The Apache Software Foundation.
Patches for Apache Tomcat 10
Windows
24 patches available
Apache Tomcat, also known as Tomcat Server, proves to be a popular choice for web developers building and maintaining dynamic websites and applications based on the Java software platform.
Apache Tomcat 10.1 Version 10.1.42
Release Date
6/5/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Changelog
Tomcat 10.1.42 (schultz)

Catalina
Fix: Add support for the java:module namespace which mirrors the java:comp namespace. (markt)
Fix: Support parsing of multiple path parameters separated by ; in a single URL segment. Based on pull request #860 by Chenjp. (markt)
Add: Added support for limiting the number of parameters in HTTP requests through the new ParameterLimitValve. The valve allows configurable URL-specific limits on the number of parameters. (dsoumis)
Fix: 69699: Encode redirect URL used by the rewrite valve with the session id if appropriate, and handle cross context with different session configuration when using rewrite. (remm)
Apache Tomcat 10.1 Version 10.1.41
Release Date
5/12/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Changelog
Tomcat 10.1.41 (schultz)

Catalina
Fix: Fix use of SSS in SimpleDateFormat pattern for AccessLogValve. (rjung)
Fix: Process possible path parameters rewrite production in the rewrite valve. (remm)
Add: 69588: Enable allowLinking to be set on PreResources, JarResources and PostResources. If not set explicitly, the setting will be inherited from the Resources. (markt)
Fix: 69633: Add support for Filters using context root mappings. (markt)
Fix: 69643: Optimize directory listing for large amount of files. Patch submitted by Loic de l'Eprevier. (remm)
Fix: #843: Fix off by one validation logic for partial PUT ranges and associated test case. Submitted by Chenjp. (remm)
Code: Replace the unused buffer in org.apache.catalina.connector.InputBuffer with a static, zero length buffer. (markt)
Code: Refactor CGI servlet to access resources via the WebResource API. (markt)
Fix: 69662: Report name in exception message when a naming lookup failure occurs. Based on code submitted by Donald Smith. (remm)
Fix: Ensure that the FORM authentication attribute authenticationSessionTimeout works correctly when sessions have an infinite timeout when authentication starts. (markt)
Add: Provide a content type based on file extension when web application resources are accessed via a URL. (markt)

Coyote
Code: Refactor the SavedRequestInputFilter so the buffered data is used directly rather than copied. (markt)

Jasper
Fix: 69635: Add support to jakarta.el.ImportHandler for resolving inner classes. (markt)
Add: #842: Add support for optimized execution of c:set and c:remove tags, when activated via JSP servlet param useNonstandardTagOptimizations. (jengebr)
Fix: Fix an edge case compilation bug for JSP and tag files on case insensitive file systems that was exposed by the test case for 69635. (markt)

Web applications
Fix: 68876: Documentation. Update the UML diagrams for server start-up, request processing and authentication using PlantUML and include the source files for each diagram. (markt)

Other
Fix: Set sun.io.useCanonCaches in service.bat. Based on pull request #841 by Paul Lodge. (remm)
Update: Update Jacoco to 0.8.13. (remm)
Add: Explicitly set the locale to be used for Javadoc. For official releases, this locale will be English (US) to support reproducible builds. (schultz)
Update: Update Byte Buddy to 1.17.5. (markt)
Update: Update Checkstyle to 10.23.1. (markt)
Update: Update file extension to media type mappings to align with the current list used by the Apache Web Server (httpd). (markt)
Update: Improvements to French translations. (remm)
Update: Improvements to Japanese translations provided by tak7iji. (markt)
Apache Tomcat 10.1 Version 10.1.40
Release Date
4/8/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

The notable changes in this release are:

Remove the requirement that an MD5 implementation must be provided by JRE.
Improve the handling of %nn URL encoding in the RewriteValve
Various improvements to the JsonErrorReportValve
Apache Tomcat 10.1 Version 10.1.39
Release Date
3/7/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

The notable changes in this release are:

Improve the checks for exposure to and protection against CVE-2024-56337 so that reflection is not used unless required. The checks for whether the file system is case sensitive or not have been removed.
Use Transfer-Encoding for compression rather than Content-Encoding if the client submits a TE header containing gzip.
Add makensis as an option for building the Installer for Windows on non-Windows platforms.
Apache Tomcat 10.1 Version 10.1.36
Release Date
2/18/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Tomcat 10.1.36 (schultz)

Catalina
Fix: 69576: Avoid possible failure initializing JreCompat due to uncaught exception introduced for the check for CVE-2024-56337. (remm)

Other
Add: Add org.apache.juli.JsonFormatter to format log as one line JSON documents. (remm)
Apache Tomcat 10.1 Version 10.1.34
Release Date
12/8/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Tomcat 10.1.34 Released
The Apache Tomcat Project is proud to announce the release of version 10.1.34 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 10 platform.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE based applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

The notable changes in this release are:

Add strong ETag support for the WebDAV and default servlet, which can be enabled by using the useStrongETags init parameter with a value set to true. The ETag generated will be a SHA-1 checksum of the resource content.
Add support for RateLimit header fields for HTTP (RFC draft) in the RateLimitFilter. Based on pull request #775 provided by Chenjp
Update Tomcat's fork of Commons DBCP to 2.13.0.
Apache Tomcat 10.1 Version 10.1.33
Release Date
11/10/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Tomcat 10.1.33 Released
The Apache Tomcat Project is proud to announce the release of version 10.1.33 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 10 platform.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE based applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

The notable changes in this release are:

Fix a regression caused by the improvement 69333 which caused the tag release to be called when using tag pooling, and to be skipped when not using it. Patch submitted by Michal Sobkiewicz.
Further WebDAV fixes and improvements.
Full details of these changes, and all the other changes, are available in the Tomcat 10.1 changelog.
Apache Tomcat 10.1 Version 10.1.31
Release Date
10/9/2024
Bug Fix?
Yes
Minor Release?
No
Patch Notes

2024-10-09
Tomcat 10.1.31 Released
The Apache Tomcat Project is proud to announce the release of version 10.1.31 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 10 platform.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE based applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

The notable changes in this release are:

Multiple fixes and improvements for WebDAV
Improvements to the recently added request/response recycling for HTTP/2
Improve the stability of Tomcat Native during GC
Full details of these changes, and all the other changes, are available in the Tomcat 10.1 changelog.
Apache Tomcat 10.1 Version 10.1.30
Release Date
9/13/2024
Bug Fix?
Yes
Minor Release?
No
Patch Notes

Tomcat 10.1.30 Released
The Apache Tomcat Project is proud to announce the release of version 10.1.30 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 10 platform.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE based applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

The notable changes in this release are:

Fix the regression in HTTP/2 support introduced in 10.1.29.
Apache Tomcat 10.1 Version 10.1.29
Release Date
9/10/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Tomcat 10.1.29 Released
The Apache Tomcat Project is proud to announce the release of version 10.1.29 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 10 platform.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE based applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

The notable changes in this release are:

If an HTTP/2 client resets a stream before the request body is fully written, ensure that any ReadListener is notified via a call to ReadListener.onError().
An Exception being thrown during WebSocket message processing (e.g. in a method annotated with @onMessage) should not automatically cause the connection to close. The application should handle the exception and make the decision whether or not to close the connection.
Correct a regression in the fix for non-blocking reads of chunked request bodies that caused InputStream.available() to return a non-zero value when there was no data to read. In some circumstances this could cause a blocking read to block waiting for more data rather than return the data it had already received.
Full details of these changes, and all the other changes, are available in the Tomcat 10.1 changelog.
Apache Tomcat 10.1 Version 10.1.28
Release Date
8/6/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Tomcat 10.1.28 (schultz)

Coyote
Fix: Correct regressions in the refactoring that added recycling of the coyote request and response to the HTTP/2 processing. (markt)
Apache Tomcat 10.1 Version 10.1.26
Release Date
7/12/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Tomcat 10.1.26 Released
The Apache Tomcat Project is proud to announce the release of version 10.1.26 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 10 platform.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE based applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

The notable changes in this release are:

Move OpenSSL support using FFM to a separate JAR named tomcat-coyote-ffm.jar that advertises Java 22 in its manifest.
When using include directives in a tag file packaged in a JAR file, ensure that the include directives are processed correctly.
Expand the implementation of the filter value of the Authenticator attribute allowCorsPreflight, so that it applies to all requests that match the configured URL patterns for the CORS filter, rather than only applying if the CORS filter is mapped to /*
Full details of these changes, and all the other changes, are available in the Tomcat 10.1 changelog.
Apache Tomcat 10.1 Version 10.1.25
Release Date
6/19/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Tomcat 10.1.25 Released
The Apache Tomcat Project is proud to announce the release of version 10.1.25 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 10 platform.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE based applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE, which is also available as a separate download for off-line use.

The notable changes in this release are:

Ensure that static resources deployed via a JAR file remain accessible when the context is configured to use a bloom filter. Based on pull request #730 provided by bergander.
Update to Commons Daemon 1.4.0
Improvements to HTTP/2 streams and timeouts
Full details of these changes, and all the other changes, are available in the Tomcat 10.1 changelog.
Apache Tomcat 10.1 Version 10.1.24
Release Date
5/9/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Apache Tomcat 10
Version 10.1.24, May 9 2024

Changelog
Tomcat 10.1.24 (schultz)

Catalina
Add: Small performance optimization when logging cookies with no values. (schultz)
Fix: Correct error handling for asynchronous requests. If the application performs a dispatch during AsyncListener.onError() the dispatch is now performed rather than completing the request using the error page mechanism. (markt)
Add: Re-factor ElapsedTimeElement in AbstractAccessLogValve to use a customizable style. (schultz)
Add: Add more timescale options to AccessLogValve and ExtendedAccessLogValve. Allow timescales to apply to time-taken token in ExtendedAccessLogValve. (schultz)
Fix: Fix WebDAV lock null (locks for non existing resources) thread safety and removal. (remm)
Fix: Add periodic checking for WebDAV locks expiration. (remm)
Fix: Extend Asn1Parser to parse UTF8Strings. (michaelo)
Fix: Remove MBean metadata for attributes that have been removed. Based on pull request #719 by Shawn Q. (markt)

Coyote
Fix: Align non-secure and secure writes with NIO and skip the write attempt when there are no bytes to be written. (markt)
Fix: Allow any positive value for socket.unlockTimeout. If a negative or zero value is configured, the default of 250ms will be used. (mark)
Fix: Reduce the time spent waiting for the connector to unlock. The previous default of 10s was noticeably too long for cases where the unlock has failed. The wait time is now 100ms plus twice socket.unlockTimeout. (markt)
Fix: Ensure that the onAllDataRead() event is triggered when the request body uses chunked encoding and is read using non-blocking IO. (markt)
Fix: 68934: Add debug logging in the latch object when exceeding maxConnections. (remm)
Fix: Refactor trailer field handling to use a MimeHeaders instance to store trailer fields. (markt)
Fix: Ensure that multiple instances of the same trailer field are handled correctly. (markt)
Fix: Fix non-blocking reads of chunked request bodies. (markt)
Fix: When an invalid HTTP response header was dropped, an off-by-one error meant that the first header in the response was also dropped. Fix based on pull request #710 by foremans. (markt)

Jasper
Add: Add support for specifying Java 23 (with the value 23) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will be used. (markt)

WebSocket
Fix: 68884: Reduce the write timeout when writing WebSocket close messages for abnormal closes. The timeout defaults to 50 milliseconds and may be controlled using the org.apache.tomcat.websocket.ABNORMAL_SESSION_CLOSE_SEND_TIMEOUT property in the user properties collection associated with the WebSocket session. (markt)

Web applications
Fix: Examples: Improve performance of WebSocket chat application when multiple clients disconnect at the same time. (markt)
Update: Examples: Increase the number of previous messages displayed when using the WebSocket chat application. (markt)
Fix: Examples: Improve performance of WebSocket snake application when multiple clients disconnect at the same time. (markt)

