pkgsrc-Changes archive


CVS commit: pkgsrc/www/apache-tomcat7



Module Name:    pkgsrc
Committed By:   ryoon
Date:           Sun Dec 16 10:37:33 UTC 2012

Modified Files:
        pkgsrc/www/apache-tomcat7: Makefile PLIST distinfo

Log Message:
Update to 7.0.34

* CVE-2012-4431 is fixed in 7.0.32

Changelog:
Tomcat 7.0.34 (markt)   2012-12-12

    Catalina

        fix     53871: Improve error message if annotation scanning fails 
during web application start due to poor configuration or illegal cyclic 
inheritance with the application's classes. (markt)
        fix     Fix unit test for AccessLogValve when using non-GMT time zone. 
(rjung)
        fix     54170: Ensure correct registration of Filters and Servlets in 
the JMX registry if the Filter or Servlet name includes a character that must 
be quoted if used in an ObjectName value. (markt)
        add     Add new attribute renameOnRotate to the AccessLogValve. (rjung)
        fix     54190: Correct unit tests for BASIC authentication so that 
session timeout is correctly tested. Also refactor unit test to make it easier 
to add additional tests. Patch by Brian Burch. (markt)
        fix     54220: Ensure the ErrorReportValve only generates an error 
report if the error flag on the response has been set. (markt)
        fix     Simplify time zone handling in the access log valve and 
correctly handle various edge cases for non-standard DST changes. (markt)

    Web applications

        fix     54198: Clarify that HttpServletResponse.sendError(int) results 
in an HTML response by default. (markt)
        fix     54207: Correct JNDI factory package name in Javadoc for 
org.apache.naming.java.javaURLContextFactory. (markt)

    jdbc-pool

        code    Fix a handful of Eclipse warnings in the JDBC pool source code 
including the warnings reported in 53565. (markt)
        fix     54150: Make sure that SlowQueryReportJmx mbean deregistered 
during webapp shutdown. Reported by Alex Franken. (kfujino)
        fix     54194: Make sure that connection pool mbean is not registered 
when jmxEnabled is false. Patch provided by tobias.gierke. (kfujino)

    Other

        update  Update to Eclipse JDT Compiler 4.2.1. (markt)

Tomcat 7.0.33 (markt)   2012-11-21

    Catalina

        add     53960, 54115: Extensions to HttpClient test helper class. 
Patches by Brian Burch. (markt/kkolinko)
        fix     53993: Avoid a possible NPE in the AccessLogValve when the 
session ID is logged and a session is invalidated. (markt)
        fix     Add support for LAST_ACCESS_AT_START system property to 
PersistentManager. (kfujino)
        add     Update MIME type mapping with additional / updated mime.types 
from the Apache web server. (markt)
        fix     54007: Fix a memory leak that prevented deletion of a 
context.xml file associated with a Context that had failed to deploy. Also fix 
the problems uncovered with undeploying such a Context once the leak had been 
fixed and the file could be deleted. (markt)
        fix     54044: Correct bug in timestamp cache used by logging 
(including the access log valve) that meant entries could be made with an 
earlier timestamp than the true timestamp. (markt)
        fix     54054: Do not share shell environment variables between 
multiple instances of the CGI servlet. (markt)
        fix     54060: Use a simple parser rather than a regular expression to 
parse HTTP Digest authentication headers so the header is correctly parsed. The 
new approach is also faster and generates less garbage. (markt)
        fix     54068: Rewrite the web fragment ordering algorithm to resolve 
multiple issues that resulted in incorrect ordering or failure to find a 
correct, valid order. (markt)
        update  The HTTP header parser added to address 52811 has been removed 
and replaced with the light-weight HTTP header parser created to address 54060. 
The new parser includes a work-around for a bug in the Adobe Acrobat Reader 9.x 
plug-in for Microsoft Internet Explorer that was identified when the old parser 
was introduced (53814).
        fix     54076: Add an alternative work-around for clients that use 
SPNEGO authentication and expect the authenticated user to be cached per 
connection (Tomcat only does this if an HTTP session is available). (markt)
        fix     54087: Correctly handle (ignore) invalid If-Modified-Since 
header rather than throwing an exception. (markt)
        fix     54096: In web.xml, <env-entry> should accept any type that has 
a constructor that takes a single String or char. (markt)
        add     54127: Add support for sending a WebSocket Ping. Patch provided 
by Sean Winterberger. (markt)
        fix     In FormAuthenticator: If it is configured to change Session 
IDs, do the change before displaying the login form. (kkolinko)
        fix     Ensure AsyncListener.timeout() and AsyncListener.complete() are 
called with the correct thread context class loader. (fhanik)
        fix     54123: If an asynchronous request times out without any 
AsyncListeners defined, a 500 error will be triggered. (markt)
        fix     54124: Correct provided value of request attribute 
javax.servlet.async.request_uri and add missing request attribute 
javax.servlet.async.path_info. (markt)
        add     Add denyStatus initialization parameter to 
CsrfPreventionFilter, allowing customization of the HTTP status code used for 
denied requests. (kkolinko)
        fix     54141: Increase the permitted number of nested Realm levels 
from 2 to 3 by default and make the limit configurable via a system property. 
(markt)
        fix     Revert occasional API change in BaseDirContext class that was 
done in 7.0.32. Methods should not be final. (kkolinko)
        fix     Prevent failures in the AccessLogValve when running under a 
SecurityManager and the first request received is an asynchronous one. (markt)

