August 19, 2011

[installer 2915] Apache Tomcat 6.0.33

Apache Tomcat 6.0.33 is out.

It includes fixes for multiple security holes. See
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.33
for details.

☆ Apache Tomcat 6.0.33
http://tomcat.apache.org/

http://archive.apache.org/dist/tomcat/tomcat-6/v6.0.33/src/apache-tomcat-6.0.33-src.tar.gz

Tomcat 6.0.33 (jfclere)
Catalina
* Allow to search the virtual paths before the webapp or after it.
(rjung)
* 27988: Improve reporting of missing files. (markt)
* 28852: Add URL encoding where missing to parameters in URLs
presented by Ant tasks to the Manager application. Based on a patch
by Stephane Bailliez. (markt)
* 46252: Allow to specify character set to be used to write the access
log in AccessLogValve. (kkolinko)
* 48863: Provide a warning if there is a problem with a class path
entry but use debug level logging if it is expected due to catalina
home/base split. (kkolinko)
* 49180: Add an option to disable file rotation in JULI FileHandler.
(kkolinko)
* 50189: Once the application has finished writing to the response,
prevent further reads from the request since this causes various
problems in the connectors which do not expect this. (markt)
* 50700: Ensure that the override attribute of context parameters is
correctly followed. (markt)
* 50734: Return 404 rather than 400 for requests to the ROOT context
when no ROOT context is deployed. Patch provided by Violeta
Georgieva. (markt)
* 50751: When authenticating with the JNDI Realm, only attempt to read
user attributes from the directory if attributes are required. (markt)
* 50752: Fix typo in debug message in org.apache.catalina.startup.Embedded.
(markt)
* 50855: Fix NPE on AuthenticatorBase.register() when debug logging is
enabled. (markt)
* Correctly format the timestamp reported by version.[sh|bat]. (markt)
* Remove unnecessary whitespace from MIME mapping entries in global
web.xml file. (markt)
* 51042: Don't trigger session creation listeners when a session ID is
changed as part of the authentication process. (markt)
* 51119: Add JAAS authentication support to the
JMXRemoteLifecycleListener. Patch provided by Neil Laurance. (markt)
* Implement display of multiple request headers in AccessLogValve:
print not just the value of the first header, but of all of
them, separated by commas. (kkolinko)
* Correct the SSLValve so it returns the SSL key size as an Integer
rather than as a String. (markt)
* 51162: Prevent possible NPE when removing a web application. (markt)
* 51249: Improve system property replacement code in
ClassLoaderLogManager of Tomcat JULI to cover some corner cases.
(kkolinko)
* 51315: Fix IAE when removing an authenticator valve from a container.
Patch provided by Violeta Georgieva. (markt)
* 51324: Improve handling of exceptions when flushing the response
buffer to ensure that the doFlush flag does not get stuck in the
enabled state. Patch provided by Jeremy Norris. (kkolinko)
* 51348: Fix possible NPE when processing WebDAV locks. (markt)
* Add a container event that is fired when a session's ID is changed,
e.g. on authentication. (markt)
* Fix CVE-2011-2204. Prevent user passwords appearing in log files if
a runtime exception (e.g. OOME) occurs while creating a new user for
a MemoryUserDatabase via JMX. (markt)
* 51400: Avoid jvm bottleneck on String/byte[] conversion triggered by
a JVM bug. Based on patches by Dave Engberg and Konstantin Preiser.
(markt)
* 51403: Avoid NPE in JULI FileHandler if formatter is misconfigured.
(kkolinko)
* Create a directory for access log or error log (in AccessLogValve
and in JULI FileHandler) automatically when it is specified as a
part of the file name, e.g. in the prefix attribute. Earlier this
happened only if it was specified with the directory attribute.
(kkolinko)
* Log a failure if access log file cannot be opened. Improve i18n of
messages. (kkolinko)
* Improve handling of URLs with path parameters and prevent incorrect
404 responses that could occur when path parameters were present.
(kkolinko)
* 51473: Fix concatenation of values in
SecurityConfig.setSecurityProperty(). (kkolinko)
* 51509: Fix potential concurrency issue in CSRF prevention filter
that may lead to some requests failing that should not. (markt)
* 51588: Make it easier to extend the AccessLogValve to add support
for custom elements. (markt)
* Unregister DataSource MBeans when web application stops. (kfujino)
* Add additional configuration options to the DIGEST authenticator.
(markt)

Coyote
* Reduce level of log message for invalid URL parameters from WARNING
to INFO. (kkolinko)
* 48208: Provide an option to specify a custom trust manager for BIO
and NIO HTTP connectors using SSL. Based on a patch by Luciana
Moreira. (markt)
* 49595: Protect against crashes when using the APR/native connector.
(jfclere)
* 49929: Make sure flush packet is not sent after END_RESPONSE
packet. (mturk/markt)
* 50887: Enable the provider to be configured when generating SSL
certs. Based on a patch by pknopp. (markt)
* 51073: Throw an exception and do not start the APR connector if it
is configured for SSL and an invalid value is provided for
SSLProtocol. (markt)
* Fix CVE-2011-2526. Protect against infinite loops (HTTP NIO) and
crashes (HTTP APR) if sendfile is configured to send more data than
is available in the file. (markt)
* Prevent NPEs when a socket is closed in non-error conditions after
sendfile processing when using the HTTP NIO connector. (markt)
* 51515: Prevent immediate socket close when comet is used over HTTPS.
(markt)