Other
Update: Switch to using the Base64 encoder and decoder provided by the JRE rather than the version provided by Commons Codec. The internal fork of Commons Codec has been deprecated and will be removed in Tomcat 11. (markt)
Update: Update NSIS to 3.10. (mark0t)
Update: Update UnboundID to 7.0.0. (markt)
Update: Update Checkstyle to 10.16.0. (markt)
Update: Update JaCoCo to 0.8.12. (markt)
Update: Update SpotBugs to 4.8.4. (markt)
Update: Update the internal fork of Apache Commons BCEL to 6.9.0. (markt)
Update: Update the internal fork of Apache Commons DBCP to 2.12.0. (markt)
Add: Improvements to French translations. (remm)
Add: Improvements to Japanese translations by tak7iji. (markt)
Apache Tomcat 10.1 Version 10.1.23
Release Date
4/16/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Changelog
Tomcat 10.1.23 (schultz)

Catalina
Update: Deprecate and remove sessionCounter (replaced by the addition of the active session count and the expired session count, as a reasonable approximation) and duplicates (which does not represent a possible event in current implementations) statistics from the session manager. (remm)
Fix: 68890: Align output encoding of JSPs in the Manager webapp with the XML declarations in those same files. (schultz)
Fix: Update Basic authentication to implement the requirements of RFC 7617 including the changing of the trimCredentials setting which now defaults to false. Note that the trimCredentials setting will be removed in Tomcat 11. (markt)

Coyote
Fix: Fix bnd jar descriptor to include the OpenSSL FFM support. (remm)
Fix: Add OpenSSL FFM classes to tomcat-embed-core.jar. (remm)
Apache Tomcat 10.1 Version 10.1.20
Release Date
3/25/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Tomcat 10.1.20 (schultz)

Catalina
Fix: Minor performance improvement for building filter chains. Based on ideas from #702 by Luke Miao. (remm)
Fix: Align error handling for Writer and OutputStream. Ensure use of either once the response has been recycled triggers a NullPointerException provided that discardFacades is configured with the default value of true. (markt)
Fix: 68692: The standard thread pool implementations that are configured using the Executor element now implement ExecutorService to better support NIO2. (remm)
Fix: 68495: When restoring a saved POST request after a successful FORM authentication, ensure that neither the URI, the query string nor the protocol are corrupted when restoring the request body. (markt)
Fix: After forwarding a request, attempt to unwrap the response in order to suspend it, instead of simply closing it if it was wrapped. Add a new suspendWrappedResponseAfterForward boolean attribute on Context to control the behavior, defaulting to false. (remm)
Fix: 68721: Workaround a possible cause of duplicate class definitions when using ClassFileTransformers and the transformation of a class also triggers the loading of the same class. (markt)
Fix: The rewrite valve should not do a rewrite if the output is identical to the input. (remm)
Update: Add a new valveSkip (or VS) rule flag to the rewrite valve to allow skipping over the next valve in the Catalina pipeline. (remm)
Update: Add highConcurrencyStatus attribute to the SemaphoreValve to optionally allow the valve to return an error status code to the client when a permit cannot be acquired from the semaphore. (remm)
Add: Add checking of the age of the running Tomcat instance since its build-date to the SecurityListener, and log a warning if the server is old. (schultz)
Fix: When using the AsyncContext, throw an IllegalStateException, rather than allowing a NullPointerException, if an attempt is made to use the AsyncContext after it has been recycled. (markt)

Coyote
Fix: Improve the HTTP/2 stream prioritisation process. If a stream uses all of the connection windows and still has content to write, it will now be added to the backlog immediately rather than waiting until the write attempt for the remaining content. (markt)
Fix: Add threadsMaxIdleTime attribute to the endpoint, to allow configuring the amount of time before an internal executor will scale back to the configured minSpareThreads size. (remm)
Fix: Correct a regression in the support for user provided SSLContext instances that broke the org.apache.catalina.security.TLSCertificateReloadListener. (markt)

Jasper
Add: Add support for specifying Java 22 (with the value 22) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will be used. (markt)
Fix: Handle the case where the JSP engine forwards a request/response to a Servlet that uses an OutputStream rather than a Writer. This was triggering an IllegalStateException on code paths where there was a subsequent attempt to obtain a Writer. (markt)
Fix: Correctly handle the case where a tag library is packaged in a JAR file and the web application is deployed as a WAR file rather than an unpacked directory. (markt)

