Update to 8.5.43
Changelog:
Tomcat 8.5.43 (markt)
Catalina
Update: Modify the Default and WebDAV Servlets so that a 405 status code is returned for PUT and DELETE requests when disabled via the readonly initialisation parameter.
Fix: Align the contents of the Allow header with the response code for the Default and WebDAV Servlets. For any given resource a method that returns a 405 status code will not be listed in the Allow header and a method listed in the Allow header will not return a 405 status code. (markt)
Fix: When using WebDAV to copy a file resource to a destination that requires a collection to be overwritten, ensure that the operation succeeds rather than fails (with a 500 response). This enables Tomcat to pass two additional tests from the Litmus WebDAV test suite. (markt)
Fix: 49464: Improve the Default Servlet's handling of static files when the file encoding is not compatible with the required response encoding. (markt)
Fix: Fix typo in UTF-32LE charset name. Patch by zhanhb vi Github. (fschumacher)
Add: 58590: Add the ability for a UserDatabase to monitor the backing XML file for changes and reload the source file if a change in the last modified time is detected. This is enabled by default meaning that changes to $CATALINA_BASE/conf/tomcat-users.xml will now take effect a short time after the file is saved. (markt)
Fix: Improve parsing of Range request headers. (markt)
Fix: Range headers that specify a range unit Tomcat does not recognise should be ignored rather than triggering a 416 response. Based on a pull request by zhanhb. (markt)
Fix: When comparing a date from a If-Range header, an exact match is required. Based on a pull request by zhanhb. (markt)
Fix: Add an option to the default servlet to disable processing of PUT requests with Content-Range headers as partial PUTs. The default behaviour (processing as partial PUT) is unchanged. Based on a pull request by zhanhb. (markt)
Fix: Improve parsing of Content-Range headers. (markt)
Fix: Ensure that the HEAD response is consistent with the GET response when HttpServlet is relied upon to generate the HEAD response and the GET response uses chunking. (markt)
Update: Update the recommended minimum Tomcat Native version to 1.2.23. (markt)
Coyote
Fix: Avoid a potential hang when a client connects using TLS 1.0 to a Tomcat HTTPS connector configured to use NIO or NIO with OpenSSL 1.1.1 or later. (markt)
Fix: Once a URI is identified as invalid don't attempt to process it further. Based on a PR by Alex Repert. (markt)
Fix: Fix to avoid the possibility of long poll times for individual pollers when using mutliple pollers with APR. (markt)
Fix: Refactor the fix for 63205 so it only applies when using PKCS12 keystores as regressions have been reported with some other keystore types. (markt)
Jasper
Add: Include file names in error messages if SMAP processor is unable to delete or rename a class file during SMAP generation. (markt)
WebSocket
Fix: 63521: As required by the WebSocket specification, if a POJO that is deployed as a result of the SCI scan for annotated POJOs is subsequently deployed via the programmatic API ignore the programmatic deployment. (markt)
Other
Code: Switch i18n message files to use UTF-8 and convert to ASCII at build time. (markt)
Fix: 63523: Restore SSLUtilBase methods as protected to preserve compatibility. (remm)
Fix: Switch the check for terminal availability to test for stdin as using stdout does not work when output is piped to another process. Patch provided by Radosław Józwik. (markt)
2019-06-07 Tomcat 8.5.42 (markt)
Catalina
Add: 57287: Add file sorting to DefaultServlet (schultz)
Fix: Ensure that the default servlet reads the entire global XSLT file if one is defined. Identified by Coverity Scan. (markt)
Fix: Avoid potential NullPointerException when generating an HTTP Allow header. Identified by Coverity Scan. (markt)
Add: Remove any fragment included in the target path used to obtain a RequestDispatcher. The requested target path is logged as a warning since this is an application error. (markt)
Coyote