Jasper
* 36362: Handle the case where tag file attributes (which can use any
valid XML name) have a name which is not a Java identifier. (markt)
* 47371: Correctly coerce the empty string to zero when used as an
operand in EL arithmetic. Patch provided by gbt. (markt)
* 50726: Ensure that the use of the genStringAsCharArray does not
result in String constants that are too long for valid Java
code. (markt)
* 50895: Don't initialize classes created during the compilation
stage. (markt)
* 51124: Make Tomcat more robust if an OOME occurs. Usually after an
OOME all bets are off but this change appears to help some users and
the description of a 'recoverable' OOME in the bug is a plausible
one. Based on a patch by Ramiro. (markt)
* 51177: Ensure Tomcat's MapELResolver and ListELResolver always
return Object.class for getType() as required by the EL
specification. (markt)
* Correct possible threading issue in JSP compilation when development
mode is used. (markt)
* 51220: Add a system property to enable tag pooling with JSPs that
use a custom base class. Based on a patch by Dan Mikusa. (markt)
* Broaden the exception handling in the EL Parser so that more
failures to parse an expression include the failed expression in the
exception message. Hopefully, this will help track down the cause of
51088. (markt)
* Improve error reporting of Jasper compilation. (schultz)

Cluster
* 50646: Fix cluster message data corruption if message size exceeds
the underlying buffer size. Patch provided by Olivier Costet. (markt)
* 50771: Ensure HttpServletRequest#getAuthType() returns the name of
the authentication scheme if request has already been
authenticated. (kfujino)
* 50950: Correct possible NotSerializableException for an
authenticated session when running with a security manager. (markt)
* 51306: Avoid NPE when handleSESSION_EXPIRED is processed while
handleSESSION_CREATED is being processed. (kfujino)
* The change in session ID is notified to the container event listener
on the backup node in cluster. This notification is controlled by
notifyContainerListenersOnReplication. (kfujino)

Webapps
* 41498: Add the allRolesMode attribute to the Realm configuration
page in the documentation web application. (markt)
* 48997: Fix some typos and improve cross-referencing to the HTTP
Connector and APR documentation with the SSL How-To page of the
documentation web application. (markt)
* 50804: Update links for Servlet 2.5 and JSP 2.1 Javadoc. (markt)
* Improve class loading documentation and logging documentation.
(kkolinko)
* Configure Security Manager How-To to include a copy of the actual
conf/catalina.policy file when the documentation is built, rather
than maintaining a copy of its content. (kkolinko)
* 51147: Fix deployment via HTML Manager that was broken by addition
of CSRF protection. Patch provided by Alexis Hassler. (markt)
* 51156: Ensure the session expiration option is available in the Manager
application for running web applications that were defined in
server.xml. (markt)
* Correct the log4j configuration settings when defining conversion
patterns in the documentation web application. (markt)
* Update Maven repository information in the documentation to reflect
current usage. (markt)
* 51346: Update the documentation web application to make clear the
circumstances in which the RequestDumperValve will consume the
request's InputStream. Based on a patch by pid. (markt)
* 51443: Document the notifySessionListenersOnReplication attribute
for the DeltaManager. (markt)
* 51516: Correct documentation web application to show correct system
property name for changing the name of the SSO session cookie.
(markt)
* Update documentation to be even more explicit about the implications
of setting the path attribute on a Context element in server.xml.
(markt/kkolinko)

Other
* Clarify error messages in *.sh files to mention that if a script is
not found it might be because execute permission is needed.
(kkolinko)
* 33262, 40510, 50949, 51135: Various improvements to the Windows
installer to be able to install several copies of Tomcat 6 side by
side. Allow to configure service name, connector and shutdown
ports. Allow to choose whether to install Start menu shortcuts and
Apache Tomcat monitor application for all users or for the current
one only. Improve auto-detection of JAVA_HOME for 64-bit Windows
platforms: autoselect 32-bit JRE if it exists and 64-bit one is not
available. Improve server.xml file handling. Fix uninstallation
icon. (markt/kkolinko)
* 50854: Add additional entries to the default catalina.policy file to
support running the manager web application from CATALINA_HOME or
CATALINA_BASE. (markt)
* Update default download sources to use the central Apache Maven 2
repository as some libraries have been removed from the central
Apache Maven 1 repository. (kkolinko)
* 51155: Add comments to @deprecated tags that have none. Patch
provided by sebb. (kkolinko)
* 51309: Correct logic in catalina.sh stop when using a PID file to
ensure the correct message is shown. Patch provided by Caio
Cezar. (markt)
* Update Apache Commons Pool to 1.5.6. (kkolinko)
* Update Apache Commons Daemon to 1.0.7. (kkolinko)
* At build time use two alternative download locations for components
downloaded from apache.org. (kkolinko)

----
Yoichiro Koga


Posted by xml-rpc : August 19, 2011 11:21