Changelog$$$Tomcat 9.0.107 (remm)$$$Catalina$$$Fix: Ensure application configured welcome files override the defaults when configuring an embedded web application programmatically. (markt)$$$Fix: Allow the default servlet to set the content length when the content length is known; no content has been written and a Writer is being used. (markt)$$$Fix: 69717: Correct a regression in the fix for CVE-2025-49125 that prevented access to PreResources and PostResources when mounted below the web application root with a path that was terminated with a file separator. (remm/markt)$$$Fix: 69731: Fix an issue that meant that the value of maxParameterCount applied was smaller than intended for multipart uploads with non-file parts when the parts were processed before query string parameters. (markt)$$$Fix: Align size tracking for multipart requests with FileUploads use of long. (schultz)$$$Coyote$$$Fix: 69710: Increase the default for maxPartCount from 10 to 50. Update the documentation to provide more details on the memory requirements to support multi-part uploads while avoiding a denial of service risk. (markt)$$$Fix: 69713: Correctly handle an HTTP/2 data frame that includes padding when the headers include a content-length. (remm/markt)$$$Fix: Correctly collect statistics for HTTP/2 requests and avoid counting one request multiple times. Based on pull request #868 by qingdaoheze. (markt)$$$Fix: Fix JMX value for keepAliveCount on the endpoint. Also add the value of useVirtualThreads in JMX. (remm)$$$Fix: Improve stability of APR/native connector. (markt)$$$Fix: 69728: Remove incorrect warning when HTTP/2 is used with optional certificate verification and improve the warnings when a web application tries to use CLIENT-CERT with either HTTP/2 or a JSSE implementation of TLS 1.3. (markt)$$$Fix: When setting the initial HTTP/2 connection limit; apply those limits earlier. (markt)$$$Jasper$$$Code: Remove IMPL_OBJ_START from EL grammar for IDENTIFIER. (markt)$$$Code: Remove the INSTANCEOF and FUNCTIONSUFFIX definitions from the EL grammar as both are unused. (markt)$$$Web applications$$$Add: Documentation. Provide more explicit guidance regarding the security considerations for enabling write access to the web application via WebDAV; HTTP PUT requests or similar. (markt)$$$Add: Documentation. Add a section on reverse proxies to the security considerations page. (markt)$$$Other$$$Update: Update UnboundID to 7.0.3. (markt)$$$Update: Update Checkstyle to 10.25.1. (markt)$$$Update: Improvements to French translations. (remm)$$$Update: Improvements to Japanese translations provided by tak7iji. (markt)

Tomcat 9.0.106 (remm)$$$Catalina$$$Fix: Add support for the java:module namespace which mirrors the java:comp namespace. (markt)$$$Fix: Support parsing of multiple path parameters separated by ; in a single URL segment. Based on pull request #860 by Chenjp. (markt)$$$Add: Added support for limiting the number of parameters in HTTP requests through the new ParameterLimitValve. The valve allows configurable URL-specific limits on the number of parameters. (dsoumis)$$$Fix: 69699: Encode redirect URL used by the rewrite valve with the session id if appropriate; and handle cross context with different session configuration when using rewrite. (remm)$$$Add: #863: Add support for comments at the end of lines in text rewrite map files to align behaviour with Apache httpd. Pull request provided by Chenjp. (markt)$$$Fix: 69706: Fix saved request serialization issue in FORM introduced when allowing infinite session timeouts. (remm)$$$Fix: Expand the path checks for Pre-Resources and Post-Resources mounted at a path within the web application. (markt)$$$Coyote$$$Code: #861: Refactor TaskQueue to use the new interface RetryableQueue which enables better integration of custom Executors which provide their own BlockingQueue implementation. Pull request provided by Paulo Almeida. (markt)$$$Add: Provide finer grained control of multi-part request processing via two new attributes on the Connector element. maxPartCount limits the total number of parts in a multi-part request and maxPartHeaderSize limits the size of the headers provided with each part. Add support for these new attributes to the ParameterLimitValve. (markt)$$$Jasper$$$Fix: 69696: Mark the JSP wrapper for reload after a failed compilation. (remm)$$$Web applications$$$Fix: 69694: Improve error reporting of deployment tasks done using the manager webapp when a copy operation fails. (remm)$$$Other$$$Fix: Add thread name to webappClassLoader.stackTraceRequestThread message. Patch provided by Felix Zhang. (schultz)$$$Update: Update the internal fork of Apache Commons FileUpload to 1.6.0-RC1 (2025-06-05). (markt)$$$Update: Update EasyMock to 5.6.0. (markt)$$$Update: Update Checkstyle to 10.25.0. (markt)$$$Add: #858: Extend improvements to CVE-2024-56337 protection to service.bat. Pull request provided by Markus Hoffrogge. (markt)$$$Fix: Use the full path when the installer for Windows sets calls icacls to set file permissions. (markt)$$$Update: Improvements to Japanese translations provided by tak7iji. (markt)

