Keyword substitution: kv
Default branch: MAIN
www/apache-tomcat55: Update to 5.5.36

Changelog:

Tomcat 5.5.36 (markt)

General
update Update to Apache Commons Daemon 1.0.10. (markt)
update Update to Apache Commons Pool 1.5.7. (markt)
update Update to Apache Tomcat Native 1.1.24. (markt)
update Update to Eclipse JDT 3.7.2. (markt)

Catalina
fix 52677: The new SetCharacterEncodingFilter needs to implement Filter to be useful. (markt)
fix 53050: Fix XOR arithmetics and charset issue when calculating entropy to initialize random numbers generator in session manager. Based on a proposal by Andras Rozsa. (kkolinko/jim)
fix 53531: Better checking and improved error messages for directory creation during automatic deployment. (schultz/kkolinko)
fix Various improvements to the DIGEST authenticator including 52954, the disabling caching of an authenticated user in the session by default, tracking server rather than client nonces and better handling of stale nonce values. (markt)
code Remove unneeded handling of FORM authentication in RealmBase. (kkolinko)
fix 53830: Better handling of Manager.randomFile default value on Windows. (kkolinko)

Coyote
fix Ensure that the chunked input filter is correctly recycled between requests. (kkolinko/jim)
add Implement the maxHeaderCount for the HTTP connectors. (kkolinko)
fix 42181: Better handling of edge conditions in chunk header processing. Improve chunk header parsing. Properly ignore chunk-extension suffix, not trying to parse digits contained in it. Reject chunks whose header is incorrect. (kkolinko)

Webapps
fix 52641: Remove mentioning of ldap.jar from docs. Patch provided by Felix Schumacher. (rjung)
fix 53158: Fix documented defaults for DBCP. Patch provided by ph.dezanneau at gmail.com. (rjung)

Other
fix 52640: Correctly set the endorsed directory location when using the Windows installer. (markt)
update 52579: Add a note about Sun's Charset.decode() bug to the RELEASE-NOTES file. (kkolinko)
*: Remove logic for outdated NetBSD versions.
all: migrate several HOMEPAGEs to https

pkglint --only "https instead of http" -r -F

With manual adjustments afterwards since pkglint 19.4.4 fixed a few indentations in unrelated lines.

This mainly affects projects hosted at SourceForge, as well as freedesktop.org, CTAN and GNU.
Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.
Update apache-tomcat to 5.5.35. (fix CVE-2011-4858)

Tomcat 5.5.35 (jim)

Catalina
* Make configuration issues for security related Valves and Filters result in the failure of the valve or filter rather than just a warning message. (markt)
* Ensure changes to the configuration of the RemoteHostValve and the RemoteAddrValve via JMX are thread-safe. (markt)
* In RequestFilterValve (RemoteAddrValve, RemoteHostValve): refactor value matching logic into separate method and expose this new method isAllowed through JMX. (kkolinko)
* Improve performance of parameter processing for GET and POST requests. Also add an option to limit the maximum number of parameters processed per request. This defaults to 10000. Excessive parameters are ignored. Note that FailedRequestFilter can be used to reject the request if some parameters were ignored. (markt/kkolinko)
* New filter FailedRequestFilter that will reject a request if there were errors during HTTP parameter parsing. (kkolinko)
* 52384: Do not fail with parameter parsing when debug logging is enabled. (kkolinko, jim)
* Do not flag extra '&' characters in parameters as parse errors. (kkolinko, jim)
* Slightly improve performance of UDecoder.convert(). Align %2f handling between implementations. (kkolinko)
* 52225: Fix ClassCastException when adding an alias for an existing host via JMX. (kkolinko)
* Do not throw an IllegalArgumentException from a parseParameters() call when a chunked POST request is too large, but treat it like an IO error. (kkolinko)
* Add SetCharacterEncodingFilter (similar to the one contained in the examples web application) to the org.apache.catalina.filters package so it is available for all web applications. (kkolinko)

General
* Update Eclipse compiler to 3.7 and switch to using ecj.jar. (markt)

Coyote
* Improve multi-byte character handling in all connectors. (rjung)

Jasper
* 52335: Only handle <\% and not \% as escaped in template text. (markt)

Webapps
* 52049: Improve setup instructions for running as a Windows service: correct information on how a JRE is identified and selected. (kkolinko)
* 52172: Update Tomcat build instructions. Includes changes proposed by bmargulies. (kkolinko)
* 52243: Improve windows service documentation to clarify how to include # and/or ; in the value of an environment variable that is passed to the service. (markt)

Other
* 52059: Ensure Windows registry keys are removed when using the un-install option of the Windows installer. (markt)
Update apache-tomcat55 to 5.5.34.

General
* Update Tomcat-Native to 1.1.22. (jim)
* Fix CVE-2011-2729. Update to Commons Daemon 1.0.7. (markt)
* 33262: When using the Windows installer, the monitor is now auto-started for the current user rather than all users to be consistent with menu item creation. (markt)
* 40510: Provide an option within the Windows installer to create menu entries for the current user or all users. (markt)
* 50949: Add the ability to specify the AJP port and the shutdown port when using the Windows installer. (markt)
* 51135: Fix auto-detection of JAVA_HOME for 64-bit Windows platforms that only have a 32-bit JVM installed when using the Windows installer. (markt)

Catalina
* 27988: Improve reporting of missing files. (markt)
* 28852: Add URL encoding where missing to parameters in URLs presented by Ant tasks to the Manager application. Based on a patch by Stephane Bailliez. (mark)
* 41179: Return 404 rather than 400 for requests to the ROOT context when no ROOT context has been deployed. (markt)
* 50189: Once the application has finished writing to the response, prevent further reads from the request since this causes various problems in the connectors which do not expect this. (markt)
* Fix CVE-2011-2204. Prevent user passwords appearing in log files if a runtime exception (e.g. OOME) occurs while creating a new user for a MemoryUserDatabase via JMX. (markt)
* 51042: Don't trigger session creation listeners when a session ID is changed as part of the authentication process. (markt)
* 51324: Improve handling of exceptions when flushing the response buffer to ensure that the doFlush flag does not get stuck in the enabled state. Patch provided by Jeremy Norris. (kkolinko)
* 51403: Avoid NullPointerException in JULI FileHandler if formatter is misconfigured. (kkolinko)
* 51473: Fix concatenation of values in SecurityConfig.setSecurityProperty() when the value provided by JRE is null. (kkolinko)
* 51550: Internal errors in Tomcat components that process requests before they are passed to a web application, such as Authenticators, now return a 500 response rather than a 200 response. (markt)
* Add additional configuration options to the DIGEST authenticator. (markt)

Coyote
* Fix CVE-2011-2526. Protect against crashes (HTTP APR) if sendfile is configured to send more data than is available in the file. (markt)
* 50394: Return -1 from read operation instead of throwing an exception when encountering an EOF with the HTTP APR connector. (kkolinko)
* 50744: Skip the SSL configuration check on platforms where an unbounded socket cannot be created. (kkolinko)
* 51073: Throw an exception and do not start the APR connector if it is configured for SSL and an invalid value is provided for SSLProtocol. (markt)
* 51698: Fix CVE-2011-3190. Prevent AJP message injection. (markt)

Jasper
* 36362: Handle the case where tag file attributes (which can use any valid XML name) have a name which is not a Java identifier. (markt)
* Fix possible threading issue in JSP compilation when development mode is enabled. (markt)

Cluster
* 48717: Ensure session activation events are fired. (markt)
* 50771: Ensure HttpServletRequest#getAuthType() returns the name of the authentication scheme if request has already been authenticated. (kfujino)
* 51647: Fix session replication when a session attribute is a Java dynamic proxy. Based on a patch by Tomasz Skutnik. (markt)

Webapps
* 41498: Add the allRolesMode attribute to the Realm configuration page in the documentation web application. (markt)
* Configure Security Manager How-To to include a copy of the actual conf/catalina.policy file when the documentation is built, rather than maintaining a copy of its content. (kkolinko)
* 48997: Fixed some typos and improve cross-referencing to the HTTP Connector and APR documentation with the SSL How-To page of the documentation web application. (markt)

