author: spz <spz> 2011-09-24 16:20:57 +0000
committer: spz <spz> 2011-09-24 16:20:57 +0000
commit: 965739a51877cd53f0d7ada8c55cef27f5c1737d
tree: a4f47bd163dac79ef962182247b65a740f3dc69d /mail
parent: 1b68b0960f780f8e07136a631b9a68a2cdd5638e
download: pkgsrc-965739a51877cd53f0d7ada8c55cef27f5c1737d.tar.gz
security fixes (two of three) for a leaf package
Upstream changelog:

Catalina
--------
add Allow to search the virtual paths before the webapp or after it. (rjung)
fix 27988: Improve reporting of missing files. (markt)
fix 28852: Add URL encoding where missing to parameters in URLs presented by Ant tasks to the Manager application. Based on a patch by Stephane Bailliez. (markt)
add 46252: Allow to specify character set to be used to write the access log in AccessLogValve. (kkolinko)
add 48863: Provide a warning if there is a problem with a class path entry but use debug level logging if it is expected due to catalina home/base split. (kkolinko)
add 49180: Add an option to disable file rotation in JULI FileHandler. (kkolinko)
fix 50189: Once the application has finished writing to the response, prevent further reads from the request since this causes various problems in the connectors which do not expect this. (markt)
fix 50700: Ensure that the override attribute of context parameters is correctly followed. (markt)
fix 50734: Return 404 rather than 400 for requests to the ROOT context when no ROOT context is deployed. Patch provided by Violeta Georgieva. (markt)
fix 50751: When authenticating with the JNDI Realm, only attempt to read user attributes from the directory if attributes are required. (markt)
fix 50752: Fix typo in debug message in org.apache.catalina.startup.Embedded. (markt)
fix 50855: Fix NPE on AuthenticatorBase.register() when debug logging is enabled. (markt)
fix Correctly format the timestamp reported by version.[sh|bat]. (markt)
fix Remove unnecessary whitespace from MIME mapping entries in global web.xml file. (markt)
fix 51042: Don't trigger session creation listeners when a session ID is changed as part of the authentication process. (markt)
add 51119: Add JAAS authentication support to the JMXRemoteLifecycleListener. Patch provided by Neil Laurance. (markt)
update Implement display of multiple request headers in AccessLogValve: print not just the value of the first header, but of all of them, separated by commas. (kkolinko)
fix Correct the SSLValve so it returns the SSL key size as an Integer rather than as a String. (markt)
fix 51162: Prevent possible NPE when removing a web application. (markt)
fix 51249: Improve system property replacement code in ClassLoaderLogManager of Tomcat JULI to cover some corner cases. (kkolinko)
fix 51315: Fix IAE when removing an authenticator valve from a container. Patch provided by Violeta Georgieva. (markt)
fix 51324: Improve handling of exceptions when flushing the response buffer to ensure that the doFlush flag does not get stuck in the enabled state. Patch provided by Jeremy Norris. (kkolinko)
fix 51348: Fix possible NPE when processing WebDAV locks. (markt)
add Add a container event that is fired when a session's ID is changed, e.g. on authentication. (markt)
fix Fix CVE-2011-2204. Prevent user passwords appearing in log files if a runtime exception (e.g. OOME) occurs while creating a new user for a MemoryUserDatabase via JMX. (markt)
fix 51400: Avoid jvm bottleneck on String/byte[] conversion triggered by a JVM bug. Based on patches by Dave Engberg and Konstantin Preißer. (markt)
add 51403: Avoid NPE in JULI FileHandler if formatter is misconfigured. (kkolinko)
update Create a directory for access log or error log (in AccessLogValve and in JULI FileHandler) automatically when it is specified as a part of the file name, e.g. in the prefix attribute. Earlier this happened only if it was specified with the directory attribute. (kkolinko)
fix Log a failure if access log file cannot be opened. Improve i18n of messages. (kkolinko)
fix Improve handling of URLs with path parameters and prevent incorrect 404 responses that could occur when path parameters were present. (kkolinko)
fix 51473: Fix concatenation of values in SecurityConfig.setSecurityProperty(). (kkolinko)
fix 51509: Fix potential concurrency issue in CSRF prevention filter that may lead to some requests failing that should not. (markt)
fix 51588: Make it easier to extend the AccessLogValve to add support for custom elements. (markt)
fix Unregister DataSource MBeans when web application stops. (kfujino)
add Add additional configuration options to the DIGEST authenticator. (markt)

Coyote
------
fix Reduce level of log message for invalid URL parameters from WARNING to INFO. (kkolinko)
add 48208: Provide an option to specify a custom trust manager for BIO and NIO HTTP connectors using SSL. Based on a patch by Luciana Moreira. (markt)
fix 49595: Protect against crashes when using the APR/native connector. (jfclere)
fix 49929: Make sure flush packet is not sent after END_RESPONSE packet. (mturk/markt)
add 50887: Enable the provider to be configured when generating SSL certs. Based on a patch by pknopp. (markt)
fix 51073: Throw an exception and do not start the APR connector if it is configured for SSL and an invalid value is provided for SSLProtocol. (markt)
fix Fix CVE-2011-2526. Protect against infinite loops (HTTP NIO) and crashes (HTTP APR) if sendfile is configured to send more data than is available in the file. (markt)
fix Prevent NPEs when a socket is closed in non-error conditions after sendfile processing when using the HTTP NIO connector. (markt)
fix 51515: Prevent immediate socket close when comet is used over HTTPS. (markt)

