March 15, 2011

[installer 2722] Apache Tomcat 7.0.11

Apache Tomcat 7.0.11 is out.

It includes a fix for a security hole. See:
http://tomcat.apache.org/security-7.html
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-1088

☆ Apache Tomcat 7.0.11

http://tomcat.apache.org/
http://archive.apache.org/dist/tomcat/tomcat-7/v7.0.11/src/apache-tomcat-7.0.11-src.tar.gz

Tomcat 7.0.11 (markt)
Catalina
* CVE-2011-1088: Completed fix. Don't ignore @ServletSecurity
annotations. (markt)
* 25060: Close Apache Commons DBCP datasources when the associated
JNDI naming context is stopped (e.g. for a non-global DataSource
resource on web application reload) to close remaining database
connections immediately rather than waiting for garbage
collection. (markt)
* 26701: Provide a mechanism for users to register their own
URLStreamHandlerFactory objects. (markt)
* 50855: Fix NPE on HttpServletRequest.logout() when debug logging is
enabled. (markt)
* New context attribute "swallowAbortedUploads" makes request data
swallowing configurable for requests that are too large. (rjung)
* 50854: Add additional permissions required by the Manager
application when running under a security Manager and support a
shared Manager installation when $CATALINA_HOME !=
CATALINA_BASE. (markt)
* 50893: Add additional information to the download README for the
extras components. (markt)
* Calling stop() and then destroy() on a connector incorrectly
triggered an exception. (markt)

Coyote
* 48208: Allow the configuration of a custom trust manager for use in
CLIENT-CERT authentication. (markt)
* Fix issues that prevented asynchronous servlets from working when
used with the HTTP APR connector on platforms that support
TCP_DEFER_ACCEPT. (markt)

Jasper
* Correct possible threading issue in JSP compilation when development
mode is used. (markt)
* 50895: Don't initialize classes created during the compilation
stage. (markt)

Tomcat 7.0.10 (markt) released 2011-03-08
Catalina
* CVE-2011-1088: Partial fix. Don't ignore @ServletSecurity
annotations. (markt)
* 27988: Improve reporting of missing files. (markt)
* 28852: Add URL encoding where missing to parameters in URLs
presented by Ant tasks to the Manager application. Based on a patch
by Stephane Bailliez. (mark)
* Improve handling of SSL renegotiation by failing earlier when the
request body contains more bytes than maxSavePostSize. (markt)
* Improve shut down speed by not renewing threads during shut down
when the ThreadLocalLeakPreventionListener is enabled. (markt)

Coyote
* 49284: Add SSL re-negotiation support to the HTTP NIO connector and
extend test cases to cover CLIENT-CERT authentication. (fhanik/markt)

Tomcat 7.0.9 (markt) not released
Catalina
* 19444: Add an option to the JNDI realm to allow role searches to be
performed by the authenticated user. (markt)
* 21669: Add the ability to specify the roleBase for the JNDI Realm as
relative to the users DN. Based on a patch by Art W. (markt)
* 22405: Add a new Lifecycle listener,
org.apache.catalina.security.SecurityListener that prevents Tomcat
from starting insecurely. It requires that Tomcat is not started as
root and that a umask at least as restrictive as 0007 is used. This
new listener is not enabled by default. (markt)
* 48863: Better logging when specifying an invalid directory for a
class loader. Based on a patch by Ralf Hauser. (markt/kkolinko)
* 48870: Refactor to remove use of parallel arrays. (markt)
* Enhance the RemoteIpFilter and RemoteIpValve so that the modified
remote address, remote host, protocol and server port may be used in
an access log if desired. (markt)
* Restore access to Environments, Resources and ResourceLinks via JMX
which was lost in early 7.0.x re-factoring. (markt)
* Remove ServerLifecycleListener. This was already removed from
server.xml and with the Lifecycle re-factoring is no longer
required. (markt)
* Add additional checks to ensure that sub-classes of
org.apache.catalina.util.LifecycleBase correctly implement the
expected state transitions. (markt)
* 50189: Once the application has finished writing to the response,
prevent further reads from the request since this causes various
problems in the connectors which do not expect this. (markt)
* 50700: Ensure that the override attribute of context parameters is
correctly followed. (markt)
* 50721: Correctly handle URL decoding where the URL ends in
%nn. Patch provided by Christof Marti. (markt)
* 50737: Add additional information when an invalid WAR file is
detected. (markt)
* 50748: Allow the content length header to be set up to the point the
response is committed when a writer is being used. (markt)
* 50751: When authenticating with the JNDI Realm, only attempt to read
user attributes from the directory if attributes are required. (markt)
* 50752: Fix typo in debug message in deprecated Embedded class. (markt)
* 50789: Provide an option to enable ServletRequestListeners for
forwards as required by some CDI frameworks. (markt)
* 50793: When processing Servlet 3.0 async requests, ensure that the
requestInitialized and requestDestroyed events are only fired once
per request at the correct times. (markt)
* 50802: Ensure that ServletContext.getResourcePaths() includes static
resources packaged in JAR files in its output. (markt)
* Web crawlers can trigger the creation of many thousands of sessions
as they crawl a site which may result in significant memory
consumption. The new Crawler Session Manager Valve ensures that
crawlers are associated with a single session - just like normal
users - regardless of whether or not they provide a session token
with their requests. (markt)
* Don't attempt to start NamingResources for Contexts multiple
times. (markt)
* 50826: Avoid IllegalArgumentException if an embedded Tomcat instance
that includes at least one Context is destroyed without ever being
started. (markt)
* Ensure a web application is taken out of service if the web.xml file
is not valid. (kkolinko/markt)
* Ensure Servlet 2.2 jspFile elements are correctly converted to use a
leading '/' if missing. (markt)
* 50836: Better documentation of the meaning of Lifecycle.isAvailable()
and correct a couple of cases where this could incorrectly return
true. (markt)
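The SecurityListener entry above states two start-up rules (Tomcat must not run as root, and the umask must be at least as restrictive as 0007). The shell pre-flight check below is an added example, not Tomcat's own code, that applies those same two rules to a given uid and umask so an operator can verify them before starting; the function names are assumed.

```shell
#!/bin/sh
# Added example: a start-up pre-flight check modelled on the two rules the
# Tomcat changelog describes for org.apache.catalina.security.SecurityListener
# (no root, umask at least as restrictive as 0007). Not Tomcat's own code;
# the function names below are assumed.

# umask_ok ACTUAL MINIMUM: succeed when ACTUAL clears every permission bit
# that MINIMUM clears, i.e. ACTUAL is at least as restrictive as MINIMUM.
# Both arguments are octal strings as printed by `umask` (e.g. 0027).
umask_ok() {
    actual=$(printf '%d' "0$1")    # leading 0 forces octal parsing
    minimum=$(printf '%d' "0$2")
    [ $(( actual & minimum )) -eq "$minimum" ]
}

# preflight_check UID UMASK: apply both rules, report each violation on
# stderr, and return non-zero if either rule fails.
preflight_check() {
    uid=$1
    mask=$2
    status=0
    if [ "$uid" -eq 0 ]; then
        echo "preflight: refusing to start Tomcat as root (uid 0)" >&2
        status=1
    fi
    if ! umask_ok "$mask" 0007; then
        echo "preflight: umask $mask is less restrictive than 0007" >&2
        status=1
    fi
    return "$status"
}

# Check the current process; report rather than abort so this file can be
# sourced from a start-up script that decides what to do with the verdict.
if preflight_check "$(id -u)" "$(umask)"; then
    echo "preflight OK: safe to start Tomcat"
else
    echo "preflight FAILED: fix the issues above before starting Tomcat"
fi
```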

Coyote
* 50780: Fix memory leak in APR implementation of AJP connector
introduced by the refactoring for 49884. (markt)
* If server configuration errors and/or faulty applications caused the
ulimit for open files to be reached, the acceptor threads for all
connectors could enter a tight loop. This loop consumed CPU and also
logged an error message for every iteration of the loop, which led
to large log files being generated. The acceptors have been enhanced
to better handle this situation. (markt)

Jasper
* 50720: Ensure that the use of non-ISO-8859-1 character sets for
web.xml does not trigger an error when Jasper parses the web.xml
file. (markt)
* 50726: Ensure that the use of the genStringAsCharArray does not
result in String constants that are too long for valid Java
code. (markt)
* 50790: Improve method resolution in EL expressions. (markt)

Cluster
* 50771: Ensure HttpServletRequest#getAuthType() returns the name of
the authentication scheme if request has already been
authenticated. (kfujino)

Web applications
* 50713: Remove roles command from the Manager application. (markt)

Tribes
* r1068549 50667: Allow RPC callers to get confirmation when sending a
reply. (fhanik)

Other
* 50743: Cache CheckStyle results between builds to speed up
validation. Patch provided by Oliver. (markt)

----
こがよういちろう


Posted by xml-rpc: March 15, 2011 09:03