Other
* Align jpda settings in catalina.bat with catalina.sh, tc6.0.x, tc7.0.x and trunk. (markt)
* Clarify error messages in *.sh files to mention that if a script is not found it might be because execute permission is needed. (kkolinko)
Update www/apache-tomcat55 to 5.5.33
- Addresses SA http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0013
- Added LICENSE entry to pkgsrc
- Drop MAINTAINERship
- Changes since 5.5.28 below

Tomcat 5.5.33 (jim)

General
fix Fix permissions of version.sh in bin tarball. (rjung)
fix 45332, 45852, 50140: Backport numerous improvements to the Windows installer. Specify the correct encoding (the current Windows code page) rather than assuming UTF-8 when creating tomcat-users.xml - 45332, 45852. Update install/uninstall icons. Create an installation log. Allow 32-bit JVMs to be selected when installing on a 64-bit platform. Do not ignore install directory if it is specified with the command line switch on 64-bit platforms - 50140. Add support for the /? command line switch. Replace the .ini files with the script equivalents. Provide the ability to edit the roles for the added user. Clean up fully after installation. Add DetailPrint statements for operations that may take time. Improve the descriptions of the components. (kkolinko, mturk, markt)
add Add roles (admin-gui, admin-script, manager-gui, manager-script, manager-jmx, manager-status) to the Manager, Host Manager and Admin applications to allow more fine-grained control of permissions. The old roles are deprecated but will still work in the same way. (kkolinko)

Catalina
fix Improve HTTP specification compliance in support of Accept-Language header. (kkolinko)
fix 50620: Stop exceptions that occur during Session.endAccess() from preventing the normal completion of Request.recycle(). (markt/kkolinko)

Coyote
update Remove JSSE13Factory, JSSE13SocketFactory classes, as Tomcat 5.5 always runs on JRE 1.4 or later. (kkolinko)
fix 50325: When the JVM indicates support for RFC 5746, disable Tomcat's allowUnsafeLegacyRenegotiation configuration attribute and use the JVM configuration to control renegotiation. (markt/kkolinko)

Tomcat 5.5.32 (jim) released 2011-02-01

General
update Update to Commons Daemon 1.0.5. (mturk)
update Update to commons-pool 1.5.5. (markt)
fix Ensure POM files have correct line endings in source distributions. (rjung/markt)

Catalina
add 43960: Expose available property of StandardWrapper via JMX. (markt)
fix 50131: Avoid possible NPE in debug output in PersistentValve. Patch provided by sebb. (kkolinko)
fix 50413: Ensure 304s are not returned when using static files as error pages. (markt/kkolinko)
fix Avoid unnecessary cast in StandardContext. (markt)
fix 50460: Avoid a possible memory leak caused by using a cached exception instance. (kkolinko)
fix 50550: When a new directory is created (e.g. via WebDAV) ensure that a subsequent request for that directory does not result in a 404 response. (markt/kkolinko)

Coyote
fix 47913: Return the IP address rather than null for getRemoteHost() with the APR connector if the IP address does not resolve. (markt)
fix 49521: Disable scanning for a free port in Jk AJP/1.3 connector by default. Do not change maxPort field value of ChannelSocket in its setPort() and init() methods. Add support for maxPort attribute on a Connector element as a synonym for channelSocket.maxPort. (kkolinko)

Jasper
fix 49935: Handle compilation of recursive tag files. (markt)

Cluster
fix Improve sending an access message in DeltaManager. maxInactiveInterval of not Manager but the session is used. If maxInactiveInterval is negative, an access message is not sent. (kfujino)
fix 50547: Add time stamp for CHANGE_SESSION_ID message and SESSION_EXPIRED message. (kfujino)

Webapps
add 50294: Add more information to documentation regarding format of configuration files. Patch provided by Luke Meyer. (markt)
update Improve documentation of database connection factory. (rjung)
fix Improve filtering of Manager display output. (kkolinko)
update Configure the Admin, Manager and Host-Manager web applications to use HttpOnly flag for their session cookies. (kkolinko)

Tomcat 5.5.31 (jim) released 2010-09-16

General
fix Add svn:executable property to some script files and remove it from non-executable files. (rjung)

Catalina
fix 38113 Add system property (ALLOW_EMPTY_QUERY_STRING) to allow spec compliant handling of query string. (markt/kkolinko/jim)
fix Return a copy of the URL being used from the webapp class loader, not the original array. (kkolinko/markt)
fix 49749: Use HttpOnly flag of current context when generating a Single-Sign-On cookie. (markt)

Coyote
fix 49718: Fix regression in previous fix for 46984 caused by the patch being applied to the wrong section of code. The regression caused HTTP 0.9 requests to fail. (markt)

Webapps
fix 49585: Update JSVC documentation to reflect new packaging of Commons Daemon. (markt)
fix 49774: Add support for SSL with either JSSE or APR based connectors to the admin app. (markt)

Cluster
fix Add Null check when CHANGE_SESSION_ID message received. (kfujino)

Tomcat 5.5.30 (jim) released 2010-07-09

General
update Update to Commons Daemon 1.0.2. Use service launcher (procrun) from the Commons Daemon release. Do not keep a copy of it in our source tree. (mturk/kkolinko)
update Update to NSIS 2.46. (kkolinko)
update Update to Apache Commons DBCP 1.3. (markt)
fix 48840: Swallow output (if any) from use of cd when determining $CATALINA_HOME in catalina.sh and tool-wrapper.sh scripts. Based on patch provided by mdietze. (markt/kkolinko)
fix 49236: Do not use indexing when packing Tomcat JARs. (kkolinko)
fix 48990: Build windows distributions correctly on Linux and add support for the skip.installer property. (kkolinko)

Catalina
fix Fix CVE-2010-1157. Prevent possible disclosure of host name or IP address via the HTTP WWW-Authenticate header when using BASIC or DIGEST authentication. (markt)
fix 44041, 48694: Fix duplicate class definition under load. Avoid possible deadlock in class loading. (markt/kkolinko)
fix 47774: Ensure web application class loader is used when calling session listeners. (kfujino)
update 48179: Improve error handling when reading or writing TLD cache file ("tldCache.ser"). (kkolinko)
fix 49398: ByteChunk.indexOf(String, int, int, int) could not find a string of length 1. (kkolinko)
fix Ensure all required i18n messages are present for the APR/native Listener. (kkolinko)
fix Fix possible overflows when calculating session statistics. (kkolinko)
fix 49424: Avoid NPE if client provides no data with a chunked POST request. (markt)
fix Minor code cleanup in AccessLogValve and FastCommonAccessLogValve classes. (kkolinko)

Coyote
fix Arrange filter logic. (jfclere)
fix 48613: Only attempt APR/native connector initialization if the Listener element has been specified in server.xml. (fhanik/kkolinko)
fix 48843: Prevent possible deadlock and correct queue handling for worker allocation in APR connectors. (kkolinko)
fix Use chunked encoding for http 1.1 responses with no content-length (regardless of keep-alive) so client can differentiate between complete and partial responses. (markt)

Jasper
fix 42390, 48616: Fix compilation error with some nested tag files and simple tags. Do not declare or synchronize scripting variables for JSP fragments since they are scriptless. (kkolinko)
fix 47878: Return “404”s rather than a permanent “500” if a JSP is deleted. Make sure first response after deletion is correct. (markt/kkolinko)
fix 48701: Add a system property to allow disabling enforcement of JSP.5.3. The specification recommends, but does not require, this enforcement. (kkolinko)
fix 48580: Prevent AccessControlException when running under a security manager if the first access is to a JSP that uses a FunctionMapper. (markt/kknko)
fix 49196: Avoid NullPointerException in PageContext.getErrorData() if an error-handling JSP page is called directly. (kkolinko)

