July 12, 2010

[installer 2435] Apache Tomcat 6.0.28, 5.5.30

Apache Tomcat 6.0.28 and 5.5.30 are out.

Multiple security holes have been fixed. For details, see:
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.28
http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.30
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2227


☆ Apache Tomcat 6.0.28
http://tomcat.apache.org/
http://archive.apache.org/dist/tomcat/tomcat-5/v6.0.28/src/apache-tomcat-6.0.28-src.tar.gz

Tomcat 6.0.28 (jfclere) released 2010-07-09
Catalina
* Arrange filter logic. (jfclere)
* 49230: Enhance JRE leak prevention listener with protection for the
keep-alive thread started by sun.net.www.http.HttpClient. Patch
provided by Rob Kooper. (markt)
* 49351: Fix possible NPE when embedding and no name is specified for
the Service. (markt)
* 49424: Avoid NPE if client provides no data with a chunked POST
request. (markt)
* 49414: Differentiate between request threads and application created
threads when warning about still running threads when an application
stops. (markt)
* 49443: Use remoteIpHeader rather than remoteIPHeader
consistently. (markt)
* Add property searchExternalFirst to WebappLoader. If set, the
external repositories will be searched before the WEB-INF
ones. (rjung)

Cluster
* 49445: When session ID is changed after authentication, ensure the
DeltaManager replicates the change in ID to the other nodes in the
cluster. (kfujino)

Webapps
* 49213: Grant permissions required by manager application when
running under a security manager. (markt/kkolinko)
* 49436: Correct documented default for readonly attribute of the
UserDatabase component. (markt)


Tomcat 6.0.27 (jfclere) not released
General
* Update DBCP to 1.3. (markt)

Catalina
* Fix CVE-2010-1157. Prevent possible disclosure of host name or IP
address via the HTTP WWW-Authenticate header when using BASIC or
DIGEST authentication. (markt)
* Include context name when reporting memory leaks to aid root cause
identification. (markt)
* Improve exception handling on session de-serialization to assist in
identifying the root cause of 48007. (kkolinko)
* 48379: Make session cookie name, domain and path configurable per
context. (markt)
* 48589: Make JNDIRealm easier to extend. Based on a patch by Candid
Dauth. (markt/kkolinko)
* 48629: Allow user names as well as DNs to be used with the nested
role search. Add roleNested to the documentation. Patch provided by
Felix Schumacher. (markt)
* 48661: Make error page behavior consistent, regardless of how the
error page is defined. If a response has been committed, always
include the error page. (markt)
* 48729: Return roles defined by both userRoleName and roleName
mechanisms. Patch provided by 'eric'. Also make user's role list
immutable. (markt)
* 48760: Fix potential multi-threading issue in static resource
serving where multiple threads could try to use the same
InputStream. (markt)
* 48790: Fix thread safety issue in the count of the maximum number of
active session. (markt/kkolinko)
* 48793: Make catalina.sh more robust to different return values on
different platforms. Patch provided by Thomas GL. (markt)
* 48840: Swallow output (if any) from use of cd when determining
$CATALINA_HOME in catalina.sh and tool-wrapper.sh scripts. Based on
patch provided by mdietze. (markt/kkolinko)
* 48895: Make clearing of ThreadLocals that are causing memory leaks
on web application stop, reload or undeploy configurable since the
process of clearing them is not thread-safe. (markt)
* 48903: Fix deadlock in webapp class loader. (rjung)
* 48971: Make stopping of leaking Timer threads optional and disabled
by default. (markt)
* 48976: Document JAVA_ENDORSED_DIRS in start-up scripts. Patch
provided by Laurent Vaills. (markt)
* 48983: Improve debug logging for situations when RemoteIpValve is
bypassed. Patch provided by Cyrille Le Clerc. (markt)
* 49018: Fix processing of time argument in the Expire sessions action
in the Manager web application. (kkolinko)
* 49116: If session is already invalid, expire session to prevent
memory leak. (kfujino)
* 49158: Ensure only one session cookie is returned for a single
request. (markt/fhanik)
* 49245: Fix session expiration check in cross-context
requests. (markt)
* 49398: ByteChunk.indexOf(String, int, int, int) could not find a
string of length 1. (kkolinko)
* Fix possible overflows when calculating session
statistics. (kkolinko)
* Log unexpected exceptions when providing access to web application
resources in ApplicationContext. (kkolinko)
* Improve exception handling in CatalinaShutdownHook. (kkolinko)
* Expose properties of VirtualWebappLoader and WebappClassLoader via
JMX. (rjung)

Coyote
* 48839: Correctly handle HTTP header folding in the NIO
connector. Patch suggested by Richa Baronia. (markt)
* 48843: Prevent possible deadlock for worker allocation in
connectors. (kkolinko)
* 48843: Fix handling of add queues in AprEndpoint.Poller and
AprEndpoint.Sendfile. Do not miss wakeups. (kkolinko)
* 48862: Add support for the backlog parameter to the AJP
connector. (pero/markt)
* 48917: Correct name of mod_jk module in ApacheConfig. Patch provided
by Todd Hicks. (markt)
* 49095: AprEndpoint did not wakeup acceptors during shutdown when
deferAccept option was enabled. Based on a patch provided by
Ruediger Pluem. (kkolinko)
* Use chunked encoding for http 1.1 requests with no content-length
(regardless of keep-alive) so client can differentiate between
complete and partial responses. (markt)
* Correct the SSL session timeout attribute name so the code agrees
with the documentation. (markt)
* CoyotePrincipal now implements Serializable. (fhanik)
* Enable the BIO AJP connector to run under a security
manager. (markt)

Jasper
* 45015: Correct a regression in quote handling caused by the
re-factoring of attribute parsing. (markt)
* 48701: Add a system property to allow disabling enforcement of
JSP.5.3. The specification recommends, but does not require, this
enforcement. (kkolinko)
* 48737: Don't assume paths that start with /META-INF/... are always
in JARs. This is not true for some IDEs. Patch provided by Fabrizio
Giustina. (markt)
* 49081: Correctly handle EL expressions of the form #${...}. (markt)
* 49196: Avoid NullPointerException in PageContext.getErrorData() if
an error-handling JSP page is called directly. (markt)

Cluster
* 48717: When a node joins a cluster and it receives all the current
sessions, ensure the sessionCreated event is fired if the Manager is
configured to replicate session events. (markt)
* 48934: Previous fix to handle dropped connections incorrectly
permanently disabled session replication. (fhanik)
* 49051: memberAlive is not called if the member does not already exist
in the membership. (kfujino)
* 49151: Avoid ClassCastException in BackupManager#stop. (kfujino)
* 49170: Do not send duplicated session. (kfujino)
* Add missing messages and ensure cluster listeners log messages to
correct logger. (markt)

Webapps
* Use underscores instead of spaces in anchor names in Tomcat
documentation. (kkolinko)
* Add support for displaying the Spring Security user name (if
present) in the Manager application. (markt)
* Improve the ChatServlet Comet example
(/examples/jsp/chat/). (kkolinko)

Other
* Update to Commons Daemon 1.0.2. Use service launcher (procrun) from
the Commons Daemon release. Do not keep a copy of it in our source
tree. (mturk/kkolinko)
* Update to NSIS 2.46. (kkolinko)
* 48990: Fix the skip.installer build property so if set, only the
Windows installer is skipped. (markt)
* 49178: Provide in catalina.policy an example of additional
permissions that might be needed for code located in
$CATALINA_BASE/lib. (markt)
* 49236: Do not use indexing when packing Tomcat JARs. (kkolinko)
* Remove unused code from org.apache.tomcat.util.buf
classes. (kkolinko)
* Rearrange tomcat-juli.jar permissions and wrap long lines in the
conf/catalina.policy file, to make the text more readable when cited
in documentation. (kkolinko)
* Do not evaluate the execute.installer property when building a
release. The skip.installer property is used instead. (kkolinko)


☆ Apache Tomcat 5.5.30
http://tomcat.apache.org/
http://archive.apache.org/dist/tomcat/tomcat-5/v5.5.30/src/apache-tomcat-5.5.30-src.tar.gz

Tomcat 5.5.30 (jim) released 2010-07-09
General
* Update to Commons Daemon 1.0.2. Use service launcher (procrun) from
the Commons Daemon release. Do not keep a copy of it in our source
tree. (mturk/kkolinko)
* Update to NSIS 2.46. (kkolinko)
* Update to Apache Commons DBCP 1.3. (markt)
* 48840: Swallow output (if any) from use of cd when determining
$CATALINA_HOME in catalina.sh and tool-wrapper.sh scripts. Based on
patch provided by mdietze. (markt/kkolinko)
* 49236: Do not use indexing when packing Tomcat JARs. (kkolinko)
* 48990: Build windows distributions correctly on Linux and add
support for the skip.installer property. (kkolinko)

Catalina
* Fix CVE-2010-1157. Prevent possible disclosure of host name or IP
address via the HTTP WWW-Authenticate header when using BASIC or
DIGEST authentication. (markt)
* 44041, 48694: Fix duplicate class definition under load. Avoid
possible deadlock in class loading. (markt/kkolinko)
* 47774: Ensure web application class loader is used when calling
session listeners. (kfujino)
* 48179: Improve error handling when reading or writing TLD cache file
("tldCache.ser"). (kkolinko)
* 49398: ByteChunk.indexOf(String, int, int, int) could not find a
string of length 1. (kkolinko)
* Ensure all required i18n messages are present for the APR/native
Listener. (kkolinko)
* Fix possible overflows when calculating session
statistics. (kkolinko)
* 49424: Avoid NPE if client provides no data with a chunked POST
request. (markt)
* Minor code cleanup in AccessLogValve and FastCommonAccessLogValve
classes. (kkolinko)
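
The CVE-2010-1157 entries above (in the Catalina sections of both releases) concern the realm value Tomcat put in the WWW-Authenticate header when web.xml named no realm, which could reveal the server's host name or IP address. The following Python script is an added example, not part of the original post or of Tomcat's code: it parses WWW-Authenticate challenge values and flags a Basic or Digest realm that is an IP address or a dotted host name, which is a practical check to run over captured responses or proxy logs when confirming that an upgrade or configuration change took effect. The header values are constructed samples, and the host-name test is this example's own heuristic, not anything defined by Tomcat or by the CVE.

```python
"""Added example: flag WWW-Authenticate realms that reveal a host name or IP.

Parses the header value, extracts the realm parameter for the Basic and
Digest schemes, and classifies a realm that is an IP address or a dotted
host name. The host-name test is this example's own heuristic.
"""
from __future__ import annotations

import ipaddress
import re

# auth-param: token "=" ( token / quoted-string ), separated by commas
_PARAM = re.compile(r'(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^,\s]+))')
# Two or more dot-separated DNS labels, e.g. app01.corp.example (heuristic).
_DOTTED_HOST = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+"
    r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$",
    re.IGNORECASE,
)


def parse_www_authenticate(value: str) -> dict[str, str]:
    """Split one challenge into its scheme and auth-params (keys lower-cased)."""
    scheme, _, params = value.strip().partition(" ")
    out = {"scheme": scheme.lower()}
    for m in _PARAM.finditer(params):
        quoted, token = m.group(2), m.group(3)
        # undo quoted-pair escapes (\x -> x) inside a quoted-string
        out[m.group(1).lower()] = (
            re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else token
        )
    return out


def classify_realm(realm: str) -> str | None:
    """'ip-address', 'hostname', or None when the realm is an ordinary label."""
    try:
        ipaddress.ip_address(realm)
        return "ip-address"
    except ValueError:
        pass
    if _DOTTED_HOST.match(realm):
        return "hostname"
    return None


def audit_challenge(value: str) -> str | None:
    """Return the disclosure class for a Basic/Digest challenge, else None."""
    params = parse_www_authenticate(value)
    if params["scheme"] not in ("basic", "digest"):
        return None
    return classify_realm(params.get("realm", ""))


# Constructed sample header values (not captured from a real server).
SAMPLES = {
    "named":    'Basic realm="Intranet Reports"',
    "label":    'Basic realm="tomcat"',
    "ipv4":     'Basic realm="192.168.10.4"',
    "ipv6":     'Basic realm="fe80::1"',
    "hostname": 'Digest realm="app01.corp.example", qop="auth", nonce="abc123"',
    "bearer":   'Bearer realm="api.corp.example"',  # not a Basic/Digest challenge
}


def audit_all(samples: dict[str, str] = SAMPLES) -> dict[str, str | None]:
    """Classify every sample; None means the realm discloses nothing."""
    return {name: audit_challenge(value) for name, value in samples.items()}


if __name__ == "__main__":
    for name, result in audit_all().items():
        print(f"{name:9} -> {result or 'ok'}")
```

Independently of the upgrade, an explicit <realm-name> inside <login-config> in the application's web.xml gives the challenge a fixed realm string, so a hit from this check on a patched server points at a deployment that deliberately uses a host name as its realm rather than at the default.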

Coyote
* Arrange filter logic. (jfclere)
* 48613: Only attempt APR/native connector initialization if the
Listener element has been specified in server.xml. (fhanik/kkolinko)
* 48843: Prevent possible deadlock and correct queue handling for
worker allocation in APR connectors. (kkolinko)
* Use chunked encoding for http 1.1 responses with no content-length
(regardless of keep-alive) so client can differentiate between
complete and partial responses. (markt)
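
The "Use chunked encoding ... with no content-length" entries (in the 6.0.28 Coyote section and in this one) are about response framing: with neither Content-Length nor chunked transfer coding, the body simply ends when the connection closes, so a client cannot tell a complete response from one cut off mid-way. The following Python script is an added example, not part of the original post or of Tomcat's code. It parses constructed HTTP/1.1 responses and reports whether the framing proves the body is complete; it also accepts an empty chunked body, the framing behind 49424 (which concerned chunked requests on the server side), and obs-fold header continuation lines, the framing behind 48839. All sample responses are constructed.

```python
"""Added example: HTTP/1.1 response framing check.

Parses constructed responses and reports whether the framing (Content-Length
or chunked transfer coding) proves the body is complete. A response with
neither is delimited only by the connection closing, so the receiver cannot
distinguish a finished body from a truncated one. Handles the empty chunked
body ("0\\r\\n\\r\\n") and obs-fold header continuation lines.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class ParsedResponse:
    status: int
    headers: dict[str, str]
    body: bytes
    framing: str    # "chunked", "content-length" or "close-delimited"
    complete: bool  # True only when the framing proves the body ended as sent


def parse_headers(head: bytes) -> tuple[int, dict[str, str]]:
    """Parse the status line and header fields; join obs-fold continuations."""
    lines = head.split(b"\r\n")
    status = int(lines[0].decode("latin-1").split(" ")[1])
    headers: dict[str, str] = {}
    last: str | None = None
    for raw in lines[1:]:
        if raw[:1] in (b" ", b"\t"):
            # obs-fold: a line starting with SP/HTAB continues the previous field
            if last is None:
                raise ValueError("continuation line before any header field")
            headers[last] += " " + raw.strip().decode("latin-1")
            continue
        name, _, value = raw.partition(b":")
        last = name.strip().decode("latin-1").lower()
        headers[last] = value.strip().decode("latin-1")
    return status, headers


def decode_chunked(data: bytes) -> tuple[bytes, bool]:
    """Return (body, terminated). terminated is True only if the zero-size
    chunk and the empty line closing the trailer section were both seen."""
    body = bytearray()
    pos = 0
    while True:
        eol = data.find(b"\r\n", pos)
        if eol < 0:
            return bytes(body), False               # cut off in a chunk-size line
        size_field = data[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        size = int(size_field.decode("ascii"), 16)
        pos = eol + 2
        if size == 0:
            # last chunk: consume optional trailer fields up to the empty line
            while True:
                eol = data.find(b"\r\n", pos)
                if eol < 0:
                    return bytes(body), False       # trailer section never closed
                if eol == pos:
                    return bytes(body), True
                pos = eol + 2
        body += data[pos:pos + size]
        if len(data) < pos + size + 2:
            return bytes(body), False               # cut off inside chunk data
        pos += size + 2                             # skip CRLF after chunk data


def parse_response(raw: bytes) -> ParsedResponse:
    """Frame a response as the receiver sees it once the peer stops sending
    (raw is everything that arrived before the connection ended)."""
    sep = raw.find(b"\r\n\r\n")
    if sep < 0:
        raise ValueError("header section not terminated")
    status, headers = parse_headers(raw[:sep])
    payload = raw[sep + 4:]
    if "chunked" in headers.get("transfer-encoding", "").lower():
        body, terminated = decode_chunked(payload)
        return ParsedResponse(status, headers, body, "chunked", terminated)
    if "content-length" in headers:
        n = int(headers["content-length"])
        return ParsedResponse(status, headers, payload[:n], "content-length",
                              len(payload) >= n)
    # Neither header: the body ends when the connection closes, and nothing
    # tells the receiver whether the server intended to stop there.
    return ParsedResponse(status, headers, payload, "close-delimited", False)


# Constructed sample responses (not captured from any real server).
SAMPLES = {
    "chunked_ok": (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                   b"5\r\nhello\r\n0\r\n\r\n"),
    "chunked_cut": (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                    b"5\r\nhello\r\n"),                 # no terminating 0-chunk
    "chunked_empty": (b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
                      b"0\r\n\r\n"),                    # zero-length body
    "close_delimited": b"HTTP/1.1 200 OK\r\nConnection: close\r\n\r\nhello",
    "folded": (b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n"
               b"X-Note: first\r\n second\r\n\r\nhello"),  # obs-fold header
}


def summarize() -> dict[str, tuple[str, bool, bytes]]:
    """Run every sample through parse_response."""
    return {name: (r.framing, r.complete, r.body)
            for name, r in ((n, parse_response(b)) for n, b in SAMPLES.items())}


if __name__ == "__main__":
    for name, (framing, complete, body) in summarize().items():
        print(f"{name:16} {framing:16} complete={complete!s:5} body={body!r}")
```

The "close_delimited" sample is the case the changelog entry removes on the server side: the receiver gets "hello" but has no way to know whether more was intended, whereas the truncated chunked sample is detectably incomplete because the terminating zero-size chunk never arrived.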

Jasper
* 42390, 48616: Fix compilation error with some nested tag files and
simple tags. Do not declare or synchronize scripting variables for
JSP fragments since they are scriptless. (kkolinko)
* 47878: Return “404”s rather than a permanent “500” if a JSP is
deleted. Make sure first response after deletion is
correct. (markt/kkolinko)
* 48701: Add a system property to allow disabling enforcement of
JSP.5.3. The specification recommends, but does not require, this
enforcement. (kkolinko)
* 48580: Prevent AccessControlException when running under a security
manager if the first access is to a JSP that uses a
FunctionMapper. (markt/kkolinko)
* 49196: Avoid NullPointerException in PageContext.getErrorData() if
an error-handling JSP page is called directly. (kkolinko)

Cluster
* 48717: When a node joins a cluster and it receives all the current
sessions, ensure the sessionCreated event is fired if the Manager is
configured to replicate session events. (markt)
* 49170: Do not send duplicated session. (kfujino)
* 49445: When session ID is changed after authentication, ensure the
DeltaManager replicates the change in ID to the other nodes in the
cluster. (kfujino)

Webapps
* Backport documentation stylesheet improvements from Tomcat 6: use
CSS styles to provide printer-friendly layout, support generation of
TOC tables, support links to revision numbers, use underscores
instead of spaces in anchor names. (kkolinko)

----
こがよういちろう


Posted by xml-rpc : July 12, 2010 18:22