pkgsrc-Changes archive


CVS commit: [pkgsrc-2010Q2] pkgsrc/www/apache-tomcat6



Module Name:    pkgsrc
Committed By:   tron
Date:           Sat Sep 25 13:30:25 UTC 2010

Modified Files:
        pkgsrc/www/apache-tomcat6 [pkgsrc-2010Q2]: Makefile PLIST distinfo

Log Message:
Pullup ticket #3231 - requested by spz
apache-tomcat6: security update

Revisions pulled up:
- www/apache-tomcat6/Makefile                   1.7
- www/apache-tomcat6/PLIST                      1.4
- www/apache-tomcat6/distinfo                   1.4
---
Module Name:    pkgsrc
Committed By:   spz
Date:           Sun Sep 19 14:32:04 UTC 2010

Modified Files:
        pkgsrc/www/apache-tomcat6: Makefile PLIST distinfo

Log Message:
Update of apache-tomcat to version 6.0.29
(and a little Makefile cosmetics)
fixes two of the currently known security issues

Upstream changelog:
Tomcat 6.0.29 (jfclere) released 2010-07-22

Catalina

add     48960: Add a new option to the SSI Servlet and SSI Filter to
        allow the disabling of the exec command. This is now disabled
        by default. Based on a patch by Yair Lenga. (markt)
fix     49551: Allow default context.xml location to be specified using
        an absolute path. (markt)
fix     49598: When session is changed and the session cookie is
        replaced, ensure that the new Set-Cookie header overwrites the
        old Set-Cookie header. (markt)
fix     Fix order when listing Webapp loader search URLs. (rjung)
add     Add support for *.jar pattern in VirtualWebappLoader. (kkolinko)

Tomcat 6.0.28 (jfclere) released 2010-07-09

Catalina

fix     Arrange filter logic. (jfclere)
fix     49230: Enhance JRE leak prevention listener with protection for
        the keep-alive thread started by sun.net.www.http.HttpClient.
        Patch provided by Rob Kooper. (markt)
fix     49351: Fix possible NPE when embedding and no name is specified
        for the Service. (markt)
fix     49424: Avoid NPE if client provides no data with a chunked
        POST request. (markt)
fix     49414: Differentiate between request threads and application
        created threads when warning about still running threads when
        an application stops. (markt)
fix     49443: Use remoteIpHeader rather than remoteIPHeader
        consistently. (markt)
add     Add property searchExternalFirst to WebappLoader. If set,
        the external repositories will be searched before the WEB-INF
        ones. (rjung)

Cluster

fix     49445: When session ID is changed after authentication, ensure
        the DeltaManager replicates the change in ID to the other nodes
        in the cluster. (kfujino)

Webapps

fix     49213: Grant permissions required by manager application when
        running under a security manager. (markt/kkolinko)
fix     49436: Correct documented default for readonly attribute of
        the UserDatabase component. (markt)

Tomcat 6.0.27 (jfclere) not released

General

update  Update DBCP to 1.3. (markt)

