[pkgsrc/trunk]: pkgsrc/www/apache-tomcat7 Update to 7.0.54

[ryoon <ryoon%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/08cba153b552
branches:  trunk
changeset: 635464:08cba153b552
user:      ryoon <ryoon%pkgsrc.org@localhost>
date:      Sat Jun 07 00:24:30 2014 +0000

description:
Update to 7.0.54

* Fix CVE-2014-0119

Changelog:
Tomcat 7.0.54 (violetagg)

    Catalina

        fix     Fix custom UTF-8 decoder so that a byte of value 0xC1 is always rejected immediately as it is never valid in a UTF-8 byte sequence. Update UTF-8 decoder tests to account for UTF-8 
decoding improvements in Java 8. The custom UTF-8 decoder is still required due to bugs in the UTF-8 decoder provided by Java. Java 8's decoder is better than Java 7's but it is still buggy. (markt)
        fix     56027: Add more options for managing FIPS mode in the AprLifecycleListener. (schultz/kkolinko)
        fix     56321: When a WAR is modified, undeploy the web application before deleting any expanded directory as the undeploy process may refer to classes that need to be loaded from the 
expanded directory. If the expanded directory is deleted first, any attempt to load a new class during undeploy will fail. (markt)
        fix     56339: Avoid an infinite loop if an application calls session.invalidate() from the session destroyed event for that session. (markt)
        update  56365: Simplify file name pattern matching code in StandardJarScanner. Ignore leading and trailing whitespace and empty strings when configuring patterns. Improve documentation. 
(kkolinko)
        fix     56369: Ensure that removing an MBean notification listener reverts all the operations performed when adding an MBean notification listener. (markt)
        add     56382: Information about finished deployment and its execution time is added to the log files. Patch is provided by Danila Galimov. (violetagg)
        add     56383: Properties for disabling server information and error report are added to the org.apache.catalina.valves.ErrorReportValve. Based on the patch provided by Nick Bunn. 
(violetagg/kkolinko)
        fix     Only create XML parsing objects if required and fix associated potential memory leak in the default Servlet. (markt)
        fix     Modify generic exception handling so that StackOverflowError is not treated as a fatal error and can handled and/or logged as required. (markt)
        fix     56409: Avoid StackOverflowError on non-Windows systems if a file named \ is encountered when scanning for TLDs. (markt)
        add     56430: Extend checks for suspicious URL patterns to include patterns of the form *.a.b which are not valid patterns for extension mappings. (markt)
        add     Extend XML factory, parser etc. memory leak protection to cover some additional locations where, theoretically, a memory leak could occur. (markt)
        fix     Ensure that a TLD parser obtained from the cache has the correct value of blockExternal. (markt)
        fix     56441: Raise the visibility of exceptions thrown when a problem is encountered calling a getter or setter on a component attribute. The logging level is raised from debug to warning. 
(markt)
        fix     56451: Make resources accessed via a context alias accessible via JNDI in the same way standard resources are available. (markt)
        add     56463: Property for disabling server information is added to the DefaultServlet. Server information is presented in the response sent to the client when directory listings is enabled. 
(violetagg)
        add     Add the org.apache.naming package to the packages requiring code to have the defineClassInPackage permission when running under a security manager. (markt)
        add     Add the org.apache.naming.resources package to the packages requiring code to have the accessClassInPackage permission when running under a security manager. (markt)
        fix     Make the naming context tokens for containers more robust. Require RuntimePermission when introducing a new token. (markt/kkolinko)
        fix     56472: Allow NamingContextListener to clean up on stop if its start failed. (kkolinko)
        add     56492: Avoid eclipse debugger pausing on uncaught exceptions when tomcat renews its threads. (slaurent)
        fix     Minor fixes to ThreadLocalLeakPreventionListener. Do not trigger threads renewal for failed contexts. Do not ignore threadRenewalDelay setting. Improve documentation. (kkolinko)
        fix     Correct regression introduced in r797162 that broke authentication of users when using the JAASMemoryLoginModule. (markt)
        fix     56501: HttpServletRequest.getContextPath() should return the undecoded context path used by the user agent. (markt)
        fix     56523: When using SPNEGO authentication, log the exceptions associated with failed user logins at debug level rather than error level. (markt)
        fix     56536: Ensure that HttpSessionBindingListener.valueUnbound() uses the correct class loader when the SingleSignOn valve is used. (markt)

    Coyote

        add     56399: Assert that both Coyote and Catalina request objects have been properly recycled. (kkolinko)
        fix     56416: Correct documentation for default value of socket linger for the AJP and HTTP connectors. (markt)

    Jasper

        fix     56334: Fix a regression in the handling of back-slash escaping introduced by the fix for 55735. (markt/kkolinko)
        fix     56425: Improve method matching for EL expressions. When looking for matching methods, an exact match between parameter types is preferred followed by an assignable match followed by a 
coercible match. (markt)
        fix     Correct the handling of back-slash escaping in the EL parser and no longer require that \$ or \# must be followed by { in order for the back-slash escaping to take effect. (markt)
        fix     56529: Avoid NoSuchElementException while handling attributes with empty string value in custom tags. Patch provided by Hariprasad Manchi. (violetagg)

