July 20, 2011

[installer 2883] Apache Tomcat 7.0.19

Apache Tomcat 7.0.19 has been released.

It includes fixes for multiple security vulnerabilities. For details, see:
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.19
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2204
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2526

☆ Apache Tomcat 7.0.19
http://tomcat.apache.org/
http://archive.apache.org/dist/tomcat/tomcat-7/v7.0.19/src/apache-tomcat-7.0.19-src.tar.gz

Tomcat 7.0.19 (markt)
Catalina
* Add option to activate access log for unit tests. (rjung)
* Fix regression in year number formatting for AccessLogValve. (rjung)
* 46252: Allow to specify character set to be used to write the access
log in AccessLogValve. (kkolinko)
* 51494: Prevent an NPE when a long running request completes if the
associated web application was destroyed while the request was
processing. (markt)
* Allow choosing a locale for timestamp formatting in AccessLogValve. (rjung)
* When generating access logs for errors, log at the Context/Host
level if a Context or Host can be identified for the failed
request. (markt)
* In JULI FileHandler and in AccessLogValve create a directory
automatically when it is specified as a part of the file name,
e.g. in the prefix attribute. Earlier this happened only if it was
specified with the directory attribute. (kkolinko)
* Log a failure if access log file cannot be opened. (kkolinko)
* Use en_US as locale for timestamps in ExtendedAccessLogValve. (rjung)
* Use en_US as locale for creationdate in WebdavServlet. (rjung)

Coyote
* 51477: Support all SSL protocol combinations in the APR/native
connector. This only works when using the native library version
1.1.21 or later, which is not yet released. (rjung)
* Various refactorings to reduce code duplication and unnecessary code
in the connectors. (markt)
* Correct regression introduced in 7.0.17 that triggered 400 entries
in the AccessLog when using the AJP/BIO connector. (markt)
* Fix regression producing invalid MBean names when using IPV6
addresses for connectors. (rjung)
* Add missing thread name in RequestProcessor when Servlet 3 Async is
used. Fixes null thread name in access log and JMX MBean. (rjung)
* Fix CVE-2011-2526. Protect against infinite loops (HTTP NIO) and
crashes (HTTP APR) if sendfile is configured to send more data than
is available in the file. (markt)
* Prevent NPEs when a socket is closed in non-error conditions after
sendfile processing when using the HTTP NIO connector. (markt)

Cluster
* Remove unnecessary server.xml parsing code for old cluster
implementation that does not ship as part of Tomcat 7. (markt)

Web applications
* Add additional information to the documentation web application on
the benefits and remaining risks when running under a security
manager. (markt)
* 51490: Correct broken HTML in JSP tag plugin examples and improve
the <c:if> example to make failures more obvious. Based on
suggestions by Charles. (markt)
* Document ExtendedAccessLogValve. (rjung)
* Correct default value of enableLookups for connectors and mention
that resolveHosts for the AccessLogValve is replaced by
enableLookups. (rjung)

Other
* Update to Commons Daemon 1.0.6. (markt)
* Update to Eclipse JDT Compiler 3.7. (markt)
* Include jdbc-pool into tomcat release. (fhanik)


Tomcat 7.0.18 (markt) not released
Catalina
* Correct regression introduced in 7.0.17 that triggered an NPE if a
CrawlerSessionManagerValve was used without setting
crawlerUserAgents. (markt)
* 51466: Correct comment typos in HostManagerServlet. Patch provided
by Felix Schumacher. (markt)
* 51467: Invoke Thread.start() rather than Thread.run() so that
listeners and filters are stopped in a separate thread rather than
the current thread. Patch provided by Felix Schumacher. (markt)
* 51473: Fix concatenation of values in
SecurityConfig.setSecurityProperty(). (kkolinko)
* Fix response.encodeURL() for the special case of an absolute URL
with no path segment (http://name). (rjung)

Coyote
* Correct regression caused by connector re-factoring that made AJP
APR/native connector very unstable on Windows platforms. (markt)
* Correct regression caused by connector re-factoring that meant that
sendfile data was not reset between pipe-lined HTTP requests. (markt)