Cluster
Fix: Avoid updating request count stats on async. (remm)

Other
Add: Improvements to French translations. (remm)
Add: Improvements to Japanese translations by tak7iji. (markt)
Fix: 57130: Allow digest.(sh|bat) to accept password from a file or stdin. (csutherl/schultz)
Update: Update Checkstyle to 10.14.1. (markt)
Apache Tomcat 10.1 Version 10.1.19
Release Date
2/19/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Tomcat 10.1.19 (schultz)

Catalina
Fix: Correct JPMS and OSGi meta-data for tomcat-embed-core.jar by removing reference to org.apache.catalina.ssi package that is no longer included in the JAR. Based on pull request #684 by Jendrik Johannes. (markt)
Fix: Fix ServiceBindingPropertySource so that trailing \r\n sequences are correctly removed from files containing property values when configured to do so. Bug identified by Coverity Scan. (markt)
Add: Add improvements to the CSRF prevention filter including the ability to skip adding nonces for resource name and subtree URL patterns. (schultz)
Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm)
Fix: 68089: Further improve the performance of request attribute access for ApplicationHttpRequest and ApplicationRequest. (markt)
Fix: 68559: Allow asynchronous error handling to write to the response after an error during asynchronous processing. (markt)

Coyote
Fix: Setting a null value for a cookie attribute should remove the attribute. (markt)
Fix: Make asynchronous error handling more robust. Ensure that once a connection is marked to be closed, further asynchronous processing cannot change that. (markt)
Fix: Make asynchronous error handling more robust. Ensure that once the call to AsyncListener.onError() has returned to the container, only container threads can access the AsyncContext. This protects against various race conditions that would otherwise occur if application threads continued to access the AsyncContext.
Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. In particular, most of the HTTP/2 debug logging has been changed to trace level. (remm)
Fix: Add support for user provided SSLContext instances configured on SSLHostConfigCertificate instances. Based on pull request #673 provided by Hakan Altindag. (markt)
Fix: Partial fix for 68558: Cache the result of converting to String for request URI, HTTP header names and the request Content-Type value to improve performance by reducing repeated byte[] to String conversions. (markt)
Fix: Improve error reporting to HTTP/2 clients for header processing errors by reporting problems at the end of the frame where the error was detected rather than at the end of the headers. (markt)
Fix: Remove the remaining reference to a stream once the stream has been recycled. This makes the stream eligible for garbage collection earlier and thereby improves scalability. (markt)

Jasper
Fix: 68546: Generate optimal size and types for JSP imports maps, as suggested by John Engebretson. (remm)
Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm)

WebSocket
Fix: Correct a regression in the fix for 66508 that could cause an UpgradeProcessor leak in some circumstances. (markt)
Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm)
Fix: Ensure that WebSocket connection closure completes if the connection is closed when the server side has used the proprietary suspend/resume feature to suspend the connection. (markt)

Web applications
Add: Add support for responses in JSON format from the examples application RequestHeaderExample. (schultz)

Other
Fix: Correct the remaining OSGi contract references in the manifest files to refer to the Jakarta EE contract names rather than the Java EE contract names. Based on pull request #685 provided by Paul A. Nicolucci. (markt)
Update: Update Checkstyle to 10.13.0. (markt)
Update: Update JSign to 6.0. (markt)
Update: Update the packaged version of the Tomcat Migration Tool for Jakarta EE to 1.0.7. (markt)
Update: Update Tomcat Native to 2.0.7. (markt)
Update: Add strings for debug level messages. (remm)
Add: Improvements to French translations. (remm)
Add: Improvements to Japanese translations by tak7iji. (markt)
Apache Tomcat 10.1 Version 10.1.18
Release Date
1/5/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Tomcat 10.1.18 (schultz)

Catalina
Update: 68378: Align extension to MIME type mappings in the global web.xml with those in httpd by adding application/vnd.geogebra.slides for ggs, text/javascript for mjs and audio/ogg for opus. (markt)