    Cluster

        fix     Remove cluster and replicationValve from cluster manager template. These instance are not necessary to template. (kfujino)
        fix     Add support for cross context session replication to org.apache.catalina.ha.session.BackupManager. (kfujino)
        fix     Remove the unnecessary cross context check. It does not matter whether the context that is referenced by other context is set to crossContext=true. The context that refers to the 
different context must be set to crossContext=true. (kfujino)
        code    Move to org.apache.catalina.ha.session.ClusterManagerBase common logics of org.apache.catalina.ha.session.BackupManager and org.apache.catalina.ha.session.DeltaManager. (kfujino)
        code    Simplify the code of o.a.c.ha.tcp.SimpleTcpCluster. In order to add or remove cluster valve to Container, use pipeline instead of IntrospectionUtils. (kfujino)
        fix     There is no need to set cluster instance when SimpleTcpCluster.unregisterClusterValve is called. Set null than cluster instance for cleanup. (kfujino)
        code    Backport refactoring of AbstractReplicatedMap to implement Map rather than extend ConcurrentHashMap to enable Tomcat 7 to be built with Java 8. (markt)

    WebSocket

        fix     56343: Avoid a NPE if Tomcat's Java WebSocket 1.0 implementation is used with the Java WebSocket 1.0 API JAR from the reference implementation. (markt)
        fix     Increase the default maximum size of the executor used by the WebSocket implementation for call backs associated with asynchronous writes from 10 to 200. (markt)
        add     Add a warning if the thread group created for WebSocket asynchronous write call backs can not be destroyed when the web application is stopped. (markt)
        fix     Ensure that threads created to support WebSocket clients are stopped when no longer required. This will happen automatically for WebSocket client connections initiated by web 
applications but stand alone clients must call WsWebSocketContainer.destroy(). (markt)
        fix     56449: When creating a new session, add the message handlers to the session before calling Endpoint.onOpen() so the message handlers are in place should the onOpen() method trigger 
the sending of any messages. (markt)
        fix     56458: Report WebSocket sessions that are created over secure connections as secure rather than as not secure. (markt)
        fix     Stop threads used for secure WebSocket client connections when they are no longer required and give them better names for easier debugging while they are running. (markt)

    Web applications

        fix     Add Support for copyXML attribute of Host to Host Manager. (kfujino)
        fix     Ensure that "name" request parameter is used as a application base of host if "webapps" request parameter is not set when adding host in HostManager Application. (kfujino)
        fix     Correct documentation on Windows service options, aligning it with Apache Commons Daemon documentation. (kkolinko)
        update  55215: Improve log4j configuration example. Clarify access logging documentation. Based on patches provided by Brian Burch. (kkolinko)
        update  55383: Backport improved HTML markup for tables and code fragments from Tomcat 8 documentation. (kkolinko)
        fix     56418: Ensure that the Manager web application does not report success for a web application deployment that fails. (slaurent)
        fix     Fix target and rel attributes on links in documentation. They were lost during XSLT transformation. (kkolinko)
        update  Improve valves documentation. Split valves into groups. (kkolinko)

    Other

        fix     Align DisplayName of Tomcat installed by service.bat with one installed by the *.exe installer. Print a warning in case if neither server nor client jvm is found by service.bat. 
(kkolinko)
        update  56363: Update to version 1.1.30 of Tomcat Native library. (schultz)
        update  Update package renamed Apache Commons BCEL to r1593495 to pick up some additional changes for Java 7 support and some code clean up. (markt)
        add     In tests: allow to configure directory where JUnit reports and access log are written to. (kkolinko)

diffstat:

 www/apache-tomcat7/Makefile |  4 ++--
 www/apache-tomcat7/distinfo |  8 ++++----
 2 files changed, 6 insertions(+), 6 deletions(-)

diffs (31 lines):

diff -r 1b34c17279bc -r 08cba153b552 www/apache-tomcat7/Makefile
--- a/www/apache-tomcat7/Makefile       Sat Jun 07 00:18:07 2014 +0000
+++ b/www/apache-tomcat7/Makefile       Sat Jun 07 00:24:30 2014 +0000
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.18 2014/04/08 20:14:55 ryoon Exp $
+# $NetBSD: Makefile,v 1.19 2014/06/07 00:24:30 ryoon Exp $
 #
 
 DISTNAME=      apache-tomcat-${TOMCAT_VER}
@@ -23,7 +23,7 @@
 
 .include "../../mk/bsd.prefs.mk"
 
-TOMCAT_VER=            7.0.53
+TOMCAT_VER=            7.0.54
 TOMCAT_HOME=           ${PREFIX}/share/tomcat
 EGDIR=                 ${PREFIX}/share/examples/tomcat
 DOCDIR=                        ${PREFIX}/share/doc/tomcat
diff -r 1b34c17279bc -r 08cba153b552 www/apache-tomcat7/distinfo
--- a/www/apache-tomcat7/distinfo       Sat Jun 07 00:18:07 2014 +0000
+++ b/www/apache-tomcat7/distinfo       Sat Jun 07 00:24:30 2014 +0000
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.12 2014/04/08 20:14:55 ryoon Exp $
+$NetBSD: distinfo,v 1.13 2014/06/07 00:24:30 ryoon Exp $
 
-SHA1 (apache-tomcat-7.0.53.tar.gz) = 269a01f03ed22e5ad7fa33dec300ef40cac96440
-RMD160 (apache-tomcat-7.0.53.tar.gz) = decafa075514517641e579ac127a4ff85424547c
-Size (apache-tomcat-7.0.53.tar.gz) = 8780629 bytes
+SHA1 (apache-tomcat-7.0.54.tar.gz) = b0db037619c5c10cbe8d17f7a1492fd759fa5805
+RMD160 (apache-tomcat-7.0.54.tar.gz) = 420013acf9c0c4c19ded3f99ba172acc36bbb715
+Size (apache-tomcat-7.0.54.tar.gz) = 8886891 bytes