** Description changed:
Binary package hint: tomcat6
Tomcat 6.0.18 was released on Jul 31 as a security release to fix
CVE-2008-1232, CVE-2008-1947, CVE-2008-2370 and CVE-2008-2938.
- There was however significant bugfix work for the (doa) 6.0.17 release.
- Here is the combined upstream changelog :
-
- == Tomcat 6.0.18 ==
- * Catalina
- fix 42727: Correctly handle request lines that are exact multiples
of 4096 in length. Patch provided by Will Pugh.
- fix 42678: Only ignore docBase if it really is a subdir of appBase.
Patch provided by juergen. (markt)
- fix 42722: Possible NPE in CGI Servlet. (markt)
- upd 45285: Look for annotations in class hierarchy. (markt)
- fix Add additional checks for URI normalization. (remm)
- * Jasper
- fix 42565: Make EL ternary expression without space before colon
work. Patch provided by Lucas Galfaso. (markt)
- * Webapps
- upd 45323: Add note that context.xml files can only contain a
single Context element. (markt)
- * Cluster
- upd 45317: Properly document and log the value of the state
transfer timeout flag (fhanik)
-
- == Tomcat 6.0.17 ==
- * General
- upd 45315: Add Unix support for NSIS. (remm)
- * Catalina
- fix 45272: Put in work around for Internet Explorer not accepting a
quoted Path: value using the Set-Cookie header (fhanik)
- fix APR connector now adds connection to poller after using send
file. (remm)
- upd Add ManagerBase session getLastAccessedTimestamp and
getCreationTimestamp for better remote JMX access. (pero)
- upd Expose alwaysSend flag for message dispatch interceptor.
(fhanik)
- fix 29936: Create digesters and parsers earlier so we aren't using
the webapp class loader when we create them. (markt)
- fix 42662: Properly resolve reflection proxies during session
replication. (fhanik)
- fix 42750: Request line should be tolerant of multiple whitespaces.
(markt/fhanik)
- fix 42934: Change the order of events on context start so
contextInitialized() event is fired before sessionDidActivate(). The spec isn't
100% clear on the required order but this seems more logical than the current
behaviour. (markt)
- fix 43079: Fix identification of suspicious URL patterns. Patch
provided by John Kew. (markt)
- fix 43080: Log suspicious URL patterns to the correct web app.
(markt)
- fix 43117: Setting an empty workDir could result in all of
CATALINA_HOME being deleted. Patch provided by Takayuki Kaneko. (markt)
- fix 43142: Don't assume a directory named xxx.war is a war file.
(markt)
- fix 43150: Allow Tomcat to start correctly when installed on a path
that contains a # character. (markt)
- add The fix for 43285 had the side-effect of coercing null values to
zero. This side-effect has been made configurable with a system property,
org.apache.el.parser.COERCE_TO_ZERO which defaults to true. Patch provided by
Nils Eckert. (markt)
- fix 43343: Correctly handle requesting a session we are in the
middle of persisting. Based on a suggestion by Wade Chandler. (markt)
- fix 43425: Make annotations spec compliant. Patch provided by Dain
Sundstrom. (markt)
- fix 43470: Fix various class cast exceptions. Based on a patch by
Lucas Galfaso. (markt)
- fix 43578: Fix startup when installation path contains a space.
Patch provided by Ray Sauers. (markt)
- fix 43683: Fix 404 that could occur if a Servlet is accessed while
the context is reloading. (markt)
- fix ExtendedAccessLogValve cs-uri does not print an empty query string.
(pero)
- upd ServletContext.getResource("noslash/resource") only requires
forward slash if STRICT_SERVLET_COMPLIANCE flag is set to true. This mimics the
behavior of 6.0.15 and earlier. (fhanik)
- fix 44021: Add support for using the # character to define
multi-level contexts in WARs and directories in the appBase. (markt)
- fix 44282: Fix TRACE level class loader logging message when a
security manager is used. (markt)
- fix 44337: Dir listing crashes if no readme-file present. (funkman)
- fix If listener declared in web.xml, only add it once. (funkman)
- fix Fix NPE when iterating through sessions for expiration.
(fhanik/jim)
- fix 44380: Don't scan non-file URLs for TLDs. Patch provided by
Florent Benoit. (markt)
- fix 44389: Fix memory leak that occurred if using a
RequestDispatcher. Patch provided by Arto Huusko. (markt)
- fix 44529: Correct handling of resource constraints so no roles
(deny all) overrides no auth-constraint (allow all). (markt)
- fix 44562: HEAD requests cannot use includes. Patch provided by
David Jencks. (markt)
- fix 44595: Add possibility to request the QueueSize of an executor
via JMX. (jfclere)
- fix Fix CGI Servlet so it correctly reads the environment variables
on Vista. (markt)
- fix 44611: DirContextURLConnection didn't implement
getHeaderFields(), getHeaderField(String name) was case sensitive and returned
"" rather than null for header values that did not exist. Patch provided by
Chris Hubick. (markt)
- fix 44633: Provide a more helpful error message if a class can't be
loaded due to a version error. (rjung/markt)
- fix 44646: Correct various issues, including an ISE, in
CometConnectionManagerValve. (markt)
- fix 44673: ServletInputStream is no longer readable once closed.