Coyote
Fix: Refactor the VirtualThreadExecutor so that it can be used by the NIO2 connector which was using platform threads even when configured to use virtual threads. (markt)
Fix: Correct a regression in the fix for 67675 that broke TLS key file parsing for PKCS#8 format keys that do not specify an explicit pseudo-random function and rely on the default. This typically affects keys generated by OpenSSL 1.0.2. (markt)
Fix: Allow multiple operations with the same name on introspected mbeans, fixing a regression caused by the introduction of a second addSslHostConfig method. (remm)
Fix: Relax the check that the HTTP Host header is consistent with the host used in the request line, if any, to make the check case insensitive since host names are case insensitive. (markt)
Add: 68348: Add support for the partitioned attribute for cookies including session cookies. (markt)

Web Applications
Fix: 68035: Additional fix to the Manager application to enable the deployment of a web application located in a Host's appBase where the web application is specified by a bare (no path) WAR or directory name as shown in the documentation. (markt)

Other
Update: Update Checkstyle to 10.12.7. (markt)
Update: Update SpotBugs to 4.8.3. (markt)
Add: Improvements to French translations. (remm)
Add: Improvements to Japanese translations by tak7iji. (markt)
Apache Tomcat 10.1 Version 10.1.17
Release Date
12/12/2023
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Tomcat 10.1.17 (schultz)

Catalina
Fix: Background processes should not be run concurrently with lifecycle operations of a container. (remm)
Fix: Correct unintended escaping of XML in some WebDAV responses. The XML list of support locks when provided in response to a PROPFIND request was incorrectly XML escaped. (markt)
Fix: 68227: Ensure that AsyncListener.onComplete() is called if AsyncListener.onError() calls AsyncContext.dispatch(). (markt)
Fix: 68228: Use a 408 status code if a read timeout occurs during HTTP request processing. Includes a test case based on code provided by adwsingh. (markt)

Jasper
Code: 68119: Refactor the CompositeELResolver to improve performance during type conversion operations. (markt)

Web Applications
Fix: Examples. Improve the error handling so snakes associated with a user that drops from the network are removed from the game. (markt)

Other
Fix: 68124: Migrate sample.war from javax to jakarta. (lihan)
Update: Update UnboundID to 6.0.11. (markt)
Update: Update Checkstyle to 10.12.5. (markt)
Update: Update SpotBugs to 4.8.2. (markt)
Update: Update Derby to 10.17.1. (markt)
Add: Improvements to French translations. (remm)
Add: Improvements to Japanese translations by tak7iji. (markt)
Add: Improvements to Brazilian Portuguese translations by John William Vicente. (markt)
Add: Improvements to Russian translations by usmazat and remm. (markt)
Apache Tomcat 10.1 Version 10.1.13
Release Date
8/23/2023
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Tomcat 10.1.13 (markt)

Catalina
Fix: If an application or library sets both a non-500 error code and the jakarta.servlet.error.exception request attribute, use the provided error code during error page processing rather than assuming an error code of 500. (markt)
Fix: Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB. (martk)
Fix: Avoid protocol relative redirects in FORM authentication. (markt)

Web applications
Fix: Documentation. Update documentation to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB. (martk)

Other
Add: Improvements to Chinese translations. (lihan)
Add: Improvements to French translations. (remm)
Add: Improvements to Japanese translations by tak7iji. (markt)
Apache Tomcat 10.1 Version 10.1.11
Release Date
7/10/2023
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Tomcat 10.1.11 (schultz)

Catalina
Add: 59232: Add org.apache.catalina.core.ContextNamingInfoListener, a listener which creates context naming information environment entries. (michaelo)
Add: 66665: Add org.apache.catalina.core.PropertiesRoleMappingListener, a listener which populates the context's role mapping from a properties file. (michaelo)
Fix: Fix an edge case where intra-web application symlinks would be followed if the web applications were deliberately crafted to allow it even when allowLinking was set to false. (markt)
Update: Add utility config file resource lookup on Context to allow looking up resources from the webapp (prefixed with webapp:) and make the resource lookup API more visible. (remm)
Fix: Fix potential database connection leaks in DataSourceUserDatabase identified by Coverity Scan. (markt)
Fix: Make parsing of ExtendedAccessLogValve patterns more robust. (markt)