Cluster
fix 48717: When a node joins a cluster and it receives all the current sessions, ensure the sessionCreated event is fired if the Manager is configured to replicate session events. (markt)
fix 49170: Do not send duplicated session. (kfujino)
fix 49445: When session ID is changed after authentication, ensure the DeltaManager replicates the change in ID to the other nodes in the cluster. (kfujino)

Webapps
add Backport documentation stylesheet improvements from Tomcat 6: use CSS styles to provide printer-friendly layout, support generation of TOC tables, support links revision numbers, use underscores instead of spaces in anchor names. (kkolinko)

Tomcat 5.5.29 (fhanik) released 2010-04-20

General
add 37847: Make location and filename of catalina.out configurable in catalina.sh. (fhanik/kkolinko)
fix 47609: Provide fail-safe EOL conversion for build process. (sebb/markt/kkolinko)
fix 47689: Enable the test Ant target to work. (markt)
fix 47712: Loading tcnative was broken in 5.5.28. (rjung)
fix Correct CVE-2009-3548. When installed via the Windows installer and using defaults, don't create an administrative user with a blank password. Additionally, the administrative user is only created if the manager or host-manager web applications are selected for installation. (markt/kkolinko)
update Deprecate the jni Buffer and Thread classes. (rjung)
update Include 32-bit and 64-bit versions of Tomcat Native DLLs into the Windows installer, instead of downloading them from a web site during install, and allow it to automatically select the correct one for the current platform. (kkolinko/mturk)
update Update Windows installer to use NSIS 2.45. (kkolinko)
update Update to commons-pool 1.5.4. This fixes regressions in 1.5.2. (markt)
fix Align server.xml installed by the Windows installer with the one bundled in zip/tar.gz archives. (kkolinko)
fix Encode all property files using ascii escaped UTF-8. (rjung)
fix Correct MD5 generation in the build process. (kkolinko)

Catalina
fix 37848: Re-fix. Don't display info output when there is no terminal. (markt)
fix 39231: Call LoginModule.logout() when using JAASRealm. (markt/kkolinko)
fix 39844: Fix NPE when performing a non-HTTP forward. (billbarker)
fix 41059: Reduce the chances of errors when using ENABLE_CLEAR_REFERENCES. Patch by Curt Arnold. (markt)
add 45255: Add the ability to change session ID on authentication to protect against session fixation attacks. This is disabled by default. (markt/kkolinko)
fix 46967: Better handling of errors when trying to use Manager.randomFile. Based on a patch by Kirk Wolf. (kkolinko)
fix 47518: Correct reference in Valve Javadoc that referred to an old method. Patch provided by Christopher Schultz. (markt)
fix 47537: Return an error page rather than a zero length 200 response if the forward to the login or error page fails during FORM authentication. (markt)
fix 47718: Fix file descriptor leak on context stop/reload. Patch provided by George Sexton. (markt)
fix 47826: Correct error in debug message in org.apache.catalina.Bootstrap (markt)
fix 47963: Ensure that any HTTP status messages are compliant with RFC2616. (markt/kkolinko)
fix 47997: Enable the NamingResourcesMBean to work with non-Server (i.e. Context) containers. Patch provided by Michael Allman. (markt)
fix 48004: Allow applications to set the Server header. (markt)
fix 48007: Improve exception processing in CustomObjectInputStream. (kkolinko)
fix 48049: Fix copy and paste error so NamingContext.destroySubContext() works correctly. Patch provided by gingyang.xu (markt)
update 48097: Make WebappClassLoader to do not swallow AccessControlException. (kkolinko)
fix 48097: Avoid throwing an AccessControlException which can lead to a NoClassDefFoundError on first access of first jsp. (kkolinko/markt)
fix 48322: Single quote characters are not HTTP separators and should not be treated as such in the cookie handling. (markt)
add Provide an option to allow the use of equals characters in cookie values. (markt)
fix 48516: Prevent NPE in JNDIRealm if requested user does not exist. Patch provided by Kevin Conaway. (markt)
fix 48577: Filter URL when displaying missing included page. (markt)
fix 48760: Remove race condition that can result in multiple threads trying to use the same InputStream. (markt)
fix Add an additional permission required by JULI when running under newer JDKs and a security manager. (markt)
fix Close resource stream in WebappClassLoader after read error. (pero)
fix Do not swallow exceptions in ApplicationContextFacade.doPrivileged() (kkolinko)
fix Various related (un)deploy improvements including: better handling of failed (un)deployment; adding checking for invalid zip file entries that don't make sense in a WAR file; and improved validation of WAR file names. These changes address CVE-2009-2693, CVE-2009-2901 and CVE-2009-2902.

Coyote
fix 43327: Allow APR/native connector to work correctly on systems when IPv6 is enabled. (markt)
fix 46950: Support SSL renegotiation with APR/native connector. Note that this requires APR/native 1.1.17 or later. (markt)
fix 47225: Fix error in calculation of a buffer length in the mapper. (markt)
fix 47744: Prevent a medium term memory leak if using SSL with the JSSE provider and also using a security manager. Based on a patch by Greg Vanore. (markt)
fix 47987: Limit size of not found resources cache. (markt)
fix 48109: Ensure InputStream is closed in WebappClassLoader on error conditions. (markt)
fix 48311: APR should not be initialised if the APR life-cycle listener is not enabled. (markt)
fix 48581: Avoid security exception on first access. (markt)
fix 48584: Prevent the APR connector logging an error if the acceptor fails during shutdown since this is expected. (mturk)
fix CVE-2009-3555. Provide option to disable legacy SSL renegotiation. (markt/costin)
fix Fix Windows installer to bundle an up-to-date version of native/APR with it. When asked to install TC-Native it was downloading some very old (1.1.4) version of it from the HEAnet site. (kkolinko)
update Update the native/APR library version bundled with Tomcat to 1.1.20. (kkolinko)
update Update recommended version for native to 1.1.19. (rjung)
fix Remove unneeded line from the method that normalizes decodedURI. (kkolinko)

Jasper
fix 38797: Fix regression in previous fix for this bug. (markt)
fix 41661: Fix thread safety issue in JspConfig.init() (markt)
fix 41824: Need to use canonical rather than binary form when writing code. (markt)
fix 46907: Don't swallow input stream when debug logging is enabled. (markt)
fix 48582: Avoid NPE on background compile. (markt)

Cluster
fix DeltaManager needs to replicate changed attributes even if session gets invalidated. Otherwise session listeners will not see the right data on the secondary nodes. (rjung)
fix Remove unnecessary Java5 dependencies. (markt)
fix 46384: Correct synchronisation issue that could lead to a cluster member disappearing permanently. (markt)
fix 47554: Include httpOnly attribute when re-writing session cookie after fail over. (markt)

Webapps
fix 41564: Add some information on installing Tomcat as a service on operating systems with User Account Control, e.g. Vista. (markt)
fix 47656: Add information to documentation on system property replacement in configuration files. (markt)
fix 47769: Clarify the JNDI docs with respect to use of <resource-ref> and related elements, specifically when they are required and when they may be omitted. (markt)
fix 48381: Add information on how Tomcat treats host names to the host configuration documentation. (markt)
add 48530: Add information on the Manager Server Status page to the Manager How-To in the documentation webapp. Based on a patch by Arnaud Espy. (markt)
add 48532: Add information to the BIO/NIO SSL configuration page in the documentation web application to specify how the defaults for the various trust store attributes are determined. (markt)
fix 48686: Fix deleting a host via the Administration web application rather than failing with a HTTP 500 response. (markt)
add Make changelog.xml be directly rendered as HTML by certain browsers. (kkolinko)

