Update to 7.0.34

* CVE-2012-4431 is fixed in 7.0.32

Changelog:
Tomcat 7.0.34 (markt)	2012-12-12

    Catalina

        fix	53871: Improve error message if annotation scanning fails during web application start due to poor configuration or illegal cyclic inheritance with the application's classes. (markt)
        fix	Fix unit test for AccessLogValve when using non-GMT time zone. (rjung)
        fix	54170: Ensure correct registration of Filters and Servlets in the JMX registry if the Filter or Servlet name includes a character that must be quoted if used in an ObjectName value. (markt)
        add	Add new attribute renameOnRotate to the AccessLogValve. (rjung)
        fix	54190: Correct unit tests for BASIC authentication so that session timeout is correctly tested. Also refactor unit test to make it easier to add additional tests. Patch by Brian Burch. (markt)
        fix	54220: Ensure the ErrorReportValve only generates an error report if the error flag on the response has been set. (markt)
        fix	Simplify time zone handling in the access log valve and correctly handle various edge cases for non-standard DST changes. (markt)

    Web applications

        fix	54198: Clarify that HttpServletResponse.sendError(int) results in an HTML response by default. (markt)
        fix	54207: Correct JNDI factory package name in Javadoc for org.apache.naming.java.javaURLContextFactory. (markt)

    jdbc-pool

        code	Fix a handful of Eclipse warnings in the JDBC pool source code including the warnings reported in 53565. (markt)
        fix	54150: Make sure that SlowQueryReportJmx mbean deregistered during webapp shutdown. Reported by Alex Franken. (kfujino)
        fix	54194: Make sure that connection pool mbean is not registered when jmxEnabled is false. Patch provided by tobias.gierke. (kfujino)

    Other

        update	Update to Eclipse JDT Compiler 4.2.1. (markt)

Tomcat 7.0.33 (markt)	2012-11-21

    Catalina

        add	53960, 54115: Extensions to HttpClient test helper class. Patches by Brian Burch. (markt/kkolinko)
        fix	53993: Avoid a possible NPE in the AccessLogValve when the session ID is logged and a session is invalidated. (markt)
        fix	Add support for LAST_ACCESS_AT_START system property to PersistentManager. (kfujino)
        add	Update MIME type mapping with additional / updated mime.types from the Apache web server. (markt)
        fix	54007: Fix a memory leak that prevented deletion of a context.xml file associated with a Context that had failed to deploy. Also fix the problems uncovered with undeploying such a Context once the leak had been fixed and the file could be deleted. (markt)
        fix	54044: Correct bug in timestamp cache used by logging (including the access log valve) that meant entries could be made with an earlier timestamp than the true timestamp. (markt)
        fix	54054: Do not share shell environment variables between multiple instances of the CGI servlet. (markt)
        fix	54060: Use a simple parser rather than a regular expression to parse HTTP Digest authentication headers so the header is correctly parsed. The new approach is also faster and generates less garbage. (markt)
        fix	54068: Rewrite the web fragment ordering algorithm to resolve multiple issues that resulted in incorrect ordering or failure to find a correct, valid order. (markt)
        update	The HTTP header parser added to address 52811 has been removed and replaced with the light-weight HTTP header parser created to address 54060. The new parser includes a work-around for a bug in the Adobe Acrobat Reader 9.x plug-in for Microsoft Internet Explorer that was identified when the old parser was introduced (53814).
        fix	54076: Add an alternative work-around for clients that use SPNEGO authentication and expect the authenticated user to be cached per connection (Tomcat only does this if an HTTP session is available). (markt)
        fix	54087: Correctly handle (ignore) invalid If-Modified-Since header rather than throwing an exception. (markt)
        fix	54096: In web.xml, <env-entry> should accept any type that has a constructor that takes a single String or char. (markt)
        add	54127: Add support for sending a WebSocket Ping. Patch provided by Sean Winterberger. (markt)
        fix	In FormAuthenticator: If it is configured to change Session IDs, do the change before displaying the login form. (kkolinko)
        fix	Ensure AsyncListener.timeout() and AsyncListener.complete() are called with the correct thread context class loader. (fhanik)
        fix	54123: If an asynchronous request times out without any AsyncListeners defined, a 500 error will be triggered. (markt)
        fix	54124: Correct provided value of request attribute javax.servlet.async.request_uri and add missing request attribute javax.servlet.async.path_info. (markt)
        add	Add denyStatus initialization parameter to CsrfPreventionFilter, allowing to customize the HTTP status code used for denied requests. (kkolinko)
        fix	54141: Increase the permitted number of nested Realm levels from 2 to 3 by default and make the limit configurable via a system property. (markt)
        fix	Revert occasional API change in BaseDirContext class that was done in 7.0.32. Methods should not be final. (kkolinko)
        fix	Prevent failures in the AccessLogValve when running under a SecurityManager and the first request received is an asynchronous one. (markt)