Coyote
Fix: 66627: Restore the documented behaviour of MessageBytes.getType() that it returns the type of the original content rather than reflecting the most recent conversion. (markt)
Fix: 66635: Correct certificate logging on start-up so it differentiates between keystore based keys/certificates and PEM file based keys/certificates and logs the relevant information for each. (markt)
Fix: Refactor blocking reads and writes for the NIO connector to remove code paths that could allow a notification from the Poller to be missed resulting in a timeout rather than the expected read or write. (markt)
Fix: Refactor waiting for an HTTP/2 stream or connection window update to handle spurious wake-ups during the wait. (markt)

WebSocket
Fix: Improve handling of error conditions for the WebSocket server, particularly during Tomcat shutdown. (markt)
Fix: Correct a regression in the fix for 66574 that meant the WebSocket session could return false for onOpen() before the onClose() event had been completed. (markt)

Web applications
Add: Documentation. Expand the security guidance to cover the embedded use case and add notes on the uses made of the java.io.tmpdir system property. (markt)
Fix: 66662: Documentation. Fix a typo in the name of the algorithms attribute in the configuration section for the Digest authentication valve. Pull request #629 provided by gohilmca. (markt)

Other
Add: Include the Windows specific binary distributions in the files uploaded to Maven Central. (markt)
Add: Improvements to French translations. (remm)
Add: Improvements to Japanese translations. Contributed by tak7iji. (markt)
Update: Update UnboundID to 6.0.9. (markt)
Update: Update Checkstyle to 10.12.1. (markt)
Update: Update BND to 6.4.1. (markt)
Update: Update JSign to 5.0. (markt/rjung)
Apache Tomcat 10.1 Version 10.1.9
Release Date
5/19/2023
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Tomcat 10.1.9 (schultz)

Catalina
Fix: 66567: Fix missing IllegalArgumentException after the Tomcat code was converted to using URI instead of URL. (remm)
Fix: Escape timestamp output in AccessLogValve if a SimpleDateFormat is used which contains verbatim characters that need escaping. (rjung)
Update: Change output of vertical tab in AccessLogValve from \v to \u000b. (rjung)
Update: Improve performance of escaping in AccessLogValve roughly by a factor of two. (rjung)
Update: Improve JsonAccessLogValve: support more patterns like for headers and attributes. Those will be logged as sub objects. (rjung)
Fix: #613: Fix possible partial corrupted file copies when using file locking protection or the manager servlet. Submitted by Jack Shirazi. (remm)
Add: Add RateLimitFilter which can be used to mitigate DoS and Brute Force attacks. (isapir)

Coyote
Add: Add support for a new character set, gb18030-2022 - introduced in Java 21, to the character set caching mechanism. (markt)
Fix: Fix an edge case in HTTP header parsing and ensure that HTTP headers without names are treated as invalid. (markt)
Update: Deprecate the HTTP Connector settings rejectIllegalHeader and allowHostHeaderMismatch as they have been removed in Tomcat 11 onwards. (markt)
Fix: 66591: Fix a regression introduced in the fix for 66512 that meant that an AJP Send Headers was not sent for responses where no HTTP headers were set. (markt)

Jasper
Fix: 66582: Account for EL having stricter requirements for static imports than JSPs when adding JSP static imports to the EL context. (markt)

WebSocket
Fix: 66574: Refactor WebSocket session close to remove the lock on the SocketWrapper which was a potential cause of deadlocks if the application code used simulated blocking. (markt)
Fix: 66575: Avoid unchecked use of the backing array of a buffer provided by the user in the compression transformation. (remm)
Fix: Improve exception handling when flushing batched messages during WebSocket session close. (markt)
Fix: 66581: Update AsyncChannelGroupUtil to align it with the current defaults for AsynchronousChannelGroup. Pull request #612 by Matthew Painter. (markt)