Update: Add additional NIO2 style read and write methods closer to core NIO2, for possible use with an asynchronous workflow like CompletableFuture. (remm)
Fix: Avoid useless exception wrapping in async IO. (remm)
Fix: 63412: Security manager failure when using the async IO API from a webapp. (remm)
Fix: Fix concurrency issue that lead to incorrect HTTP/2 connection timeout. (remm/markt)
Update: Reduce the default for maxConcurrentStreams on the Http2Protocol from 200 to 100 to align with typical defaults for HTTP/2 implementations. (markt)
Update: Reduce the default HTTP/2 header list size from 4GB to 32kB to align with typical HTTP/2 implementations. (markt)
Add: Add support for same-site cookie attribute. Patch provided by John Kelly. (markt)
Fix: Correct a bug in the stream flushing code that could lead to multiple threads processing the stream concurrently which in turn could cause errors processing the stream. (markt)
Cluster
Fix: 62841: Refactor the DeltaRequest serialization to reduce the window during which the DeltaSession is locked and to remove a potential cause of deadlocks during serialization. (markt)
Fix: 63441: Further streamline the processing of session creation messages in the DeltaManager to reduce the possibility of a session update message being processed before the session has been created. (markt)
Tribes
Fix: Treat NoRouteToHostException the same way as SocketTimeoutException when checking the health of group members. This avoids a SEVERE log message every time the check is performed when the host associated with a group member is not powered on. (markt)
Other
Update: Switch from FindBugs to SpotBugs. (fschumacher)and to check for terminal availability rather than the tty command since the tty based test fails on non-English locales. (markt)
2019-05-13 Tomcat 8.5.41 (markt)
Catalina
Fix: Fix a potential resource leak when executing CGI scripts from a WAR fileread of the APR connector. Identified by Coverity scan. (markt)
Fix: Fix a potential resource leak when running a web application from a WAR file. Identified by Coverity scan. (markt)
Fix: Fix a potential resource leak on some exception paths in ttified by Coverity scan. (markt)
Fix: Fix a potential resource leak when a JNDI lookup returns an object of an in compatible class. Identified by Coverity scan. (markt)
Code: Refactor ManagerServlet to avoid loading classes when filtering JNDI rescaching has been disabled. (markt)
Fix: Avoid a NullPointerException when a Context is defined in server.xml with a docBase but not the optional path. (markt)
Fix: 63324: Refactor the CrawlerSessionManagerValve so that the object placed in the sesials trigger account lock out when the LockOutRealm is in use. Patch provided by jchobantonov. (markt)
Coyote
Fix: When running on newer JREs that don't support SSLv2Hello, don't warn that it is not available unless explicitly configured. (markt)
Code: Refactor Hostname validation to improve performance. Patch provided by Uwe Hees. (markt)
Fix: Expand HTTP/2 timeout handling to include connection window exhaustion on write. This is the fix for CVE-2019-10072. (markt)
Other
Fix: 63335: Ensure that stack traces written by the OneLineFormatter are fully indented. The entire stack trace is now indented by an additional TAB character. (markt)
Fix: When using the OneLineFormatter, don't print a blank line in the log after printing a stack trace. (markt)
Update: Update the internal fork of Apache Commons DBCP 2 to dcdbc72 (2019-04-24) to pick up some clean-up and enhancements less the JDBC 4.2 related changes that require Java 8. (markt)
Update: Update the internal fork of Apache Commons Pool 2 to 0664f4d (2019-04-30) to pick up some enhancements and bug fixes. (markt)
Update: Update the internal fork of Apache Commons FileUpload to 41e4047 (2019-04-24) pick up some enhancements. (markt)
2019-04-12 Tomcat 8.5.40 (markt)
Catalina
Fix: 63196: Provide a default (X-Forwarded-Proto) for the protocolHeader attribute of the RemoteIpFilter and RemoteIpValve. (markt)
Fix: 63235: Refactor Charset cache to reduce start time. (markt)