Tribes
* Re-factor tests to align packages for tests with the classes under
test. Start to convert non-JUnit tests to JUnit. Remove unnecessary
code. (markt)
* Add synchronization to receiver socket binding to prevent test
failures on Linux. (markt)

Other
* More code clean-up to remove unused code and reduce IDE
warnings. (markt/kkolinko)
* Further improvements to the Windows installer. (markt/kkolinko)


Tomcat 7.0.17 (markt) not released
Catalina
* 48956: Add regular expression support for SSI. (markt)
* 49165: Allow any time stamp formats supported by SimpleDateFormat in
AccessLogValve. Support logging begin and/or end of request. (rjung)
* 50677: Allow system property variables to be used in the values of
"common.loader" and other "*.loader" properties in the
catalina.properties file. (kkolinko)
* 51376: When adding a Servlet via ServletContext#addServlet(String,
Servlet), the Servlet was not initialized when the web application
started and a load on startup value was set. (markt)
* 51386: Correct code for processing @HandlesTypes annotations so only
types of interest are reported to a ServletContainerInitializer. (markt)
* Add the Tomcat extras, ant-junit and Java Help Jars to the list of
JARs to skip when scanning for TLDs and web fragments. (rjung)
* The fix for bug 51310 caused a regression that re-introduced bug
49957 and deleted the contents of the work directory when Tomcat was
shutdown. This fix ensures that the work directory for an
application is not deleted when Tomcat is shutdown. (markt)
* Correct issues with JULI's OneLineFormatter including: correctly
re-using formatted timestamps when possible; thread-safety issues in
timestamp formatting; correcting the output of any milliseconds to
include leading zeros and formatting any parameters
present. (kkolinko/markt/rjung)
* 51395: Fix memory leak triggered when an application that includes a
SAXParserFactory is the first web application to be loaded. (markt)
* 51396: Correctly handle jsp-file entries in web.xml when the JSP
servlet has been configured via code when embedding Tomcat. (markt)
* 51400: Avoid known bottleneck in JVM when converting between Strings
and bytes by always providing a Charset rather than an encoding
name. Based on a patch by Dave Engberg. (markt)
* 51401: Correctly initialise shared WebRuleSet instance used by the
digesters that parse web.xml and prevent incorrect warnings about
multiple occurrences of elements that are only allowed to appear
once in web.xml and web-fragment.xml. (kfujino)
* 51403: Avoid NPE in JULI FileHandler if formatter is
misconfigured. (kkolinko)
* Previous improvements in JAR scanning performance introduced a
start-up performance penalty for some use cases. This fix addresses
those performance penalties while retaining the original
improvements. (markt)
* 51418: Provide more control over Context creation when embedding
Tomcat. Based on a patch by Benson Margulies. (markt/kkolinko)
* Remove redundant copy of catalina.properties from
o.a.c.startup. Generate this copy for inclusion in bin and src jars
during the ant "compile" task. (rjung)
* Use system properties loaded from catalina.properties via the class
path in unit tests. (rjung)
* Improve JMX unit test. (rjung)
* Fix IllegalStateException for JavaScript files when switching from
Writer to OutputStream. The special handling of this case in the
DefaultServlet was broken due to a MIME type change for
JavaScript. (funkman)
* Fix CVE-2011-2204. Prevent user passwords appearing in log files if
a runtime exception (e.g. OOME) occurs while creating a new user for
a MemoryUserDatabase via JMX. (markt)
* Fix an issue with the CrawlerSessionManagerValve that meant sessions
were not always correctly tracked. (markt)
* 51436: Send 100 (Continue) response earlier to enable
ServletRequestListener implementations to read the request
body. Based on a patch by Simon Olofsson. (markt)
* Ensure an access log entry is made if an error occurs during
asynchronous request processing and the socket is immediately
closed. (markt)
* Ensure that if asyncDispatch() is called during an onTimeout event
and the target Servlet does not call startAsync() or complete() that
Tomcat calls complete() once the target Servlet exits. (markt)
* Improve the handling for Servlets that implement the deprecated
SingleThreadModel when embedding Tomcat. (markt)
* 51445: Correctly initialise all instances of Servlets that implement
SingleThreadModel. Based on a patch by Felix Schumacher. (markt)
* 51453: Fix a regression in the preemptive authentication support
(enhancement 12428) that could trigger authentication even if
preemptive authentication was disabled. (markt)
* Prevent possible NPE when serving Servlets that implement the
SingleThreadModel interface. (markt)
* In launcher for embedded Tomcat: do not change catalina.home system
property if it had a value. (kkolinko)
* When using Servlets that implement the SingleThreadModel interface,
add the single instance created to the pool when it is determined
that a pool of servlets is required rather than throwing it away. (markt)