    Coyote

        fix	Correct an issue that prevented WebSockets from being used over SSL when using the HTTP NIO connector. (markt)
        fix	54022: Ensure the Comet END event is triggered on client disconnect with APR/native on Windows Vista/2k8 or later. Patch provided by Douglas Beachy. (markt)
        fix	54067: Ensure responses with 1xx response codes are correctly marked as not containing an entity body. This caused an issue for some WebSocket clients when an Transfer-Encoding header was sent with the 101 (HTTP upgrade) response. (markt)

    Jasper

        code	53867: Optimise the XML escaping provided by the PageContext implementation. Based on a patch by Sheldon Shao. (markt)
        code	53896: Use an optimised CompositeELResolver for Jasper that skips resolvers that are known to be unable to resolve the value. Patch by Jarek Gawor. (markt)
        fix	53986: Correct a regression introduced by the fix for 53713. JSP comments that ended with the sequence ---%> (or any similar sequence with a odd number of - characters) was not correctly parsed. (markt)
        fix	54011: Fix a bug in the tag plug-in for <c:out> that triggered a JSP compilation error if the escapeXml attribute was used. Patch provided by Sheldon Shao. (markt)
        code	Follow up to 5401. Simplify generated code for <c:out>. Based on a patch by Sheldon Shao. (markt)
        fix	54012: Fix a bug in the tag plug-in infrastructure that meant the <c:set> triggered a JSP compilation error when used in a tag file. Based on a patch provided byx	54144: Fix a bug in the tag plug-in for <c:out> that meant that if the value of the tag evaluated to a java.io.Reader object then it was not correctly handled. (markt)

    Cluster

        fix	Add getSessionIdsFull operation to mbeans-descriptor. listSpplications

        add	54143: Add display of the memory pools usage (including PermGen) to the Status page of the Manager web application. (kkolinko)

    Tribes

        fix	54045: Make sure getMembers() returns available member when TcpFailureDetector   fix	Revert multiple operation support for the JMXProxyServlet pending further discussion. (schultz)
        fix	CVE-2012-4431: Fix bypass of CsrfPreventionFilter when there is no session. Improve session management in the filter. (kkolinko)

    Web apit servlets (JSP and default) are marked as override-able when using embedded mode. (markt)
        fix	When the DefaultServlet is under heavy load, the HTTP header parser added to address 52811 generates large amounts of garbage and uses significant CPU time. A cache has been added that significantly reduces the overhead of this parser. (markt)
        fix	53854: Make directory listings work correctly when aliases are used. (markt)

    Jasper

        code	53713: Performance improvement of up to four times faster parsing of JSP pages. Patch provided by Sheldon Shao. (markt)

    Cluster

        add	Make the cluster members and the cluster deployer associated with the cluster accessible via JMX. (markt)
        fix	Fix a behavior of TcpPingInterceptor#uhread. If set to false, ping thread is never started. (kfujino)