Tomcat 9.0.106 (remm)$$$Catalina$$$Fix: Add support for the java:module namespace which mirrors the java:comp namespace. (markt)$$$Fix: Support parsing of multiple path parameters separated by ; in a single URL segment. Based on pull request #860 by Chenjp. (markt)$$$Add: Added support for limiting the number of parameters in HTTP requests through the new ParameterLimitValve. The valve allows configurable URL-specific limits on the number of parameters. (dsoumis)$$$Fix: 69699: Encode redirect URL used by the rewrite valve with the session id if appropriate; and handle cross context with different session configuration when using rewrite. (remm)$$$Add: #863: Add support for comments at the end of lines in text rewrite map files to align behaviour with Apache httpd. Pull request provided by Chenjp. (markt)$$$Fix: 69706: Fix saved request serialization issue in FORM introduced when allowing infinite session timeouts. (remm)$$$Fix: Expand the path checks for Pre-Resources and Post-Resources mounted at a path within the web application. (markt)$$$Coyote$$$Code: #861: Refactor TaskQueue to use the new interface RetryableQueue which enables better integration of custom Executors which provide their own BlockingQueue implementation. Pull request provided by Paulo Almeida. (markt)$$$Add: Provide finer grained control of multi-part request processing via two new attributes on the Connector element. maxPartCount limits the total number of parts in a multi-part request and maxPartHeaderSize limits the size of the headers provided with each part. Add support for these new attributes to the ParameterLimitValve. (markt)$$$Jasper$$$Fix: 69696: Mark the JSP wrapper for reload after a failed compilation. (remm)$$$Web applications$$$Fix: 69694: Improve error reporting of deployment tasks done using the manager webapp when a copy operation fails. (remm)$$$Other$$$Fix: Add thread name to webappClassLoader.stackTraceRequestThread message. Patch provided by Felix Zhang. (schultz)$$$Update: Update the internal fork of Apache Commons FileUpload to 1.6.0-RC1 (2025-06-05). (markt)$$$Update: Update EasyMock to 5.6.0. (markt)$$$Update: Update Checkstyle to 10.25.0. (markt)$$$Add: #858: Extend improvements to CVE-2024-56337 protection to service.bat. Pull request provided by Markus Hoffrogge. (markt)$$$Fix: Use the full path when the installer for Windows sets calls icacls to set file permissions. (markt)$$$Update: Improvements to Japanese translations provided by tak7iji. (markt)

Changelog$$$Tomcat 9.0.105 (remm)$$$Catalina$$$Add: 69588: Enable allowLinking to be set on PreResources; JarResources and PostResources. If not set explicitly; the setting will be inherited from the Resources. (markt)$$$Fix: 69633: Add support for Filters using context root mappings. (markt)$$$Fix: #843: Fix off by one validation logic for partial PUT ranges and associated test case. Submitted by Chenjp. (remm)$$$Code: Replace the unused buffer in org.apache.catalina.connector.InputBuffer with a static; zero length buffer. (markt)$$$Code: Refactor GCI servlet to access resources via the WebResource API. (markt)$$$Fix: 69662: Report name in exception message when a naming lookup failure occurs. Based on code submitted by Donald Smith. (remm)$$$Fix: Ensure that the FORM authentication attribute authenticationSessionTimeout works correctly when sessions have an infinite timeout when authentication starts. (markt)$$$Add: Provide a content type based on file extension when web application resources are accessed via a URL. (markt)$$$Coyote$$$Code: Refactor the SavedRequestInputFilter so the buffered data is used directly rather than copied. (markt)$$$Jasper$$$Fix: 69635: Add support to jakarta.el.ImportHandler for resolving inner classes. (markt)$$$Add: #842Add support for optimized execution of c:set and c:remove tags; when activated via JSP servlet param useNonstandardTagOptimizations. (jengebr)$$$Fix: Fix an edge case compilation bug for JSP and tag files on case insensitive file systems that was exposed by the test case for 69635. (markt)$$$Web applications$$$Fix: 68876: Documentation. Update the UML diagrams for server start-up; request processing and authentication using PlantUML and include the source files for each diagram. (markt)$$$Other$$$Update: Update Jacoco to 0.8.13. (remm)$$$Add: Explicitly set the locale to be used for Javadoc. For official releases; this locale will be English (US) to support reproducible builds.$$$Update: Update Byte Buddy to 1.17.5. (markt)$$$Update: Update Checkstyle to 10.23.1. (markt)$$$Update: Update file extension to media type mappings to align with the current list used by the Apache Web Server (httpd). (markt)$$$Update: Improvements to French translations. (remm)$$$Update: Improvements to Japanese translations provided by tak7iji. (markt)