Coyote
* Fix unit test for bindOnInit which was failing for APR on some
platforms. (rjung)
* Remove superfluous quotes from thread names for connection pools. (rjung)
* Fix crash observed during pausing the connector when using APR. Only
add socket to poller if we are sure we don't close it later. (rjung)
* Various refactorings to reduce code duplication and unnecessary code
in the connectors. (markt)
* Correct a regression introduced in Apache Tomcat 7.0.11 that broke
certificate revocation list handling. (markt)

Jasper
* Improve the message printed by TldLocationsCache and add
configuration example to the logging.properties file. (kkolinko)
* 33453: Recompile JSPs if last modified time of the source or any of
its dependencies changes either forwards or backwards. Note that
this introduces an incompatible change to the code generated for
JSPs. Tomcat will automatically re-compile any JSPs and tag files
found in the work directory when upgrading from 7.0.16 or earlier to
7.0.17 or later. If you later downgrade from 7.0.17 or later to
7.0.16 or earlier, you must empty the work directory as part of the
downgrade process. (markt)
* 36362: Handle the case where tag file attributes (which can use any
valid XML name) have a name which is not a Java identifier. (markt/kkolinko)
* Broaden the exception handling in the EL Parser so that more
failures to parse an expression include the failed expression in the
exception message. Hopefully, this will help track down the cause of
51088. (markt)

Cluster
* 51306: Avoid NPE when handleSESSION_EXPIRED is processed while
handleSESSION_CREATED is being processed. (kfujino)
* Notifications of changes in session ID to other nodes in the cluster
should be controlled by notifySessionListenersOnReplication rather
than notifyListenersOnReplication. (markt)
* The change in session ID is notified to the container event listener
on the backup node in cluster. This notification is controlled by
notifyContainerListenersOnReplication. (kfujino)

Web applications
* Update Maven repository information in the documentation to reflect
current usage. (markt)
* 43538: Add host name and IP address to the HTML Manager application.
Patch by Dennis Lundberg. (markt)
* Add session="false" directive to the index page of the ROOT web
application. (kkolinko)
* 51443: Document the notifySessionListenersOnReplication attribute
for the DeltaManager. (markt)
* 51447: Viewing a back up session in the HTML Manager web application
no longer changes the session to a primary session. Based on a patch
provided by Eiji Takahashi. (markt)

Other
* 33262: Install monitor to auto-start for current user only rather
than all users to be consistent with menu item creation. (markt)
* 40510: Provide an option to install shortcuts for the current user
or all users. Also ensure registry is correctly cleaned on uninstall
for 64-bit platforms. (markt)
* 50949: Provide the ability to specify the AJP port and service name
when installing Tomcat using the Windows installer. This permits
multiple instances of the same Tomcat version to be installed
side-by-side. (markt)
* Clean up shell and batch scripts (improve consistency, clarify
comments, add configtest command support for Windows). (rjung)
* 51206: Make CATALINA_BASE visible for setenv.sh. (rjung)
* Remove unnecessary variable BASEDIR from scripts. (rjung)
* 51425, 51450: Update Spanish translations. Based on patches provided
by Jesus Marin. (markt)

----
Yoichiro Koga


Posted by xml-rpc : July 20, 2011 09:35