(markt)
- fix Better handling of lack of permission for context specific
logging. (markt)
- fix Add permission required to read JDK logging config. (markt)
- fix Update web.xml to reflect packaging of SSI and CGI. (markt)
- fix Add missing access check for ThreadWithAttributes. (markt)
- fix 44833: Correctly override StandardSession methods from
DeltaSession. (fhanik)
- fix 44943: Use the same engine name in server.xml comments to
reduce copy and pastes issues. (markt)
- fix 44988: Use Java5 syntax for debug options. Patch provided by
Cedrik Lime. (markt)
- fix 45101: Format header dates obtained from
DirContextURLConnection as per the HTTP spec. Patch provided by Chris Hubick.
(markt)
- add A new valve, org.apache.catalina.valves.WebdavFixValve, that
forces MS clients connecting to the WebDAV Servlet on port 80 to use a client
that works rather than the default broken one. (markt)
- fix 45195: Passing in null into setAttribute or removeAttribute
cause NPE. (markt)
- * Coyote
- upd NIO: Fix bug in NIO sendfile; the symptom during heavy traffic is
that connections don't get closed. For previous versions, one can disable
sendfile to work around the problem. (fhanik)
- upd APR: Allow to specify the "random device" to use to collect the
entropy. (jfclere)
- upd Fix NIO/SSL live lock during client disconnect. (fhanik)
- fix Fix possible ArrayIndexOutOfBoundsException. Patch provided by
Charles R Caldarale. (markt/jim)
- upd Add support for keystore types that do not need a file. Based
on a patch by Bruno Harbulot. (markt)
- upd 43094: Allow specification of keystore providers. Based on a
patch by Bruno Harbulot. (markt)
- fix 43191: Make it possible to override the defaults with the
compressableMimeType attribute. Based on a patch by Len Popp. (markt)
- fix 44391: Correct handling of escaped values in SSI processing.
(markt)
- fix 44392: HTML entities now handled correctly in SSI processing.
(markt)
- fix 44558: Improve error message so address is included if binding
fails. (markt)
- fix 44494: Character input limited to 8KB. (remm)
- fix 44620: Infinite loop in NIO connector. (markt)
- fix 44785: Correctly document default maxThreads for AJP connector.
(markt)
- upd Log errors for AJP signoffs at DEBUG level, since it is
harmless if mod_jk has hung up the phone. (billbarker)
- fix 44968: Provide more information when the load of a keystore
fails. (markt)
- * Jasper
- fix 31257: Quote endorsed dirs if they contain a space. (markt)
- fix 42943: Make sure nested element is inside <jsp:text> element
before throwing exception. (markt)
- fix 43617: Correctly escape attribute values in tag files. Based on
a patch by Lucas Galfaso. (markt)
- fix 43656: Fix various numeric coercion bugs. Includes a patch by
Nils Eckert and fixes related issues identified in a test case provided by
Konstantin Kolinko. (markt)
- fix 43741: Correctly handle dependencies for tag files in JARs.
(markt)
- fix 44408: Reduce synchronisation when evaluating EL expressions.
Patch provided by Robert Andersson. (markt)
- fix 44428: Fix possible NPE during serialization. (markt)
- fix 44766: EL doesn't coerce custom Number subclasses. (markt)
- fix 44877: Prevent collisions on tag pool names. (markt)
- fix 44986: Make page encoding consistency checks case-insensitive.
(markt)
- fix 44994: Enable nested conditional expressions in JSP EL. Patch
provided by James Manger. (markt)
- fix 45015: You can't use an unescaped quote if you quote the value
with that character. (markt/fhanik)
- add Add HTML filtering of error messages for included resources in
case the app has tried to include an unsafe URL that does not exist. This is
really an app responsibility but the filtering has been added for XSS safety.
(markt)
- * Webapps
- upd Update documentation to use correct version number, correct
file paths and to use $CATALINA_BASE rather than $CATALINA_HOME where
applicable. (markt/jim)
- add Add a section on available system property configuration
options. (markt)
- fix Amend the JNDI datasource doc to reflect new value for no limit
used by updated commons-pool and commons-DBCP. (markt)
- fix 43333: Fix errors in sendfile documentation. (markt)
- fix 43366: Provide backwards compatibility for manager sessions
command. (markt)
- fix 44541: Document packetSize attribute for AJP connector. (markt)
- fix 44715: Document secret attribute for AJP connector. (markt)
- fix Fix some links in the ROOT application that are broken if ROOT
is renamed. (markt)
- fix Align the Realm documentation so that both the configuration
and the how-to are consistent. (markt)
- fix 45277: Fix typo in logging docs. (markt)
- * Cluster
- fix 45212: AbstractReplicatedMap.entrySet() now returns entries
rather than values. (markt)
- fix 45279: Properly close multicast socket.
- upd Fix session replication deadlock during non sticky load
balancing. (fhanik)
- * Other
- add Improve the unit tests for the cookie issues.
(jfclere)
- fix Fix build for JavaDoc. Patch provided by Stephen Bannasch.
(markt)
+ There was however significant bugfix work for the (doa) 6.0.17 release. See
combined upstream changelog at:
+ http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
--
Update to Tomcat 6.0.18
https://bugs.launchpad.net/bugs/260016