Other
Add: Improvements to French translations. (remm)
Add: Improvements to Chinese translations. (lihan)
Update: Update Checkstyle to 10.10.0. (markt)
Update: Update Jacoco to 0.8.10. (markt)
Update: Update the packaged version of the Tomcat Migration Tool for Jakarta EE to 1.0.7. (markt)
Apache Tomcat 10.1 Version 10.1.2
Release Date
11/14/2022
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

The notable changes in this release are:

Fix concurrency issue in evaluation of expression language containing lambda expressions.
Update the packaged version of the Apache Tomcat Native Library to 2.0.2 to pick up the Windows binaries built with OpenSSL 3.0.7.
Correct the date format used with the expires attribute of HTTP cookies. A single space rather than a single dash should be used to separate the day, month and year components to be compliant with RFC 6265.

Full details of these changes, and all the other changes, are available in the Tomcat 10.1 changelog.
Apache Tomcat 10.1 Version 10.1.1
Release Date
10/11/2022
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

The notable changes in this release are:

Fix bug 66277, a refactoring regression that broke JSP includes amongst other functionality.
Fix unexpected timeouts that may appear as client disconnections when using HTTP/2 and NIO2.
Enforce the requirement of RFC 7230 onwards that a request with a malformed content-length header should always be rejected with a 400 response.
Apache Tomcat 10.0 Version 10.0.23
Release Date
7/14/2022
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Catalina
Fix: 66104: Avoid error message by not trying to clean up old files from the logging directory before the directory has been created. Based on #521 by HanLi. (markt)

Coyote
Add: Provide dedicated loggers (org.apache.tomcat.util.net.NioEndpoint.handshake / org.apache.tomcat.util.net.Nio2Endpoint.handshake) for TLS handshake failures. (markt)
Add: Enable the use of the FIPS provider for TLS enabled Connectors when using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards. (markt)
Code: Deprecated the jvmRoute system property used to configure a default value for the jvmRoute attribute of an Engine. (markt)
Fix: Fix duplicate Poller registration with HTTP/2, NIO and async IO that could cause HTTP/2 connections to unexpectedly fail. (markt)

Jasper
Add: Add support for specifying Java 19 (with the value 19) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will be used. (markt)

Web applications
Fix: Documentation. 62245: Include contextXsltFile when discussing options for configuring directory listings. (markt)
Fix: Examples. Fix CVE-2022-34305, a low severity XSS vulnerability in the Form authentication example. (markt)
Fix: Documentation. Expand the description of the useSendfile attribute for HTTP/2 and reference the possibility of file locking when using this feature on Windows operating systems. (markt)

Other
Update: Update to bnd 6.3.1. (markt)
Update: The minimum Ant version required to build Tomcat 10.1.x is now 1.10.2. (markt)
Add: Add additional automation to the build process to reduce the number of manual steps that release managers must perform. (schultz)
Add: Implement support for reproducible builds. Reproducible builds are independent of operating system but require the same Ant version and same JDK (vendor and version) to be used as associated version information is embedded in a number of build outputs such as JAR file manifests. (markt)
Update: Update the packaged version of the Tomcat Native Library to 1.2.34 to improve the support for building with OpenSSL 3.0.x. (markt)
Fix: Remove and/or update references to the removed org.apache.tomcat.util.threads.res package. The LocalStrings*.properties files in that package were moved to org.apache.tomcat.util.threads package for consistency with the rest of the Tomcat code base.
Fix: 66134: The NSIS based Tomcat installer for Windows now correctly handles the combination of TomcatAdminRoles defined in a configuration file and selecting the Manager and/or Host Manager web applications in the installer's GUI. (markt)
Update: Update the OWB module to Apache OpenWebBeans 2.0.27. (remm)
Update: Update the CXF module to Apache CXF 3.5.3. (remm)
Update: Update the Apache Tomcat migration tool for Jakarta EE library to 1.0.1. (markt)
Add: Improvements to French translations. (remm)
Add: Improvements to Japanese translations contributed by tak7iji. (markt)
Update: Update the packaged version of the Tomcat Native Library to 1.2.35 to pick up Windows binaries built with OpenSSL 1.1.1q. (markt)