Tomcat 5.5.28 (fhanik) released 2009-09-04

General
fix 39194: Make the setting of the classpath consistent for the .sh and .bat startup scripts. (markt/kkolinko)
fix 45880: Include NOTICE file in Windows installer and make sure src files are excluded. (markt)
update Update to NSIS 2.44 (kkolinko)
update Build scripts: Use different values for ${tomcat-dbcp.home} and ${jasper-compiler-jdt.home} in tomcat-deps. Fix download task checks for commons-pool and commons-dbcp. (kkolinko)
add Add the 64-bit windows service binaries to the distribution and get the Windows installer to automatically select the correct one for the current platform. (markt/kkolinko)
update Update to commons-pool 1.5.2. This includes various fixes to prevent deadlocks, reduce syncs and make object allocation occur fairly - i.e. objects are allocated to threads in the order that the threads request them. This fixes a number of issues with the version of DBCP embedded within Tomcat. (markt)
update Update Tomcat Windows service application (procrun) to version 2.0.5. It contains a fix for issue 41538 (mturk)
fix 47149: Explicitly specify encoding when performing filtering during copy, fixcrlf or replace operations in build scripts. Don't add blank lines to files when fixing line endings. Explicitly specify encoding when compiling. (kkolinko)
fix 47464: Some class files were accidentally included into the source distributions of TC 5.5.27. (kkolinko)
docs Document that building Tomcat requires Ant 1.6.2 or later. (kkolinko)

Catalina
fix 37458: Fix sync error that may lead to NPE in rare circumstances. Patch by Konstantin Kolinko. (markt)
fix 37498: Fall back to container log if application log is unavailable during context destruction. (markt)
fix 37794: Handle POSTed parameters when sent with chunked encoding. (markt)
fix 37984: Strip {MD5} as well as {SHA} if present in digest passwords in LDAP directories. (markt)
fix 38553: A lack of certificates is normal if a user doesn't have a certificate. Return a 401 rather than a 400 in this case. (markt)
fix 38570: When checking docBase against appBase, make sure we check for an exact match against the appBase. (markt)
fix 39013: When testing for an invalid docBase, use an exact match for the appBase. (markt)
fix 39396: Only include TRACE in an OPTIONS response if we know it has been enabled. (markt)
fix Remove wrong "No role found" realm debug log message, even if a role was found. (rjung)
fix 39997: Add the SSLRandomSeed option to the AprLifecycleListener to enable faster starts on development systems. (markt)
fix 40380: Fix potential synchronization issue in StandardSession.expire(). (markt)
fix 41407: JAAS Realm now works with CLIENT-CERT authentication. (markt)
add 42419: Add a system property that enables the name of the session cookie and session path parameter to be configured. (markt)
fix 42579: Support both relative and absolute search results in the JNDI Realm implementation. Patch provided by Brandon DuRette. (markt)
fix 42707: Make adding a host alias via JMX take effect immediately. (markt)
fix 43343: Correctly handle requesting a session we are in the middle of persisting. Based on a suggestion by Wade Chandler. (markt/kkolinko)
add 44382: Add support for using httpOnly for session cookies. This is disabled by default. (markt/fhanik)
fix 45576: JAAS Realm now works with DIGEST authentication. (markt)
fix 45628: JARs that do not declare any dependencies should always be considered as fulfilled. (markt)
fix 45933: Don't use a web application provided parser to process TLD files. (markt)
fix 45996: Add Accept-Ranges header to responses from the DefaultServlet with an option to disable it. (markt)
fix 46105: Correctly set URI encoding when replaying a request after FORM authentication. (markt)
fix 46408: Correct possible invalid case in SecurityUtil. (markt)
fix 46552: Return a 400 response rather than a 200 response if the request headers are too large. (markt)
fix 46597: Port all cookie handling changes from Tomcat 6.0.x. (markt)
fix 46606: Make max depth limit for WebDAV servlet configurable. (markt)
fix 46717: Fix hard to reproduce thread safety issue with session expiration. (markt)
fix 46982: Fix DST problem with AccessLogValve. (markt)
fix Improve handling of situation where web application tries to configure logging at the context level but the security policy prevents this. (markt/rjung)
fix Fix an information disclosure vulnerability in a number of the Realms that allowed user enumeration when using FORM authentication. This is CVE-2009-0580. (markt)
fix Fix various WebDAV compliance issues identified by the Litmus test suite. (markt)
fix Use a better default (webapps) for a Host's appBase. (idarwin/markt)
fix 44943: Reduce copy/paste issues caused by different engine names in server.xml. (markt, kkolinko)
fix Remove obsolete classpath entry for commons-logging from start script. It is already present in the classpath set by the manifest in bootstrap.jar. (rjung)
fix 38483: Thread safety issues in AccessLogValve classes. (kkolinko)
add Allow log file encoding to be configured for JULI FileHandler. (kkolinko)

Jasper
fix 36923: Parse deactivated EL expressions correctly. (markt)
fix 37084: Fix JspC compilation with Ant when compiling JSPs that use a custom taglib. (markt/kkolinko)
fix 37515: Add options for Java 1.6 and 1.7 to the JDT compiler. (markt)
fix 38197: Fix tag pooling when tags are used with jsp:attribute. (markt)
fix 38352: Make the directory defined by javax.servlet.context.tempdir readable for JSPs when running under a security manager as required by the specification. (markt)
fix 38797: Revert previous fix for 37933 and implement a new fix that does not have the side effects described in 38797.
fix 38897: Add uri of broken TLD to error message to aid debugging. (markt)
fix 41606: Fix double initialisation of JSPs. Patch provided by Chris Halstead. (markt)
fix 45666: Fix infinite loop on include. Patch provided by Tom Wadzinski. (markt)
fix 46354: Fix ArrayIndexOutOfBoundsException when using org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER=true. Patch provided by Konstantin Kolinko. (markt)
fix 46909: Only include semi-colon in type attribute for <jsp:plugin> when it is required. (markt)

Cluster
fix Fix minor memory leak found by find bugs. (markt, rjung)
fix 40551: Enable the JvmRouteBinderValve to work with PersistentManagers as well as clustering. Patch by Chris Chandler. (markt)
fix 46357: Corrected test for host's parent must be an engine. (markt, rjung)
update 45317: Properly log the value of the state transfer timeout flag. (fhanik, rjung)
fix 45279: Properly close multicast socket. (fhanik, rjung)
fix 45447: Add Spanish resource files. Patch provided by Jesus Marin. (markt, rjung)
fix 46990: Fix synchronization issues in cluster membership reported by FindBugs. Patch provided by Sebb. (markt, rjung)
fix 47389: DeltaManager doesn't do session replication if notifySessionListenersOnReplication=false. Patch by Keiichi Fujino. (fhanik, rjung)
fix Separate statistics counter lock in FastAsyncSocketSender from inherited DataSender lock to reduce blocking during failed node detection. (rjung)
fix Handle situation session ID rewriting on fail-over with parallel requests from the same client. (pero)
fix 43641: Use of bind attribute for membership element breaks multicast. (rjung)

Webapps
fix Fix CVE-2009-0781. XSS in calendar example. (markt)
fix 36574: Fix broken PDFs. (markt)
fix 39603: Admin app only showed ROOT web application when clustering was enabled. (markt)
fix 47032: Fix /status/all in Manager webapp when using the PersistentManager. (markt)
fix 47235: Remove use of autoReconnect from MySQL examples. (mark)
fix 46509: Use correct link on error page in JSP security example. Patch provided by Michael Moody. (markt)
fix 46562: Close file when reading has finished when using SSI. (markt)