Catalina

fix     Fix CVE-2010-1157. Prevent possible disclosure of host name
        or IP address via the HTTP WWW-Authenticate header when using
        BASIC or DIGEST authentication. (markt)
add     Include context name when reporting memory leaks to aid root
        cause identification. (markt)
fix     Improve exception handling on session de-serialization to
        assist in identifying the root cause of 48007. (kkolinko)
add     48379: Make session cookie name, domain and path configurable
        per context. (markt)
fix     48589: Make JNDIRealm easier to extend. Based on a patch by
        Candid Dauth. (markt/kkolinko)
fix     48629: Allow user names as well as DNs to be used with the
        nested role search. Add roleNested to the documentation.
        Patch provided by Felix Schumacher. (markt)
fix     48661: Make error page behavior consistent, regardless of how
        the error page is defined. If a response has been committed,
        always include the error page. (markt)
fix     48729: Return roles defined by both userRoleName and roleName
        mechanisms. Patch provided by 'eric'. Also make user's role
        list immutable. (markt)
fix     48760: Fix potential multi-threading issue in static resource
        serving where multiple threads could try to use the same
        InputStream. (markt)
fix     48790: Fix thread safety issue in the count of the maximum
        number of active session. (markt/kkolinko)
fix     48793: Make catalina.sh more robust to different return values
        on different platforms. Patch provided by Thomas GL. (markt)
fix     48840: Swallow output (if any) from use of cd when determining
        $CATALINA_HOME in catalina.sh and tool-wrapper.sh scripts.
        Based on patch provided by mdietze. (markt/kkolinko)
fix     48895: Make clearing of ThreadLocals that are causing memory
        leaks on web application stop, reload or undeploy configurable
        since the process of clearing them is not thread-safe. (markt)
fix     48903: Fix deadlock in webapp class loader. (rjung)
fix     48971: Make stopping of leaking Timer threads optional and
        disabled by default. (markt)
fix     48976: Document JAVA_ENDORSED_DIRS in start-up scripts.
        Patch provided by Laurent Vaills. (markt)
fix     48983: Improve debug logging for situations when RemoteIpValve
        is bypassed. Patch provided by Cyrille Le Clerc. (markt)
fix     49018: Fix processing of time argument in the Expire sessions
        action in the Manager web application. (kkolinko)
fix     49116: If session is already invalid, expire session to prevent
        memory leak. (kfujino)
fix     49158: Ensure only one session cookie is returned for a single
        request. (markt/fhanik)
fix     49245: Fix session expiration check in cross-context requests.
        (markt)
fix     49398: ByteChunk.indexOf(String, int, int, int) could not find
        a string of length 1. (kkolinko)
fix     Fix possible overflows when calculating session statistics.
        (kkolinko)
add     Log unexpected exceptions when providing access to web
        application resources in ApplicationContext. (kkolinko)
fix     Improve exception handling in CatalinaShutdownHook. (kkolinko)
add     Expose properties of VirtualWebappLoader and WebappClassLoader
        via JMX. (rjung)

Coyote

fix     48839: Correctly handle HTTP header folding in the NIO connector.
        Patch suggested by Richa Baronia. (markt)
fix     48843: Prevent possible deadlock for worker allocation in
        connectors. (kkolinko)
fix     48843: Fix handling of add queues in AprEndpoint.Poller and
        AprEndpoint.Sendfile. Do not miss wakeups. (kkolinko)
add     48862: Add support for the backlog parameter to the AJP
        connector. (pero/markt)
fix     48917: Correct name of mod_jk module in ApacheConfig.
        Patch provided by Todd Hicks. (markt)
fix     49095: AprEndpoint did not wakeup acceptors during shutdown
        when deferAccept option was enabled. Based on a patch provided
        by Ruediger Pluem. (kkolinko)
add     Use chunked encoding for http 1.1 requests with no
        content-length (regardless of keep-alive) so client can
        differentiate between complete and partial responses. (markt)
fix     Correct the SSL session timeout attribute name so the code
        agrees with the documentation. (markt)
add     CoyotePrincipal now implements Serializable. (fhanik)
fix     Enable the BIO AJP connector to run under a security manager.
        (markt)

Jasper

fix     45015: Correct a regression in quote handling caused by the
        re-factoring of attribute parsing. (markt)
fix     48701: Add a system property to allow disabling enforcement
        of JSP.5.3. The specification recommends, but does not require,
        this enforcement. (kkolinko)
fix     48737: Don't assume paths that start with /META-INF/... are
        always in JARs. This is not true for some IDEs.
        Patch provided by Fabrizio Giustina. (markt)
fix     49081: Correctly handle EL expressions of the form #${...}. (markt)
fix     49196: Avoid NullPointerException in PageContext.getErrorData()
        if an error-handling JSP page is called directly. (markt)

