.core.ContextNamingInfoListener, a listener which creates context naming information environment entries. (michaelo)
    Add: 66665: Add org.apache.catalina.core.PropertiesRoleMappingListener, a listener which populates the context's role mapping from a properties file. (michaelo)
    Fix: Fix an edge case where intra-web application symlinks would be followed if the web applications were deliberately crafted to allow it even when allowLinking was set to false. (markt)
    Update: Add utility config file resource lookup on Context to allow looking up resources from the webapp (prefixed with webapp:) and make the resource lookup API more visible. (remm)

Coyote

    Fix: 66627: Restore the documented behaviour of MessageBytes.getType() that it returns the type of the original content rather than reflecting the most recent conversion. (markt)
    Fix: 66635: Correct certificate logging on start-up so it differentiates between keystore based keys/certificates and PEM file based keys/certificates and logs the relevant information for each. (markt)

WebSocket

    Fix: Improve handling of error conditions for the WebSocket server, particularly during Tomcat shutdown. (markt)
    Fix: Correct a regression in the fix for 66574 that meant the WebSocket session could return false for onOpen() before the onClose() event had been completed. (markt)

Web applications

    Add: Documentation. Expand the security guidance to cover the embedded use case and add notes on the uses made of the java.io.tmpdir system property. (markt)
    Fix: 66662: Documentation. Fix a typo in the name of the algorithms attribute in the configuration section for the Digest authentication valve. Pull request #629 provided by gohilmca. (markt)

Other

    Add: Include the Windows specific binary distributions in the files uploaded to Maven Central. (markt)
    Add: Improvements to French translations. (remm)
    Add: Improvements to Japanese translations. Contributed by tak7iji. (markt)
    Update: Update UnboundID to 6.0.9. (markt)
    Update: Update Checkstyle to 10.12.1. (markt)
    Update: Update BND to 6.4.1. (markt)
    Update: Update JSign to 5.0. (markt)

2023-06-09 Tomcat 9.0.76 (remm)
Catalina

    Add: Add RateLimitFilter which can be used to mitigate DoS and Brute Force attacks. (isapir)
    Code: Move the management of the utility executor from the init()/destroy() methods of components to the start()/stop() methods. (markt)
    Add: Add org.apache.catalina.core.StandardVirtualThreadExecutor, a virtual thread based executor that may be used with one or more Connectors to process requests received by those Connectors using virtual threads. This Executor requires a minimum Java version of Java 21. (markt)
    Fix: 66513: Add a per session Semaphore to the PersistentValve that ensures that, within a single Tomcat instance, there is no more than one concurrent request per session. Also expand the debug logging to include whether a request bypasses the Valve and the reason if a request fails to obtain the per session Semaphore. (markt)
    Fix: 66609: Ensure that the default servlet correctly escapes file names in directory listings when using XML output. Based on pull request #621 by Alex Kachanov. (markt)
    Add: 66618: Add a numeric last modified field to the XML directory listings produced by the default servlet to enable sorting in the XSLT. Pull request #622 by Alex Kachanov. (markt)
    Fix: 66621: Attempts to lock a collection with WebDAV may incorrectly fail if a child collection has an expired lock. (markt)
    Fix: 66622: Deprecate the xssProtectionEnabled setting from the HttpHeaderSecurityFilter and change the default value to false as support for the associated HTTP header has been removed from all major browsers. (markt)

Coyote

    Update: Update the HTTP/2 implementation to use the prioritization scheme defined in RFC 9218 rather than the one defined in RFC 7540. (markt)
    Fix: 66602: not sending WINDOW_UPDATE when dataLength is ZERO on call SwallowedDataFramePayload. Pull request #619 by ledefe. (lihan)

WebSocket

    Fix: 66548: Expand the validation of the value of the Sec-Websocket-Key header in the HTTP upgrade request that initiates a WebSocket connection. The value is not decoded but it is checked for the correct length and that only valid characters from the base64 alphabet are used. (markt)

Other

    Update: Update to Commons Daemon 1.3.4. (markt)
    Add: Improvements to French translations. (remm)
    Update: Update Checkstyle to 10.12.0. (markt)
    Update: Update the packaged version of the Apache Tomcat Native Library to 1.2.37 to pick up the Windows binaries built with OpenSSL 1.1.1u. (markt)

Edited by Krassy Boykinov
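
The Sec-WebSocket-Key check described in the 9.0.76 WebSocket entry (66548) can be sketched as follows. This is an added example, not Tomcat's code and not part of the merge request; the class and method names are hypothetical, and the 24-character length with trailing `==` is an assumption taken from RFC 6455, which defines the key as a base64-encoded 16-byte nonce.

```java
import java.util.LinkedHashMap;
import java.util.Map;

public class WebSocketKeyCheck {

    // Assumption from RFC 6455: a 16-byte nonce encodes to 22 alphabet
    // characters followed by "==" (24 characters in total).
    private static final int KEY_LENGTH = 24;
    private static final int DATA_CHARS = 22;

    static boolean isBase64Char(char c) {
        return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z')
                || (c >= '0' && c <= '9') || c == '+' || c == '/';
    }

    /** Structural check only: the value is never decoded. */
    static boolean isValidKey(String key) {
        if (key == null || key.length() != KEY_LENGTH) {
            return false;
        }
        for (int i = 0; i < DATA_CHARS; i++) {
            if (!isBase64Char(key.charAt(i))) {
                return false;
            }
        }
        return key.charAt(22) == '=' && key.charAt(23) == '=';
    }

    public static void main(String[] args) {
        // Constructed sample header values, not captured traffic.
        Map<String, Boolean> samples = new LinkedHashMap<>();
        samples.put("dGhlIHNhbXBsZSBub25jZQ==", true);      // RFC 6455 example key
        samples.put("dGhlIHNhbXBsZSBub25jZQ", false);       // padding stripped
        samples.put("dGhlIHNhbXBsZSBub25jZQ==\r", false);   // trailing control character
        samples.put("dGhlIHNhbXBsZS_ub25jZQ==", false);     // URL-safe alphabet character
        samples.put("dGhlIHNhbXBsZSBub25jZVBhZA==", false); // longer than 24 characters
        samples.put("", false);                             // empty header value
        for (Map.Entry<String, Boolean> e : samples.entrySet()) {
            boolean ok = isValidKey(e.getKey());
            if (ok != e.getValue()) throw new AssertionError(e.getKey());
            System.out.println((ok ? "accept " : "reject ") + '"' + e.getKey().trim() + '"');
        }
    }
}
```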