Coyote
fix 37869: Correctly extract client certificates, including the full certificate chain when using the APR/native HTTP connector. (markt)
fix 39637: Correctly extract client certificates, including the full certificate chain when using the AJP connectors. Patch by Patrik Schnellmann. (markt)
update Set remote port for AJP connectors from the optional request attribute AJP_REMOTE_PORT. (rjung)
fix 45026: Never return an empty HTTP status reason phrase. mod_jk and httpd 2.x do not like that. (rjung)
fix 45528: An invalid SSL configuration could cause an infinite logging loop on startup. (markt)
fix 46984: Reject requests with invalid HTTP methods with a 400 rather than a 501. (markt)
update Update the APR/native connector to 1.1.16. (markt, kkolinko)
fix Correct potential DOS issue in Java AJP connector when processing invalid request headers. This is CVE-2009-0033. (markt)
fix Make DateTool thread safe. (fhanik)
Pullup ticket #2525 - requested by abs apache-tomcat55: security update Revisions pulled up: - www/apache-tomcat55/Makefile 1.17 - www/apache-tomcat55/PLIST 1.6 - www/apache-tomcat55/distinfo 1.7 --- Module Name: pkgsrc Committed By: abs Date: Wed Sep 10 09:53:31 UTC 2008 Modified Files: pkgsrc/www/apache-tomcat55: Makefile PLIST distinfo Log Message: Updated www/apache-tomcat55 to 5.5.27 Tomcat 5.5.27 (fhanik) General 44463: War file upload in manager webapp fails due to missing commons-io dependency. Added commons-io 1.4. (rjung) Catalina 44021, 43013: Add support for # to signify multi-level contexts for directories and wars. 44494: Backport from 6.0 (rjung) Add additional checks for URI normalization. (remm) Don't throw an ArrayIndexOutOfBoundsException when empty URL is requested. Patch provided by Charles R Caldarale. (markt) 29936: Don't use parser from a webapp to parse web.xml and possibly context.xml files. (markt) 43079: Correct pattern verification for suspicious URLs. Patch provided by John Kew. (markt) 43080: Log suspicious URL pattern warnings to the correct web application. (markt) 43117: Setting an empty workDIR could delete all of CATALINA_HOME. Patch provided by Takayuki Kaneko. (markt) 44282: Prevent security exception in trace level logging for web application class loader when running under a security manager. (markt) 44529: No roles specified (deny all) should take precedence over no auth-constraint specified (allow-all). (markt) 43578: Enable start on Linux if $CATALINA_HOME contains a space. Original patch provided by Ray Sauers with improvements by Ian Ward Comfort. (markt) 44673: Throw IOE if ServletInputStream is closed and a call is made to any read(), ready(), mark(), reset(), or skip() method as per javadocs for Reader. (markt) Enable the CGIServlet to work with Windows Vista. (markt) Add additional permission required to read JDK logging configuration when running with a security manager. 
(markt) 44943: Reduce copy/paste issues caused by different engine names in server.xml. (markt) 45195: Prevent NPE when calling Session.getAttribute(null) and Session.removeAttribute(null). The spec is unclear but this is a regression from 5.0.x. (markt) 45293: Update name of commons-logging jar in security policy. (markt) 45453: Fix race condition in JDBC Realm. Based on a patch provided by Santtu Hyrkk. (markt) JAAS Realm did not read role information for users. (markt) Connectors Log errors for AJP signoffs at DEBUG level, since it is harmless if mod_jk has hung up the phone. (billbarker) 42727: Handle request lines that are exact multiples of 4096 in length. Patch provided by Will Pugh. (markt) 43191: Compression could not be disabled for some file types. Based on a patch by Len Popp. (markt) 45591: Fix NPE on shutdown failure in some cases. Based on a patch by Matt Passell. (markt) Jasper 31257: Quote endorsed dirs if they contain a space. (markt) 42943: Make sure nested element is inside <jsp:text> element before throwing exception. (markt) 44877: Prevent collisions in tag pool names. (markt) 45015: Enforce JSP spec rules on quoting in attributes. This is configurable using the system property org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING. (markt) Webapps 42899: When saving config from admin app, correctly handle case where the old config file does not exist. (markt) 44541: Document packetSize attribute for AJP connector. (markt) 44715: Document use of secret for AJP connector. (markt) 45323: Add note that context.xml files can only contain a single Context element. (markt) Update JNDI datasource docs since maxActive setting for unlimited changed in commons-pool > 1.2. (markt) Specification Use a localised error message if a user tries to write a negative length byte array during default processing of a HEAD request. (markt) 44562: HEAD requests cannot use includes. Patch provided by David Jencks. (markt)
Updated www/apache-tomcat55 to 5.5.27 Tomcat 5.5.27 (fhanik) General 44463: War file upload in manager webapp fails due to missing commons-io dependency. Added commons-io 1.4. (rjung) Catalina 44021, 43013: Add support for # to signify multi-level contexts for directories and wars. 44494: Backport from 6.0 (rjung) Add additional checks for URI normalization. (remm) Don't throw an ArrayIndexOutOfBoundsException when empty URL is requested. Patch provided by Charles R Caldarale. (markt) 29936: Don't use parser from a webapp to parse web.xml and possibly context.xml files. (markt) 43079: Correct pattern verification for suspicious URLs. Patch provided by John Kew. (markt) 43080: Log suspicious URL pattern warnings to the correct web application. (markt) 43117: Setting an empty workDIR could delete all of CATALINA_HOME. Patch provided by Takayuki Kaneko. (markt) 44282: Prevent security exception in trace level logging for web application class loader when running under a security manager. (markt) 44529: No roles specified (deny all) should take precedence over no auth-constraint specified (allow-all). (markt) 43578: Enable start on Linux if $CATALINA_HOME contains a space. Original patch provided by Ray Sauers with improvements by Ian Ward Comfort. (markt) 44673: Throw IOE if ServletInputStream is closed and a call is made to any read(), ready(), mark(), reset(), or skip() method as per javadocs for Reader. (markt) Enable the CGIServlet to work with Windows Vista. (markt) Add additional permission required to read JDK logging configuration when running with a security manager. (markt) 44943: Reduce copy/paste issues caused by different engine names in server.xml. (markt) 45195: Prevent NPE when calling Session.getAttribute(null) and Session.removeAttribute(null). The spec is unclear but this is a regression from 5.0.x. (markt) 45293: Update name of commons-logging jar in security policy. (markt) 45453: Fix race condition in JDBC Realm. 
Based on a patch provided by Santtu Hyrkk. (markt) JAAS Realm did not read role information for users. (markt) Connectors Log errors for AJP signoffs at DEBUG level, since it is harmless if mod_jk has hung up the phone. (billbarker) 42727: Handle request lines that are exact multiples of 4096 in length. Patch provided by Will Pugh. (markt) 43191: Compression could not be disabled for some file types. Based on a patch by Len Popp. (markt) 45591: Fix NPE on shutdown failure in some cases. Based on a patch by Matt Passell. (markt) Jasper 31257: Quote endorsed dirs if they contain a space. (markt) 42943: Make sure nested element is inside <jsp:text> element before throwing exception. (markt) 44877: Prevent collisions in tag pool names. (markt) 45015: Enforce JSP spec rules on quoting in attributes. This is configurable using the system property org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING. (markt) Webapps 42899: When saving config from admin app, correctly handle case where the old config file does not exist. (markt) 44541: Document packetSize attribute for AJP connector. (markt) 44715: Document use of secret for AJP connector. (markt) 45323: Add note that context.xml files can only contain a single Context element. (markt) Update JNDI datasource docs since maxActive setting for unlimited changed in commons-pool > 1.2. (markt) Specification Use a localised error message if a user tries to write a negative length byte array during default processing of a HEAD request. (markt) 44562: HEAD requests cannot use includes. Patch provided by David Jencks. (markt)
Add DESTDIR support.
Second round of explicit pax dependencies. As reminded by tnn@, many packages used to use ${PAX}. Use the common way of directly calling pax, it is created as tool after all.
Explicitly add pax dependency in those Makefiles that use it (or have patches to add it). Drop pax from the default USE_TOOLS list. Make bsdtar the default for those places that wanted gtar to extract long links etc, as bsdtar can be built of the tree.
Lots of changes, see the changelog for all the details: http://tomcat.apache.org/tomcat-5.5-doc/changelog.html