    Web applications

        add	Improve the documentation web application to clarify the difference between the tag and version parameters when using text interface of the Manager web application. (markt)
        add	Make sessions saved in the Store associated with a Manager that extends PersistentManager optionally visible (via the showProxySessions Servlet initialisation parameter in web.xml) to the Manager web application. (markt)

3 files changed, 8 insertions, 8 deletions

diff --git a/www/apache-tomcat7/Makefile b/www/apache-tomcat7/Makefile
index 9072bf758ec..ec82cc04b19 100644
--- a/www/apache-tomcat7/Makefile
+++ b/www/apache-tomcat7/Makefile
@@ -1,4 +1,4 @@
-# $NetBSD: Makefile,v 1.7 2012/11/23 11:46:24 fhajny Exp $
+# $NetBSD: Makefile,v 1.8 2012/12/16 10:37:32 ryoon Exp $
 #
 
 DISTNAME=	apache-tomcat-${TOMCAT_VER}
@@ -24,7 +24,7 @@ PKG_DESTDIR_SUPPORT=	destdir
 
 .include "../../mk/bsd.prefs.mk"
 
-TOMCAT_VER=		7.0.30
+TOMCAT_VER=		7.0.34
 TOMCAT_HOME=		${PREFIX}/share/tomcat
 EGDIR=			${PREFIX}/share/examples/tomcat
 DOCDIR=			${PREFIX}/share/doc/tomcat
diff --git a/www/apache-tomcat7/PLIST b/www/apache-tomcat7/PLIST
index 49ad852e453..8f4f82a753f 100644
--- a/www/apache-tomcat7/PLIST
+++ b/www/apache-tomcat7/PLIST
@@ -1,4 +1,4 @@
-@comment $NetBSD: PLIST,v 1.3 2012/10/06 12:05:24 ryoon Exp $
+@comment $NetBSD: PLIST,v 1.4 2012/12/16 10:37:32 ryoon Exp $
 share/doc/tomcat/LICENSE
 share/doc/tomcat/NOTICE
 share/doc/tomcat/RELEASE-NOTES
@@ -31,7 +31,7 @@ share/tomcat/lib/catalina-ant.jar
 share/tomcat/lib/catalina-ha.jar
 share/tomcat/lib/catalina-tribes.jar
 share/tomcat/lib/catalina.jar
-share/tomcat/lib/ecj-3.7.2.jar
+share/tomcat/lib/ecj-4.2.1.jar
 share/tomcat/lib/el-api.jar
 share/tomcat/lib/jasper-el.jar
 share/tomcat/lib/jasper.jar
diff --git a/www/apache-tomcat7/distinfo b/www/apache-tomcat7/distinfo
index 5ecd26fcacd..afc36b8cd85 100644
--- a/www/apache-tomcat7/distinfo
+++ b/www/apache-tomcat7/distinfo
@@ -1,5 +1,5 @@
-$NetBSD: distinfo,v 1.4 2012/10/06 12:05:24 ryoon Exp $
+$NetBSD: distinfo,v 1.5 2012/12/16 10:37:32 ryoon Exp $
 
-SHA1 (apache-tomcat-7.0.30.tar.gz) = 2632d72b2e980f874ddc4f5b0f39a941f9937158
-RMD160 (apache-tomcat-7.0.30.tar.gz) = 97cbfb436be00a15f6ebf58e4cb4719b449e2ddc
-Size (apache-tomcat-7.0.30.tar.gz) = 7697071 bytes
+SHA1 (apache-tomcat-7.0.34.tar.gz) = 881569860855458ed57c967e3cb10632ad951549
+RMD160 (apache-tomcat-7.0.34.tar.gz) = c202cd4cf7d4e8c0a7cd5b9e1e8fecbe3467c6c5
+Size (apache-tomcat-7.0.34.tar.gz) = 7744774 bytes