Fix: 63249: Use a consistent log level (WARN) when logging the failure to register or deregister a JMX Bean. (markt)
Fix: 63249: Use a consistent log level (ERROR) when logging the LifecycleException associated with the failure to start or stop a component. (markt)
Fix: When the SSI directive fsize is used with an invalid target, return a file size of - rather than 1k. (markt)
Fix: 63251: Implement a work-around for a known JRE bug (JDK-8194653) that may cause a dead-lock when Tomcat starts. (markt)
Fix: 63275: When using a RequestDispatcher ensure that HttpServletRequest.getContextPath() returns an encoded path in the dispatched request. (markt)
Fix: 63286: Document the differences in behaviour between the LogFormat directive in httpd and the pattern attribute in the AccessLogValve for %D and %T. (markt)
Fix: 63311: Add support for https URLs to the local resolver within Tomcat used to resolve standard XML DTDs and schemas when Tomcat is configured to validate XML configuration files such as web.xml. (markt)
Fix: Encode the output of the SSI printenv command. This is the fix for CVE-2019-0221. (markt)
Code: Use constants for SSI encoding values. (markt)
Add: When the CGI Servlet is configured with enableCmdLineArguments set to true, limit the encoded form of the individual command line arguments to those values allowed by RFC 3875. This restriction may be relaxed by the use of the new initialisation parameter cmdLineArgumentsEncoded. (markt)
Add: When the CGI Servlet is configured with enableCmdLineArguments set to true, limit the decoded form of the individual command line arguments to known safe values when running on Windows. This restriction may be relaxed by the use of the new initialisation parameter cmdLineArgumentsDecoded. This is the fix for CVE-2019-0232. (markt)
Update: Change the default for the enableCmdLineArguments parameter of the CGI servlet from true to false as additional hardening against CVE-2019-0232. (markt)
Coyote
Fix: Fix bad interaction between NIO2 async read API and the regular read. (remm)
Fix: Refactor NIO2 write pending strategy for the classic IO API. (remm)
Fix: Harmonize NIO2 isReadyForWrite with isReadyForRead code. (remm)
Fix: When using a JSSE TLS connector that supported ALPN (Java 9 onwards) and a protocol was not negotiated, Tomcat failed to fallback to HTTP/1.1 and instead dropped the connection. (markt)
Fix: Correct a regression in the TLS connector refactoring in Tomcat 9.0.17 that prevented the use of PKCS#8 private keys with OpenSSL based connectors. (markt)
Fix: When performing an upgrade from HTTP/1.1 to HTTP/2, ensure that any query string present in the original HTTP/1.1 request is passed to the HTTP/2 request processing. (markt)
Fix: When Tomcat writes a final response without reading all of an HTTP/2 request, reset the stream to inform the client that the remaining request body is not required. (markt)
Fix: 63312: Correct a regression in the error page handling that prevented error pages from issuing redirects or taking other action that required the response status code to be changed. (markt)
Jasper
Add: Add support for specifying Java 11 (with the value 11) as the compiler source and/or compiler target for JSP compilation. (markt)
Add: Add support for specifying Java 12 (with the value 12) and Java 13 (with the value 13) as the compiler source and/or compiler target for JSP compilation. If used with an ECJ version that does not support these values, a warning will be logged and the latest supported version will used. Based on a patch by Thomas Collignon. (markt)
WebSocket
Fix: Improve the handling of exceptions during TLS handshakes for the WebSocket client. (markt)
Web applications
Fix: 63184: Expand the SSI documentation to provide more information on the supported directives and their attributes. Patch provided by nightwatchcyber. (markt)
Add: Add a note to the documentation about the risk of DoS with poorly written regular expressions and the RewriteValve. Patch provided by salgattas. (markt)
jdbc-pool
Fix: 63320: Ensure that StatementCache caches statements that include arrays in arguments. (kfujino)
UnifiedSplitRaw