Cluster

fix     48717: When a node joins a cluster and it receives all the
        current sessions, ensure the sessionCreated event is fired
        if the Manager is configured to replicate session events. (markt)
fix     48934: Previous fix to handle dropped connections incorrectly
        permanently disabled session replication. (fhanik)
fix     49051: memberAlive is not called if member has not already
        existed in membership. (kfujino)
fix     49151: Avoid ClassCastException in BackupManager#stop. (kfujino)
fix     49170: Do not send duplicated session. (kfujino)
fix     Add missing messages and ensure cluster listeners log messages
        to correct logger. (markt)

Webapps

add     Use underscores instead of spaces in anchor names in Tomcat
        documentation. (kkolinko)
add     Add support for displaying the Spring Security user name
        (if present) in the Manager application. (markt)
update  Improve the ChatServlet Comet example (/examples/jsp/chat/).
        (kkolinko)

Other

update  Update to Commons Daemon 1.0.2. Use service launcher (procrun)
        from the Commons Daemon release. Do not keep a copy of it in
        our source tree. (mturk/kkolinko)
update  Update to NSIS 2.46. (kkolinko)
fix     48990: Fix the skip.installer build property so if set, only
        the Windows installer is skipped. (markt)
fix     49178: Provide in catalina.policy an example of additional
        permissions that might be needed for code located in
        $CATALINA_BASE/lib. (markt)
fix     49236: Do not use indexing when packing Tomcat JARs. (kkolinko)
fix     Remove unused code from org.apache.tomcat.util.buf classes.
        (kkolinko)
update  Rearrange tomcat-juli.jar permissions and wrap long lines in
        the conf/catalina.policy file, to make the text more readable
        when cited in documentation. (kkolinko)
fix     Do not evaluate the execute.installer property when building
        a release. The skip.installer property is used instead. (kkolinko)

Tomcat 6.0.26 (jfclere) released 2010-03-11

Catalina

fix     Close security hole in unreleased 6.0.25 by ensuring new find
        leaks functionality is protected by a security constraint.
        (kkolinko)
fix     48831: Improve logging shutdown behaviour. Use Catalina's
        shutdown hook to shutdown JULI. This enables them to be shutdown
        in the correct order. Do not shutdown global handlers several
        times. (markt/kkolinko)

Coyote

fix     48584: Prevent the APR connector logging an error if the
        acceptor fails during shutdown since this is expected. (mturk)
fix     48660: Using compression should not overwrite any Vary header
        set by a web application. (markt)

Jasper

fix     48371: Ensure generated servlet mappings are inserted at the
        correct location when using JspC and allow the option that
        controls this to be configured on the command line.
        Also allow the encoding of web.xml to be configured when using
        JspC and deprecate some unused JspC methods. (markt/kkolinko)
fix     48498: Avoid ArrayIndexOutOfBoundsException triggered by a
        Java 6/7 XML parser bug. (markt/kkolinko)
fix     48668: Additional fixes to ensure deferred syntax is handled
        correctly. (kkolinko)
fix     48827: Correct a regression in the fix for 47977 that caused
        an incorrect non-empty body error to be reported for valid
        JSP documents. (markt)

Webapps

add     Make changelog.xml be directly rendered as HTML by certain
        browsers. (kkolinko)
add     Add support for automated generation of TOC tables and for
        links to svn revisions to tomcat-docs.xsl in documentation.
        (kkolinko/fhanik)
add     Move Manager application JSPs that are not intended to be
        accessed directly under the WEB-INF directory. (kkolinko)
fix     Improve the messages displayed by the find leaks diagnostic
        in the Manager application. (kkolinko)

Other

fix     Encode all property files using ascii escaped UTF-8. Also
        fixes deployment problem when using French locale. (jfclere/rjung)