Jasper
------
fix 36362: Handle the case where tag file attributes (which can use any valid XML name) have a name which is not a Java identifier. (markt)
fix 47371: Correctly coerce the empty string to zero when used as an operand in EL arithmetic. Patch provided by gbt. (markt)
fix 50726: Ensure that the use of the genStringAsCharArray does not result in String constants that are too long for valid Java code. (markt)
fix 50895: Don't initialize classes created during the compilation stage. (markt)
add 51124: Make Tomcat more robust if an OOME occurs. Usually after an OOME all bets are off but this change appears to help some users and the description of a 'recoverable' OOME in the bug is a plausible one. Based on a patch by Ramiro. (markt)
fix 51177: Ensure Tomcat's MapELResolver and ListELResolver always return Object.class for getType() as required by the EL specification. (markt)
fix Correct possible threading issue in JSP compilation when development mode is used. (markt)
add 51220: Add a system property to enable tag pooling with JSPs that use a custom base class. Based on a patch by Dan Mikusa. (markt)
add Broaden the exception handling in the EL Parser so that more failures to parse an expression include the failed expression in the exception message. Hopefully, this will help track down the cause of 51088. (markt)
add Improve error reporting of Jasper compilation. (schultz)

Cluster
-------
fix 50646: Fix cluster message data corruption if message size exceeds the underlying buffer size. Patch provided by Olivier Costet. (markt)
fix 50771: Ensure HttpServletRequest#getAuthType() returns the name of the authentication scheme if request has already been authenticated. (kfujino)
fix 50950: Correct possible NotSerializableException for an authenticated session when running with a security manager. (markt)
fix 51306: Avoid NPE when handleSESSION_EXPIRED is processed while handleSESSION_CREATED is being processed. (kfujino)
fix The change in session ID is notified to the container event listener on the backup node in cluster. This notification is controlled by notifyContainerListenersOnReplication. (kfujino)

Webapps
-------
fix 41498: Add the allRolesMode attribute to the Realm configuration page in the documentation web application. (markt)
fix 48997: Fix some typos and improve cross-referencing to the HTTP Connector and APR documentation with the SSL How-To page of the documentation web application. (markt)
fix 50804: Update links for Servlet 2.5 and JSP 2.1 Javadoc. (markt)
update Improve class loading documentation and logging documentation. (kkolinko)
update Configure Security Manager How-To to include a copy of the actual conf/catalina.policy file when the documentation is built, rather than maintaining a copy of its content. (kkolinko)
fix 51147: Fix deployment via HTML Manager that was broken by addition of CSRF protection. Patch provided by Alexis Hassler. (markt)
fix 51156: Ensure session expiration option is available in Manager application when running web applications that were defined in server.xml. (markt)
fix Correct the log4j configuration settings when defining conversion patterns in the documentation web application. (markt)
fix Update Maven repository information in the documentation to reflect current usage. (markt)
fix 51346: Update the documentation web application to make clear the circumstances in which the RequestDumperValve will consume the request's InputStream. Based on a patch by pid. (markt)
fix 51443: Document the notifySessionListenersOnReplication attribute for the DeltaManager. (markt)
fix 51516: Correct documentation web application to show correct system property name for changing the name of the SSO session cookie. (markt)
update Update documentation to be even more explicit about the implications of setting the path attribute on a Context element in server.xml. (markt/kkolinko)

Other
-----
update Clarify error messages in *.sh files to mention that if a script is not found it might be because execute permission is needed. (kkolinko)
add 33262, 40510, 50949, 51135: Various improvements to the Windows installer to be able to install several copies of Tomcat 6 side by side. Allow to configure service name, connector and shutdown ports. Allow to choose whether to install Start menu shortcuts and Apache Tomcat monitor application for all users or for the current one only. Improve auto-detection of JAVA_HOME for 64-bit Windows platforms: autoselect 32-bit JRE if it exists and 64-bit one is not available. Improve server.xml file handling. Fix uninstallation icon. (markt/kkolinko)
fix 50854: Add additional entries to the default catalina.policy file to support running the manager web application from CATALINA_HOME or CATALINA_BASE. (markt)
fix Update default download sources to use the central Apache Maven 2 repository as some libraries have been removed from the central Apache Maven 1 repository. (kkolinko)
fix 51155: Add comments to @deprecated tags that have none. Patch provided by sebb. (kkolinko)
fix 51309: Correct logic in catalina.sh stop when using a PID file to ensure the correct message is shown. Patch provided by Caio Cezar. (markt)
update Update Apache Commons Pool to 1.5.6. (kkolinko)
update Update Apache Commons Daemon to 1.0.7. (kkolinko)
update At build time use two alternative download locations for components downloaded from apache.org. (kkolinko)
Diffstat (limited to 'mail')
0 files changed, 0 insertions, 0 deletions