April 23, 2010

[installer 2340] Apache Tomcat 5.5.29

Apache Tomcat 5.5.29 is out.

Multiple security holes that were already fixed in the 6.0 branch back in January (with the 6.0.24 release) have finally been fixed and released for 5.5 as well ;(
See:
http://tomcat.apache.org/security-5.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2901
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2902
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3548

☆ Apache Tomcat 5.5.29
http://tomcat.apache.org/
http://archive.apache.org/dist/tomcat/tomcat-5/v5.5.29/src/apache-tomcat-5.5.29-src.tar.gz

Tomcat 5.5.29 (fhanik)
General
* 37847: Make location and filename of catalina.out configurable in
catalina.sh. (fhanik/kkolinko)
* 47609: Provide fail-safe EOL conversion for build
process. (sebb/markt/kkolinko)
* 47689: Enable the test Ant target to work. (markt)
* 47712: Loading tcnative was broken in 5.5.28. (rjung)
* Correct CVE-2009-3548. When installed via the Windows installer and
using defaults, don't create an administrative user with a blank
password. Additionally, the administrative user is only created if
the manager or host-manager web applications are selected for
installation. (markt/kkolinko)
* Deprecate the jni Buffer and Thread classes. (rjung)
* Include 32-bit and 64-bit versions of Tomcat Native DLLs into the
Windows installer, instead of downloading them from a web site
during install, and allow it to automatically select the correct one
for the current platform. (kkolinko/mturk)
* Update Windows installer to use NSIS 2.45. (kkolinko)
* Update to commons-pool 1.5.4. This fixes regressions in
1.5.2. (markt)
* Align server.xml installed by the Windows installer with the one
bundled in zip/tar.gz archives. (kkolinko)
* Encode all property files using ascii escaped UTF-8. (rjung)
* Correct MD5 generation in the build process. (kkolinko)
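The CVE-2009-3548 item above is a configuration problem (an administrative user created with a blank password), which makes it easy to audit on an existing install. The following is an added example, not code from the Tomcat project or from this post: it parses a tomcat-users.xml and reports every account whose password attribute is empty, rating it high when the account holds a manager or admin role (the role names the 5.5 manager and host-manager webapps use). SAMPLE_TOMCAT_USERS is a constructed document for demonstration; the severity labels are this example's own.

```python
"""Audit a Tomcat 5.5 tomcat-users.xml for accounts with a blank password.

Added example, not code from the Tomcat project or from this post. It looks
for the configuration shape behind CVE-2009-3548: an administrative user
(roles 'manager' / 'admin') whose password attribute is empty.
SAMPLE_TOMCAT_USERS is a constructed document for demonstration only.
"""
import xml.etree.ElementTree as ET

# Roles that grant deployment or host administration in Tomcat 5.5.
PRIVILEGED_ROLES = {"manager", "admin"}

# Constructed sample: one privileged account with a blank password, one
# unprivileged blank-password account, one account with a password set.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <role rolename="tomcat"/>
  <user username="admin" password="" roles="admin,manager"/>
  <user username="tomcat" password="" roles="tomcat"/>
  <user username="ops" password="example-only-passphrase" roles="manager"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text):
    """Return [(username, severity)] for every account with an empty password.

    severity is 'high' when the account holds a privileged role, 'low' otherwise.
    Accounts with a non-empty password produce no finding.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for user in root.iter("user"):
        username = user.get("username", "")
        password = user.get("password", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        if password != "":
            continue
        severity = "high" if roles & PRIVILEGED_ROLES else "low"
        findings.append((username, severity))
    return findings


def audit_tomcat_users_file(path):
    """Convenience wrapper for a file on disk, e.g. $CATALINA_HOME/conf/tomcat-users.xml."""
    with open(path, "r", encoding="utf-8") as fh:
        return audit_tomcat_users(fh.read())


if __name__ == "__main__":
    for username, severity in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print("%s: user %r has a blank password" % (severity.upper(), username))
```

Run it against conf/tomcat-users.xml on an installed server with audit_tomcat_users_file; any "high" finding is exactly the state the 5.5.29 installer change avoids creating.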

Catalina
* 37848: Re-fix. Don't display info output when there is no
terminal. (markt)
* 39231: Call LoginModule.logout() when using
JAASRealm. (markt/kkolinko)
* 39844: Fix NPE when performing a non-HTTP forward. (billbarker)
* 41059: Reduce the chances of errors when using
ENABLE_CLEAR_REFERENCES. Patch by Curt Arnold. (markt)
* 45255: Add the ability to change session ID on authentication to
protect against session fixation attacks. This is disabled by
default. (markt/kkolinko)
* 46967: Better handling of errors when trying to use
Manager.randomFile. Based on a patch by Kirk Wolf. (kkolinko)
* 47518: Correct reference in Valve Javadoc that referred to an old
method. Patch provided by Christopher Schultz. (markt)
* 47537: Return an error page rather than a zero length 200 response
if the forward to the login or error page fails during FORM
authentication. (markt)
* 47718: Fix file descriptor leak on context stop/reload. Patch
provided by George Sexton. (markt)
* 47826: Correct error in debug message in
org.apache.catalina.Bootstrap (markt)
* 47963: Ensure that any HTTP status messages are compliant with
RFC2616. (markt/kkolinko)
* 47997: Enable the NamingResourcesMBean to work with non-Server
(i.e. Context) containers. Patch provided by Michael Allman. (markt)
* 48004: Allow applications to set the Server header. (markt)
* 48007: Improve exception processing in
CustomObjectInputStream. (kkolinko)
* 48049: Fix copy and paste error so NamingContext.destroySubContext()
works correctly. Patch provided by gingyang.xu (markt)
* 48097: Make WebappClassLoader not swallow
AccessControlException. (kkolinko)
* 48097: Avoid throwing an AccessControlException which can lead to a
NoClassDefFoundError on first access of first jsp. (kkolinko/markt)
* 48322: Single quote characters are not HTTP separators and should
not be treated as such in the cookie handling. (markt)
* Provide an option to allow the use of equals characters in cookie
values. (markt)
* 48516: Prevent NPE in JNDIRealm if requested user does not
exist. Patch provided by Kevin Conaway. (markt)
* 48577: Filter URL when displaying missing included page. (markt)
* 48760: Remove race condition that can result in multiple threads
trying to use the same InputStream. (markt)
* Add an additional permission required by JULI when running under
newer JDKs and a security manager. (markt)
* Close resource stream in WebappClassLoader after read error. (pero)
* Do not swallow exceptions in ApplicationContextFacade.doPrivileged()
(kkolinko)
* Various related (un)deploy improvements including: better handling
of failed (un)deployment; adding checking for invalid zip file
entries that don't make sense in a WAR file; and improved validation
of WAR file names. These changes address CVE-2009-2693,
CVE-2009-2901 and CVE-2009-2902.
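The last item above (zip entries that make no sense in a WAR file, and WAR file name validation) is something a deployment pipeline can check before handing an archive to Tomcat. The following is an added example, not code from the Tomcat project or from this post: it rejects entry names that are absolute, carry a Windows drive letter, use backslashes, or contain a ".." component, and applies a conservative single-component rule to the WAR name. Both rules are this example's own, not Tomcat's exact implementation, and the WAR it inspects is constructed in memory.

```python
"""Reject WAR files whose zip entries or file name could escape the appBase.

Added example, not code from the Tomcat project or from this post. The
5.5.29 changelog says deployment now checks for zip entries that make no
sense in a WAR and validates WAR file names (CVE-2009-2693, CVE-2009-2901,
CVE-2009-2902). The rules below are this example's own conservative
versions of those checks, not Tomcat's implementation; the WAR used here
is constructed in memory.
"""
import io
import re
import zipfile

# Conservative WAR-name rule (assumption): a single path component, a safe
# character set, and a .war suffix.
WAR_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.#-]*\.war$")
DRIVE_RE = re.compile(r"^[A-Za-z]:")


def is_valid_war_name(name):
    """True for names like 'app.war' or 'my#ctx.war'; False for anything with a path."""
    return bool(WAR_NAME_RE.match(name)) and ".." not in name


def is_safe_entry(name):
    """True if a zip entry name can only land inside the expanded WAR directory."""
    if not name:
        return False
    if name.startswith(("/", "\\")) or DRIVE_RE.match(name):
        return False          # absolute path or Windows drive letter
    if "\\" in name:
        return False          # zip entries must use forward slashes
    if any(part == ".." for part in name.split("/")):
        return False          # parent-directory traversal
    return True


def check_war(war_bytes):
    """Return entry names that must be rejected; an empty list means the WAR passed."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        return [info.filename for info in zf.infolist() if not is_safe_entry(info.filename)]


def build_sample_war():
    """Construct a small WAR in memory with two valid and three hostile entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("index.jsp", "<%= 1 + 1 %>")
        zf.writestr("../../conf/tomcat-users.xml", "<tomcat-users/>")
        zf.writestr("/absolute/path.jsp", "")
        zf.writestr("C:\\win\\x.jsp", "")
    return buf.getvalue()


if __name__ == "__main__":
    print("name ok:", is_valid_war_name("app.war"), is_valid_war_name("../app.war"))
    for entry in check_war(build_sample_war()):
        print("reject:", entry)
```

The check is deliberately done on the raw entry names rather than on normalized paths: an entry such as "a/../b" normalizes to a harmless "b", but nothing legitimate inside a WAR needs a ".." component, so rejecting the archive outright is the simpler and safer policy.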

Coyote
* 43327: Allow APR/native connector to work correctly on systems when
IPv6 is enabled. (markt)
* 46950: Support SSL renegotiation with APR/native connector. Note
that this requires APR/native 1.1.17 or later. (markt)
* 47225: Fix error in calculation of a buffer length in the
mapper. (markt)
* 47744: Prevent a medium term memory leak if using SSL with the JSSE
provider and also using a security manager. Based on a patch by Greg
Vanore. (markt)
* 47987: Limit size of not found resources cache. (markt)
* 48109: Ensure InputStream is closed in WebappClassLoader on error
conditions. (markt)
* 48311: APR should not be initialised if the APR life-cycle listener
is not enabled. (markt)
* 48581: Avoid security exception on first access. (markt)
* 48584: Prevent the APR connector logging an error if the acceptor
fails during shutdown since this is expected. (mturk)
* CVE-2009-3555. Provide option to disable legacy SSL
renegotiation. (markt/costin)
* Fix Windows installer to bundle an up-to-date version of native/APR
with it. When asked to install TC-Native it was downloading some
very old (1.1.4) version of it from the HEAnet site. (kkolinko)
* Update the native/APR library version bundled with Tomcat to
1.1.20. (kkolinko)
* Update recommended version for native to 1.1.19. (rjung)
* Remove unneeded line from the method that normalizes
decodedURI. (kkolinko)

Jasper
* 38797: Fix regression in previous fix for this bug. (markt)
* 41661: Fix thread safety issue in JspConfig.init() (markt)
* 41824: Need to use canonical rather than binary form when writing
code. (markt)
* 46907: Don't swallow input stream when debug logging is
enabled. (markt)
* 48582: Avoid NPE on background compile. (markt)

Cluster
* DeltaManager needs to replicate changed attributes even if session
gets invalidated. Otherwise session listeners will not see the right
data on the secondary nodes. (rjung)
* Remove unnecessary Java5 dependencies. (markt)
* 46384: Correct synchronisation issue that could lead to a cluster
member disappearing permanently. (markt)
* 47554: Include httpOnly attribute when re-writing session cookie
after fail over. (markt)

Webapps
* 41564: Add some information on installing Tomcat as a service on
operating systems with User Account Control, e.g. Vista. (markt)
* 47656: Add information to documentation on system property
replacement in configuration files. (markt)
* 47769: Clarify the JNDI docs with respect to use of <resource-ref>
and related elements, specifically when they are required and when
they may be omitted. (markt)
* 48381: Add information on how Tomcat treats host names to the host
configuration documentation. (markt)
* 48530: Add information on the Manager Server Status page to the
Manager How-To in the documentation webapp. Based on a patch by
Arnaud Espy. (markt)
* 48532: Add information to the BIO/NIO SSL configuration page in the
documentation web application to specify how the defaults for the
various trust store attributes are determined. (markt)
* 48686: Fix deleting a host via the Administration web application
rather than failing with a HTTP 500 response. (markt)
* Make changelog.xml be directly rendered as HTML by certain
browsers. (kkolinko)

----
Koga Yoichiro


Posted by xml-rpc : April 23, 2010 08:46