Of note:
important: Data integrity CVE-2007-6286
important: Information disclosure CVE-2007-5461
low: Elevated privileges CVE-2007-5342
low: Session hi-jacking CVE-2007-5333
Are all fixed in this release.
Pullup ticket 2231 - requested by adrianp security update for apache-tomcat - pkgsrc/www/apache-tomcat55/Makefile 1.12 - pkgsrc/www/apache-tomcat55/PLIST 1.4 - pkgsrc/www/apache-tomcat55/distinfo 1.5 Module Name: pkgsrc Committed By: adrianp Date: Tue Nov 20 22:13:30 UTC 2007 Modified Files: pkgsrc/www/apache-tomcat55: Makefile PLIST distinfo Log Message: Update to 5.5.25 Fix install permissions to silence checkperms In brief: Fix WebDAV Servlet so it works correctly with MS clients. (markt) Fix XSS security vulnerability (CVE-2007-2450) in the Manager and Host Manager. Reported by Daiki Fukumori. (markt) Fix NPE when a ResourceLink in context.xml tries to override an env-entry in web.xml. (markt) Fix XSS security vulnerabilities (CVE-2007-2449) in the examples. Reported by Toshiharu Sugiyama. (markt) Add some additional mime-type mappings. (markt) Ensure JARs in webapps are scanned for TLDs when the Tomcat installation path contains spaces. (markt) Add link to httpd 2.2 mod_proxy_ajp docs in AJP connector doc. (yoavs) For all the details see: http://tomcat.apache.org/tomcat-5.5-doc/changelog.html
Update to 5.5.25 Fix install permissions to silence checkperms In brief: Fix WebDAV Servlet so it works correctly with MS clients. (markt) Fix XSS security vulnerability (CVE-2007-2450) in the Manager and Host Manager. Reported by Daiki Fukumori. (markt) Fix NPE when a ResourceLink in context.xml tries to override an env-entry in web.xml. (markt) Fix XSS security vulnerabilities (CVE-2007-2449) in the examples. Reported by Toshiharu Sugiyama. (markt) Add some additional mime-type mappings. (markt) Ensure JARs in webapps are scanned for TLDs when the Tomcat installation path contains spaces. (markt) Add link to httpd 2.2 mod_proxy_ajp docs in AJP connector doc. (yoavs) For all the details see: http://tomcat.apache.org/tomcat-5.5-doc/changelog.html
Pullup ticket 2115 - requested by lkundrak security update for apache-tomcat55 Revisions pulled up: - pkgsrc/www/apache-tomcat55/Makefile 1.11 - pkgsrc/www/apache-tomcat55/PLIST 1.3 - pkgsrc/www/apache-tomcat55/distinfo 1.4 Module Name: pkgsrc Committed By: obache Date: Wed Apr 25 06:14:45 UTC 2007 Modified Files: pkgsrc/www/apache-tomcat55: Makefile PLIST distinfo Log Message: Update apache-tomcat55 to 5.5.23. Tomcat 5.5.23 (fhanik) Catalina 41608 Make log levels consistent when Servlet.service() throws an exception. (markt) 41666 Correct handling of boundary conditions for If-Unmodified-Since and If-Modified-Since headers. Patch provided by Suzuki Yuichiro. (markt) 41674 Fix error messages when parsing context.xml that incorrectly referred to web.xml. (markt) 41739 Correct handling of servlets with a load-on-startup value of zero. These are now the first servlets to be started. (markt) Coyote Requests with multiple content-length headers are now rejected. (markt) Tomcat 5.5.22 (fhanik) General Fix regression in build that prevented connectors from building. (markt) Tomcat 5.5.21 (fhanik) Catalina 41401: StandardService.getConnectorNames() return array of Connector JMX objectnames. (pero) 29727: If env-entry values in web.xml are changed then ensure new values are applied when context is reloaded. (markt) 34956: Ensure request and response objects passed to a RequestDispatcher meet the requirements of SRV.8.2 and SRV.14.2.5.1. This is disabled by default. The Java option -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true is required to enable this test. (markt) 36274: When including static content with the DefaultServlet also treat content types ending in xml as text. (markt) 36976: Don't use CATALINA_OPTS when stopping Tomcat. This allows options for starting and stopping to be set on JAVA_OPTS and options for starting only to be set on CATALINA_OPTS. Without this fix, some startup options (eg the port for remote JMX) would cause stop to fail. 
Based on a fix suggested by Michael Vorburger. (markt) 37070: Update mbean name documentation to include the StandardWrapper. (markt) 37356: Ensure sessions time out correctly. This has been fixed by removing the accessCount feature by default. This feature prevents the session from timing out whilst requests that last longer than the session time out are being processed. This feature is enabled by setting the Java option -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true The feature is now implemented with synchronization which addresses the thread safety issues associated with the original bug report. (markt) 37439: Update documentation for Engine component to add the requirement that the name must be unique. (markt) 37458: Add syncs to the WebappClassloader to address rare issues when multiple threads attempt to load the same class concurrently. (markt) 37509: Do not remove whitespace from the end of values defined in logging.properties files. (markt) 38198: Add reference to Context documentation from Host documentation that explains how Context name is obtained from the Context filename. (markt) 39088: Prevent infinite loops when an exception is thrown that returns itself for getRootCause(). Based on a patch by Wouter Zelle. (markt) 39436: Correct MIME type for SVG. (markt) 39627: JULI no longer ignores a ".level=XXX" directive in logging.properties. Patch provided by Roger Keays and Richard Fearn. (markt) 39724: Removing the last valve from a pipeline did not return the pipeline to the original state. Patch provided by David Gagon. (markt) 40367: Update JK auto configuration documentation to clarify that workers.properties must also exist. (markt) 40524: HttpServletRequest.getAuthType() now returns CLIENT_CERT rather than CLIENT-CERT for certificate authentication as per the spec. Note that web.xml continues to use CLIENT-CERT to specify the certificate authentication should be used. 
(markt) 40526: Add support for JPDA_OPTS to catalina.bat and add a JPDA_SUSPEND environment variable to both startup scripts. Patch provided by Kurt Roy. (markt) 40528: Add missing message localisations as provided by Ben Clifford. (markt) 40585: Fix parameterised constructor for o.a.juli.FileHandler so parameters have an effect. (markt) 40625: Stop CGIServlet swallowing the root cause of an exception. Patch provided by Takayoshi Kimura. (markt) 40723: Correct table creation example in JavaDoc for JDBCAccessLogValve. (markt) 40802: Add jsp-api.jar to fileset in catalina-tasks.xml as provided by Daniel Santos. (pero) 40817: Correct problem where CGI scripts in the root of the ROOT context threw a StringIndexOutOfBoundsException. (markt) Set the SCRIPT_FILENAME environment variable required by PHP when using the CGIServlet to execute PHP. (markt) 40823: Update context doc to clarify use of ROOT.xml, multi-level context paths and to further discourage use of server.xml (markt) 40844: Add additional syncs to JDBCRealm to resolve NPE when two users try to authenticate using DIGEST authentication at the same time. (markt) 40860: Log exceptions and other problems during parameter processing. (markt) 40901: Encode directory listing output. Based on a patch provided by Chris Halstead. (markt) 40929: Correct JavaDoc for StandardClassLoader. (markt) 41008: Allow POST to be used for indexed queries with CGI Servlet. Patch provided by Chris Halstead. (markt) 41020: Improve error message when custom error report Valve fails to load. Also remove requirement that custom error report Valves extend ValveBase. (markt) 41217: Set secure attribute on SSO cookie when cookie is created during a secure request. Patch provided by Chris Halstead. (markt) Ensure Accept-Language headers conform to RFC 2616. Ignore them if they do not. (markt) Make provided instances of RequestDisvs) 40160: add reference to the Filter proposed in this Bugzilla item to the WebdavServlet. 
While at it, give the WebdavServlet some long-overdue TLC by cleaning up some of the old datl JDK 1.4-compliant) interfaces. (yoavs) Add a virtual hosting how-to contributed by Hassan Schroeder. (markt) Cluster Add clustered SSO code and backport feature from Tomcat 6.0.x, subn (pero) Add better recovery at FastAsyncQueueSender. Made the strategy more robust for temporary connection problems (pero)