    Coyote

        fix     Correct an issue that prevented WebSockets from being used over 
SSL when using the HTTP NIO connector. (markt)
        fix     54022: Ensure the Comet END event is triggered on client 
disconnect with APR/native on Windows Vista/2k8 or later. Patch provided by 
Douglas Beachy. (markt)
        fix     54067: Ensure responses with 1xx response codes are correctly 
marked as not containing an entity body. This caused an issue for some 
WebSocket clients when a Transfer-Encoding header was sent with the 101 (HTTP 
upgrade) response. (markt)

    Jasper

        code    53867: Optimise the XML escaping provided by the PageContext 
implementation. Based on a patch by Sheldon Shao. (markt)
        code    53896: Use an optimised CompositeELResolver for Jasper that 
skips resolvers that are known to be unable to resolve the value. Patch by 
Jarek Gawor. (markt)
        fix     53986: Correct a regression introduced by the fix for 53713. 
JSP comments that ended with the sequence ---%> (or any similar sequence with an 
odd number of - characters) were not correctly parsed. (markt)
        fix     54011: Fix a bug in the tag plug-in for <c:out> that triggered 
a JSP compilation error if the escapeXml attribute was used. Patch provided by 
Sheldon Shao. (markt)
        code    Follow up to 5401. Simplify generated code for <c:out>. Based 
on a patch by Sheldon Shao. (markt)
        fix     54012: Fix a bug in the tag plug-in infrastructure that meant 
the <c:set> triggered a JSP compilation error when used in a tag file. Based on 
a patch provided byx      54144: Fix a bug in the tag plug-in for <c:out> that 
meant that if the value of the tag evaluated to a java.io.Reader object then it 
was not correctly handled. (markt)

    Cluster

        fix     Add getSessionIdsFull operation to mbeans-descriptor. 
listSpplications

        add     54143: Add display of the memory pools usage (including 
PermGen) to the Status page of the Manager web application. (kkolinko)

    Tribes

        fix     54045: Make sure getMembers() returns available member when 
TcpFailureDetector   fix    Revert multiple operation support for the 
JMXProxyServlet pending further discussion. (schultz)
        fix     CVE-2012-4431: Fix bypass of CsrfPreventionFilter when there is 
no session. Improve session management in the filter. (kkolinko)

    Web apit servlets (JSP and default) are marked as override-able when using 
embedded mode. (markt)
        fix     When the DefaultServlet is under heavy load, the HTTP header 
parser added to address 52811 generates large amounts of garbage and uses 
significant CPU time. A cache has been added that significantly reduces the 
overhead of this parser. (markt)
        fix     53854: Make directory listings work correctly when aliases are 
used. (markt)

    Jasper

        code    53713: Performance improvement of up to four times faster 
parsing of JSP pages. Patch provided by Sheldon Shao. (markt)

    Cluster

        add     Make the cluster members and the cluster deployer associated 
with the cluster accessible via JMX. (markt)
        fix     Fix a behavior of TcpPingInterceptor#uhread. If set to false, 
ping thread is never started. (kfujino)

    Web applications

        add     Improve the documentation web application to clarify the 
difference between the tag and version parameters when using text interface of 
the Manager web application. (markt)
        add     Make sessions saved in the Store associated with a Manager that 
extends PersistentManager optionally visible (via the showProxySessions Servlet 
initialisation parameter in web.xml) to the Manager web application. (markt)


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 pkgsrc/www/apache-tomcat7/Makefile
cvs rdiff -u -r1.3 -r1.4 pkgsrc/www/apache-tomcat7/PLIST
cvs rdiff -u -r1.4 -r1.5 pkgsrc/www/apache-tomcat7/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.



