CVS commit: [pkgsrc-2011Q3] pkgsrc/www/apache-tomcat6

["Matthias Scheler" <tron%netbsd.org@localhost>]

Module Name:    pkgsrc
Committed By:   tron
Date:           Wed Dec 14 07:20:13 UTC 2011

Modified Files:
        pkgsrc/www/apache-tomcat6 [pkgsrc-2011Q3]: Makefile PLIST distinfo

Log Message:
Pullup ticket #3629 - requested by spz
www/apache-tomcat6: security update

Revisions pulled up:
- www/apache-tomcat6/Makefile                                   1.10
- www/apache-tomcat6/PLIST                                      1.6
- www/apache-tomcat6/distinfo                                   1.7

---
   Module Name: pkgsrc
   Committed By:        spz
   Date:                Tue Dec 13 09:44:17 UTC 2011

   Modified Files:
        pkgsrc/www/apache-tomcat6: Makefile PLIST distinfo

   Log Message:
   Upstream changelog:

   Tomcat 6.0.35 (jfclere)
   +++++++++++++++++++++++

   Catalina
   --------

   fix  Fix regression in decoding of parameters that contain spaces.
        Patch by Willem Fibbe. (kkolinko)

   Tomcat 6.0.34 (jfclere)      not released
   ++++++++++++++++++++++++++++++++++++

   Catalina
   --------

   fix  51550: Display an error page rather than an empty response
        for an IllegalStateException caused by too many active sessions.
        (markt)
   add  51640: Improve the memory leak prevention for leaks triggered
        by java.sql.DriverManager. (markt/kkolinko)
   fix  51688: JreMemoryLeakPreventionListener now protects against
        AWT thread creation. (schultz)
   fix  51758: The digester (used for processing XML files) used
        the logger name org.apache.commons.digester.Digester rather
        than the expected org.apache.tomcat.util.digester.Digester.
        The digester has been changed to use the expected logger name.
        (kkolinko)
   add  51862: Added a classesToInitialize attribute to
        JreMemoryLeakPreventionListener to allow pre-loading of
        configurable classes to avoid some classloader leaks. (slaurent)
   fix  51872: Ensure that the access log always uses the correct
        value for the remote IP address associated with the request
        and that requests with multiple errors do not result in
        multiple entries in the access log. (markt)
   add  Allow to overwrite the check for distributability of session
        attributes by session implementations. (rjung)
   add  Provide the log format "OneLineFormatter" for JULI that
        provides the same information as the default plus thread
        name but on a single line. (markt/rjung)
   fix  Ensure the the memory leak protection for the HttpClient
        keep-alive always operates even if the thread has already
        stopped. (markt)
   fix  51940: Do not limit saving of request bodies during FORM
        authentication to POST requests since any HTTP method may
        include a request body. Based on a patch by Nicholas Sushkin.
        (kkolinko)
   fix  52091: Address performance issues related to lock contention
        in StandardWrapper. Based on patch provided by Taiki Sugawara.
        (kkolinko)
   update       In GenericPrincipal, SerializablePrincipal: Do not sort lists
        of roles that have only one element. (kkolinko)
   add  Make configuration issue for CsrfPreventionFilter result in
        the failure of the filter rather than just a warning message.
        (kkolinko)
   fix  Ensure changes to the configuration of RemoteAddrValve and
        RemoteHostValve via JMX are thread-safe. (kkolinko)
   add  Make configuration issue for RemoteAddrValve and
        RemoteHostValve result in the failure of the valve rather
        than just a warning message. (kkolinko)
   update       In RequestFilterValve (RemoteAddrValve, RemoteHostValve):
        refactor value matching logic into separate method and expose
        this new method isAllowed through JMX. (kkolinko)
   add  Improve performance of parameter processing for GET and POST
        requests. Also add an option to limit the maximum number of
        parameters processed per request. This defaults to 10000.
        Excessive parameters are ignored. Note that FailedRequestFilter
        can be used to reject the request if some parameters were
        ignored. (markt/kkolinko)
   add  New filter FailedRequestFilter that will reject a request
        if there were errors during HTTP parameter parsing. (kkolinko)

   Coyote
   ------

   fix  50394: Return -1 from read operation instead of throwing an
        exception when encountering an EOF with the HTTP APR connector.
        (kkolinko)
   fix  51698: Fix CVE-2011-3190. Prevent AJP message injection. (markt)
   fix  Detect incomplete AJP messages and reject the associated
        request if one is found. (markt)
   fix  51794: Fix race condition in NioEndpoint selector.
        Patch provided by dlord. (fhanik)
   fix  51905: Fix infinite loop in AprEndpoint shutdown if acceptor
        unlock fails. Reduce timeout before forcefully closing the
        socket from 30s to 10s. (kkolinko)
   fix  52121: Fix possible output corruption when compression is
        enabled for a connector and the response is flushed.
        Test case provided by David Marcks. (kkolinko)
   fix  Replace unneeded call that iterated events queue in
        NioEndpoint.Poller. (kkolinko)
   fix  Improve MimeHeaders.toString(). (kkolinko)
   fix  Allow the BIO HTTP connector to be used with SSL when
        running under Java 7. (markt)
   fix  Improve multi-byte character handling in all connectors. (rjung)

   Jasper
   ------

   fix  51220: Correct copy/paste error in original commit for this
        issue. (markt)
   fix  52091: Address performance issues related to log creation
        in TagHandlerPool. Patch provided by Taiki Sugawara. (markt)

   Cluster
   -------

   add  51736: Make rpcTimeout configurable in BackupManager. (kfujino)
   add  New cluster manager attribute sessionAttributeFilter allows
        to filter which session attributes are replicated using a
        regular expression applied to the attribute name. (rjung)
   fix  Avoid an unnecessary session ID change notice.
        Notice of changed session ID by JvmRouteBinderValve is
        unnecessary to BackupManager. In BackupManager, change of
        session ID is replicated by the call of a setId() method.
        (kfujino)
   fix  Fix unneeded duplicate resetDeltaRequest() call in
        DeltaSession.setId(String). (kkolinko)
   add  When Context manager does not exist, no context manager
        message is replied in order to avoid timeout (default 60 sec)
        of GET_ALL_SESSIONS sync phase. (kfujino)

   Webapps
   -------

   fix  Correct the documentation for the connectionLinger attribute
        of the HTTP connector. (markt)
   add  Show build date and version in the header on every
        documentation page. (kkolinko)
   fix  52049: Improve setup instructions for running as a Windows
        service: correct information on how a JRE is identified and
        selected. (markt)
   update       52172: Clarify Tomcat build instructions. Patch provided by
        bmargulies. (kkolinko)

   Other
   -----

   update       Update the native component of the APR/native connectors
        to 1.1.22. (markt)
   update       Update the recommended version of the native component
        of the APR/native connectors to 1.1.22. (kkolinko)
   update       Update the Eclipse compiler (used for JSPs) to 3.7. (markt)
   fix  Correct two typos in the Windows installer. (kkolinko)
   fix  52059: In Windows uninstaller: Do not forget to remove
        Tomcat keys from 32-bit registry on deinstallation. (kkolinko)


To generate a diff of this commit:
cvs rdiff -u -r1.9 -r1.9.2.1 pkgsrc/www/apache-tomcat6/Makefile
cvs rdiff -u -r1.5 -r1.5.6.1 pkgsrc/www/apache-tomcat6/PLIST
cvs rdiff -u -r1.6 -r1.6.2.1 pkgsrc/www/apache-tomcat6/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.