Update apache-tomcat55 to 5.5.23. Tomcat 5.5.23 (fhanik) Catalina 41608 Make log levels consistent when Servlet.service() throws an exception. (markt) 41666 Correct handling of boundary conditions for If-Unmodified-Since and If-Modified-Since headers. Patch provided by Suzuki Yuichiro. (markt) 41674 Fix error messages when parsing context.xml that incorrectly referred to web.xml. (markt) 41739 Correct handling of servlets with a load-on-startup value of zero. These are now the first servlets to be started. (markt) Coyote Requests with multiple content-length headers are now rejected. (markt) Tomcat 5.5.22 (fhanik) General Fix regression in build that prevented connectors from building. (markt) Tomcat 5.5.21 (fhanik) Catalina 41401: StandardService.getConnectorNames() return array of Connector JMX objectnames. (pero) 29727: If env-entry values in web.xml are changed then ensure new values are applied when context is reloaded. (markt) 34956: Ensure request and response objects passed to a RequestDispatcher meet the requirements of SRV.8.2 and SRV.14.2.5.1. This is disabled by default. The Java option -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true is required to enable this test. (markt) 36274: When including static content with the DefaultServlet also treat content types ending in xml as text. (markt) 36976: Don't use CATALINA_OPTS when stopping Tomcat. This allows options for starting and stopping to be set on JAVA_OPTS and options for starting only to be set on CATALINA_OPTS. Without this fix, some startup options (eg the port for remote JMX) would cause stop to fail. Based on a fix suggested by Michael Vorburger. (markt) 37070: Update mbean name documentation to include the StandardWrapper. (markt) 37356: Ensure sessions time out correctly. This has been fixed by removing the accessCount feature by default. This feature prevents the session from timing out whilst requests that last longer than the session time out are being processed. 
This feature is enabled by setting the Java option -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true The feature is now implemented with synchronization which addresses the thread safety issues associated with the original bug report. (markt) 37439: Update documentation for Engine component to add the requirement that the name must be unique. (markt) 37458: Add syncs to the WebappClassloader to address rare issues when multiple threads attempt to load the same class concurrently. (markt) 37509: Do not remove whitespace from the end of values defined in logging.properties files. (markt) 38198: Add reference to Context documentation from Host documentation that explains how Context name is obtained from the Context filename. (markt) 39088: Prevent infinite loops when an exception is thrown that returns itself for getRootCause(). Based on a patch by Wouter Zelle. (markt) 39436: Correct MIME type for SVG. (markt) 39627: JULI no longer ignores a ".level=XXX" directive in logging.properties. Patch provided by Roger Keays and Richard Fearn. (markt) 39724: Removing the last valve from a pipeline did not return the pipeline to the original state. Patch provided by David Gagon. (markt) 40367: Update JK auto configuration documentation to clarify that workers.properties must also exist. (markt) 40524: HttpServletRequest.getAuthType() now returns CLIENT_CERT rather than CLIENT-CERT for certificate authentication as per the spec. Note that web.xml continues to use CLIENT-CERT to specify the certificate authentication should be used. (markt) 40526: Add support for JPDA_OPTS to catalina.bat and add a JPDA_SUSPEND environment variable to both startup scripts. Patch provided by Kurt Roy. (markt) 40528: Add missing message localisations as provided by Ben Clifford. (markt) 40585: Fix parameterised constructor for o.a.juli.FileHandler so parameters have an effect. (markt) 40625: Stop CGIServlet swallowing the root cause of an exception. Patch provided by Takayoshi Kimura. 
(markt) 40723: Correct table creation example in JavaDoc for JDBCAccessLogValve. (markt) 40802: Add jsp-api.jar to fileset in catalina-tasks.xml as provided by Daniel Santos. (pero) 40817: Correct problem where CGI scripts in the root of the ROOT context threw a StringIndexOutOfBoundsException. (markt) Set the SCRIPT_FILENAME environment variable required by PHP when using the CGIServlet to execute PHP. (markt) 40823: Update context doc to clarify use of ROOT.xml, multi-level context paths and to further discourage use of server.xml (markt) 40844: Add additional syncs to JDBCRealm to resolve NPE when two users try to authenticate using DIGEST authentication at the same time. (markt) 40860: Log exceptions and other problems during parameter processing. (markt) 40901: Encode directory listing output. Based on a patch provided by Chris Halstead. (markt) 40929: Correct JavaDoc for StandardClassLoader. (markt) 41008: Allow POST to be used for indexed queries with CGI Servlet. Patch provided by Chris Halstead. (markt) 41020: Improve error message when custom error report Valve fails to load. Also remove requirement that custom error report Valves extend ValveBase. (markt) 41217: Set secure attribute on SSO cookie when cookie is created during a secure request. Patch provided by Chris Halstead. (markt) Ensure Accept-Language headers conform to RFC 2616. Ignore them if they do not. (markt) Make provided instances of RequestDispatcher thread safe. (markt) Fix formatting of CGI variable SCRIPT_NAME. (markt) 34643: Improved documentation for per-user / per-session clientAuth usage in SSL Authenticator. Docs provided by jack and Ralf Hauser. (yoavs) 40668: Update release notes and readme files specific to v5.5.20 to notify users of missing MailSessionFactory in distribution, suggest workarounds, and link to relevant Bugzilla issue. (yoavs) 37977: adapt BUILDING.txt and net build.xml for SVN. Patch by Christopher Sahnwaldt. 
(yoavs) 39055: Link to sample workaround code for using JSR160 JMX monitoring with a local firewall. Thanks to George Lindholm for the patch. (yoavs) 39476: add xml declaration to most build.xml files, as suggested by Gregory S. Hoerner Sr. (yoavs) 40326: stop using File#deleteOnExit in DefaultServlet to avoid JVM memory leak, as suggested by quartz. (yoavs) 40192: update setup.html notes regarding Windows tray icon. (yoavs) 40177: add more warnings to documentation about RequestDumperValve character encoding. (yoavs) 39255: NPE in AuthenticatorBase when logging level is set to DEBUG and no principal found. (yoavs) 41437: Make log messages and loglevel consistent during Context start. Patch provided by Suzuki Yuichiro. (markt) Coyote 38332: Add backlog attribute to ChannelSocket as provided by Takayoshi Kimura. (pero) Backport packetSize feature from Tomcat 6.0.x at standard coyote AJP Jk handler. (pero) 40771: Fix implementation of SavedRequestInputFilter.doRead() so POST data may be read using a Valve or Filter. Patch provided by Michael Dufel. (markt) 41017: Restore behaviour of MessageBytes.setString(null). (remm/markt) 41057: Modify StringCache to add a configurable upper bound to the length of cached strings. (remm/markt) 38774: Check javax.net.ssl.keyStorePassword system property as a secondary source for keystore password in JSSESocketFactory, as suggested by Ted X. Toth. (yoavs) 39402: Modify existing Vary HTTP header, rather than overwrite it, if it exists when using GZip compression. Patch by Matthew Cooke. (yoavs) 40241: Catch Exceptions instead of Throwables in Default and SSI servlets. Also improve relevant logging while we're at it. (yoavs) 40133: Better error message when context name is not available on startup, as suggested by Andreas Plesner Jacobsen. (yoavs) Jasper 39975: don't have static Log references to prevent classloader leaks. (yoavs) 40104: When displaying JSP source after an exception, handle included files. 