Tomcat 6.0.25 (jfclere) not released

Catalina

fix     48039: Return immediately if start() is called on an already
        started StandardService. (markt)
fix     48109: Ensure InputStream is closed on error condition in web
        application class loader. (markt)
fix     48179: Clean up dead code that was used to read tldCache file.
        (kkolinko)
fix     48318: Handle case where WebDAV resource is in directory
        listing but is not accessible. (markt)
add     48384: Add a per context xslt option for directory listings.
        Make the fallback options work as described in the
        documentation. (markt)
fix     48577: Filter URL when displaying missing included page. (markt)
fix     48612: Prevent exception on shutdown if the address attribute
        is specified for a connector. (markt)
fix     48613: Further fixes to ensure APRLifecycleListener is only
        used if defined in server.xml. (fhanik)
fix     48614: Correct JULI log file buffering so default behaviour
        is no buffering. (fhanik)
fix     48625: Provide an option to exit if an error occurs during
        the initialization phase. (fhanik)
fix     48645: Use specified encoding rather than null in calls to
        RequestUtil.URLDecode(byte[] bytes, String enc) (markt)
fix     48653: Force request.secure and request.scheme to false and
        http if the X-Forwarded-Proto header has the value http.
        Patch provided by Cyrille Le Clerc. (markt)
fix     48678: Remove duplicate server field from
        org.apache.catalina.startup.Catalina. (markt)
fix     48694: Remove potential deadlock in web application class
        loader. (markt)
add     48716: Provide additional configuration options for JULI. (markt)
fix     48726: Prevent OOME when uploading large WAR files with the
        deployer. Patch provided by adam. (markt)
add     Improve memory leak protection by safely stopping threads
        started via java.util.Timer that an application starts but
        fails to stop and by clearing references retained due to the
        use of java.util.ResourceBundle. (markt)
update  Modify ThreadLocal memory leak detection to not report false
        positives and to simplify implementation. (markt/kkolinko)
add     Basic memory leak detection was added to the standard Host
        implementation and exposed via JMX to detect memory leaks on
        web application reload. (markt/kkolinko)

Coyote

update  Update the native/APR library version bundled with Tomcat to
        1.1.20. (kkolinko)

Jasper

add     Add some debug logging to the compiler where exceptions were
        previously swallowed. (markt)
fix     48170: Remove unnecessary synchronization that is causing
        issues under load. (markt)
fix     48580: Prevent AccessControlException if first access is to
        a JSP that uses a FunctionMapper. (markt)
fix     48582: Avoid NPE on background compilation failure. (markt)
fix     48616: Don't declare or synchronize scripting variables for
        JSP fragments since they are scriptless. This is an alternative
        fix for 42390 that avoids both the original problem and the
        regression in the first fix. (kkolinko)
fix     48627: Fix regression in re-factored EL parsing. Keep literals
        as literals and handle deferredSyntaxAllowedAsLiteral. (kkolinko)
fix     48668: When parsing JSPs only parse EL as EL if EL is enabled
        else strings such as ${ will be silently dropped. (markt)
fix     Various EL TCK failures. (markt)

Cluster

fix     Force a disconnect if an error occurs during replication such
        as a firewall dropping the connection. (fhanik)

Webapps

add     Add new "Find leaks" command to the Manager application.
        It allows detection of web applications that have caused memory
        leaks on stop, reload or undeploy. (markt/kkolinko)

Other

fix     Ensure files in conf directory have CRLF line endings when
        using the Windows installer. (kkolinko)
fix     Allow special characters recognized by the Windows command-line
        shell to be present in the names of CATALINA_HOME/_BASE and
        the current directory used to call the Tomcat scripts. (kkolinko)
fix     Don't use @Deprecated annotations in javax.servlet.jsp.JspContext
        since the specification does not include them in the API
        definition. (markt)
add     Improve the information in the JAR manifest files. (markt)


To generate a diff of this commit:
cvs rdiff -u -r1.6 -r1.6.2.1 pkgsrc/www/apache-tomcat6/Makefile
cvs rdiff -u -r1.3 -r1.3.10.1 pkgsrc/www/apache-tomcat6/PLIST
cvs rdiff -u -r1.3 -r1.3.4.1 pkgsrc/www/apache-tomcat6/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.