(markt) 40797: This was a regression as a result of the fix for 33407. TLD validation was failing as a result of the use of the escape character (0x1b) as a temporary replacement for \$. An alternative character (0xe000) from the unicode private use range is now used. (markt) 41057: Make jsp:plugin output XHTML compliant. (markt) 41327: Show full URI for a 404. Patch provided by Vijay. (markt) 41265: Allow JspServlet checkInterval init parameter to be explicitly set to the stated default value of zero by removing the code that resets it to 300 if explicitly specified as zero. (markt) Display the JSP source when a compilation error occurs and display the correct line number rather than start of a scriptlet block. (markt) Webapps 34952: Clarify that the Windows Installer always installs a Windows service. (markt) 35968: Make environment entry properties input a text area. Patch provided by Tristan Marly. (markt) 37588: Fix creation of JNDI Realm in admin application. Patch provided by Terry Zhou. (markt) 38048: Fix memory leak associated with use of expression language in JSPs. Patch provided by Taras Tielkes. (markt) 39572: Improvements to CompressionFilter example provided by Eric Hedstrom. (markt) 40507: Update host-manager and servlet-examples web-apps to use the servlet 2.4 xsd. Patch provided by Chris Halstead. (markt) 40581: Add information on the use of a symbolic link as the docBase for a Context to the Context documentation. (markt) 40633: Remove references to the DefaultContext from the documentation. (markt) 40677: Update SSL documentation to indicate that PKCS11 keystores may be used. (markt) 40714: Admin webapp no longer requires a username for a DataSource since it is not required in all cases. (markt) 40720: Fix exception in admin webapp when adding a group to a user. (markt) 40874: Correct log4j configuration in documentation webapp. Patch provided by Franck Borel. (markt) 40999: Add trust store configuration for SSL connectors to the admin webapp. 
(markt) 41051: Add information on keystore aliases and case sensitivity to SSL HOW-TO. (markt) 41182: Update the Jasper documentation for the classpath attribute. (markt) 41493: Fix handling of APR connectors in Admin webapp. (markt) 41512: Version number was not inserted in release notes. (markt) 40257: Update Manager webapp howto on remote deployment to reflect need for explicit path in one specific use-case. Thanks to Venkatesh Jayaraman. (yoavs) 40160: add reference to the Filter proposed in this Bugzilla item to the WebdavServlet. While at it, give the WebdavServlet some long-overdue TLC by cleaning up some of the old data structures in favor of modern (but still JDK 1.4-compliant) interfaces. (yoavs) Add a virtual hosting how-to contributed by Hassan Schroeder. (markt) Cluster Add clustered SSO code and backport feature from Tomcat 6.0.x, submitted by Fabien Carrion (pero) Add better recovery at FastAsyncQueueSender. Made the strategy more robust for temporary connection problems (pero)
Whitespace cleanup, courtesy of pkglint. Patch provided by Sergey Svishchev in private mail.
Update apache-tomcat55 from 5.5.17 to 5.5.20 Changes: Tomcat 5.5.20 (fhanik) Catalina fix Fix logic error in UserDatabaseRealm.getprincipal() that caused user roles assigned via groups to be ignored. (markt) Jasper fix 31804: Unnested tags within a tag file are now configured with the Tag represented by the containing tag file as their parent tag. (markt) fix 33356: Tag attributes that contained $ followed by 1 or more non-special characters and then a { character caused an exception. (markt) fix 33407: The string \$ in template text was reduced to $ when the isELIgnored page directive was set to true. (markt) Tomcat 5.5.19 (fhanik) General update Add multi attribute setting to jmx:set JMX remote ant task. Patch contributed by Didier Donsez (pero) Catalina fix 30762: Re-fix this bug that was re-introduced by the fix to 37264. (markt) fix 37588: Fix JNDI realm creation through JMX. Patch contributed by TerryZhou (fhanik) fix 39704: The use of custom classloaders failed when the context was specified in server.xml. Correction of the fault will require setting the new loader attribute useSystemClassLoaderAsParent to false. (markt) Coyote fix 40418: APR Endpoint socket evaluation (remm) Webapps fix 31339: Admin app threw exceptions if a name other than Catalina was configured for the Engine. Patch based on a suggestion from Amila Suriarachchi. (markt) Tomcat 5.5.18 (yoavs) General update Change MD5 release signature files to have md5 (lowercase) extension instead of MD5 (uppercase), as suggested by Henk Penning and specified in the ASF release publishing guidelines. (yoavs) Catalina fix Fix that ManagerBase increment expireSessions counter at background task two times. (pero) fix 39406: Fix that StandardSession#getLastAccessedTime() uses correct exception message, suggested by Takayoshi Kimura. (pero) add 39661: Add documentation on JULI FileHandler properties. 
(yoavs) add 39657: Warn (and don't load jar) if JSP API is in webapp classloader repository, as suggested by David Sanchez Crespillo. (yoavs) add 39674: Support JRockit JVM in service.bat script, as suggested by lizongbo. (yoavs) fix 39711: Update Loader configuration documentation, as suggested by Stephane Bailliez. (yoavs) fix 39865: Add Open Office mime types to conf/web.xml. (markt) fix 38814: Align CGI handling of indexed queries, parameters and POST content with other CGI providers. The changes: only provide parameters on the command line for indexed queries; always provide the query string via the QUERY_STRING environment variable; provide POST content unmodified to stdin; and never call getParameters(). (markt) fix 34801: Partial fix that adds handling of IOExceptions during long running CGI requests. Based on a patch by Chris Davey. (markt) fix 39689: Allow single quotes (') and backticks (`) as well as double quotes (") to be used to delimit SSI attribute values. (markt) fix 40053: Correct application deployment documentation so it agrees with the classloader documentation regarding shared lib and CATALINA_BASE. (markt) fix 39592: Stop HEAD requests for resources handled by SSI servlet or filter generating stack traces in the logs. (markt) fix Improve handling of the ';' character in the URL so that it is now allowed if properly %xx encoded. (remm) Coyote fix Fix APR endpoint so that the acceptor thread now only processes socket accepts. (remm) Webapps fix 39813: Correct handling of new line characters in JMX attributes. Patch provided by R Bramley. (markt) fix 37781: Make sure that StoreConfig save external referenced war files at context.xml correct. (pero) fix 39791: Use correct default for useNaming within a Context. (markt) fix Correctly generate re-direct for admin app index.jsp to prevent login page being displayed twice when cookies are disabled. 
(markt) Cluster fix 39473: Session timeout much shorter than setting at web.xml at cluster environment, suggested by Jin Jiang. (pero)
Apply the "convention over configuration" principle: If ${FILESDIR}/getsite.sh exists, then use it to determine the fetch URL for each of the distfiles for the package. Otherwise, use SITE_<file> and MASTER_SITES, in order, to determine the URL for each distfile. If the script path differs from ${FILESDIR}/getsite.sh, then set DYNAMIC_SITE_SCRIPT to the full path to that script. Remove the need to set DYNAMIC_MASTER_SITES explicitly in the package Makefile for: graphics/ns-cult3d wm/sawfish-themes www/apache-tomcat55 www/jakarta-tomcat4 www/jakarta-tomcat5
enable ap2-jk
Pullup ticket 1734 - requested by minskim build and runtime fixes for apache-tomcat55 Revisions pulled up: - pkgsrc/www/apache-tomcat55/Makefile 1.5, 1.6 Module Name: pkgsrc Committed By: minskim Date: Fri Jul 7 03:02:13 UTC 2006 Modified Files: pkgsrc/www/apache-tomcat55: Makefile Log Message: This package does not need JDK. Set USE_JAVA=run. --- Module Name: pkgsrc Committed By: minskim Date: Fri Jul 7 03:12:19 UTC 2006 Modified Files: pkgsrc/www/apache-tomcat55: Makefile Log Message: Correct a variable name (PKG_JAVA_HOME). Bump PKGREVISION.
Correct a variable name (PKG_JAVA_HOME). Bump PKGREVISION.
This package does not need JDK. Set USE_JAVA=run.
Remove temporary files before installation.
Recursive revision bump / recommended bump for gettext ABI change.
Update package Makefile now that bsd.pkg.extract.mk is using the "extract" script for extraction. Many cases where a custom EXTRACT_CMD simply copied the distfile into the work directory are no longer needed. The extract script also hides differences between pax and tar behind a common command-line interface, so we no longer need code that's conditional on whether EXTRACT_USING is tar or pax.
Import apache-tomcat55 5.5.14 into pkgsrc: Tomcat is the Java Servlet / Java Server Page environment produced by the Apache Foundation's Tomcat Project. Tomcat can be run as a standalone web server with Servlet and JSP support, or using Apache Server as its web server via the mod_jk Apache module (www/ap-jk). This is the Tomcat 5.5 package, which is a Java Servlet 2.4 and JSP 2.0 server. This replaces jakarta-tomcat55, the old name for apache-tomcat. The previous pkgsrc jakarta-tomcat55 was 5.5.9 - there are over 300 lines of changelog between that and 5.5.14: http://tomcat.apache.org/tomcat-5.5-doc/changelog.html
Initial revision