Tomcat 9.0.104 (remm)$$$Catalina$$$Fix: Fix use of SSS in SimpleDateFormat pattern for AccessLogValve. (rjung)$$$Fix: Process possible path parameters rewrite production in the rewrite valve. (remm)$$$Fix: 69643: Optimize directory listing for large amount of files. Patch submitted by Loic de lEprevier. (remm)$$$Other$$$Fix: Set sun.io.useCanonCaches in service.bat Based on pull request #841 by Paul Lodge. (remm)$$$Fix: The minimum Java version to build a release is now Java 22; mirroring Tomcat 10.1. This removes the need for using a java-ffm.home property. (remm)

Changelog$$$Tomcat 9.0.102 (remm)$$$Catalina$$$Fix: Weak etags in the If-Range header should not match as strong etags are required. (remm)

Tomcat 9.0.100 (remm)$$$Catalina$$$Fix: 69576: Avoid possible failure intializing JreCompat due to uncaught exception introduced for the check for CVE-2024-56337. (remm)$$$Other$$$Add: Add org.apache.juli.JsonFormatter to format log as one line JSON documents. (remm)

Tomcat 9.0.98 Released$$$The Apache Tomcat Project is proud to announce the release of version 9.0.98 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.97 include:$$$$$$Add strong ETag support for the WebDAV and default servlet; which can be enabled by using the useStrongETags init parameter with a value set to true. The ETag generated will be a SHA-1 checksum of the resource content.$$$Add support for RateLimit header fields for HTTP (RFC draft) in the RateLimitFilter.$$$Update Tomcats fork of Commons DBCP to 2.13.0.

Tomcat 9.0.97 Released$$$The Apache Tomcat Project is proud to announce the release of version 9.0.97 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.96 include:$$$$$$Fix a regression caused by the improvement 69333 which caused the tag release to be called when using tag pooling; and to be skipped when not using it$$$Further WebDAV fixes and improvements$$$Full details of these changes; and all the other changes; are available in the Tomcat 9 changelog.

$$$2024-10-08Tomcat 9.0.96 Released$$$The Apache Tomcat Project is proud to announce the release of version 9.0.96 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.95 include:$$$$$$Multiple fixes and improvements for WebDAV$$$Improvements to the recently adding request/response recycling for HTTP/2$$$Improve the stability of Tomcat Native during GC$$$Full details of these changes; and all the other changes; are available in the Tomcat 9 changelog.

Tomcat 9.0.95 (remm)$$$Coyote$$$Fix: Fix 69320; a regression in the fix for 69302 that meant the HTTP/2 processing was likely to be broken for all clients once any client sent an HTTP/2 reset frame. (markt)

Tomcat 9.0.94 (remm)$$$Catalina$$$Fix: Improve performance of ApplicationHttpRequest.parseParameters(). Based on sample code and test cases provided by John Engebretson. (markt)$$$Coyote$$$Fix: Correct a regression in the fix for non-blocking reads of chunked request bodies that caused InputStream.available() to return a non-zero value when there was no data to read. In some circumstances this could cause a blocking read to block waiting for more data rather than return the data it had already received. (markt)$$$Add: Add a new attribute cookiesWithoutEquals to the Rfc6265CookieProcessor. The default behaviour is unchanged. (markt)$$$Fix: Ensure that Tomcat sends a TLS close_notify message after receiving one from the client when using the OpenSSLImplementation. (markt)$$$Fix: 69301: Fix trailer headers replacing non-trailer headers when writing response headers to the access log. Based on a patch and test case provided by hypnoce. (markt)$$$Fix: 69302: If an HTTP/2 client resets a stream before the request body is fully written; ensure that any ReadListener is notified via a call to ReadListener.onErrror(). (markt)$$$Jasper$$$Fix: Switch the TldScanner back to logging detailed scan results at debug level rather than trace level. (markt)$$$WebSocket$$$Fix: If a blocking message write exceeds the timeout; dont attempt the write again before throwing the exception. (markt)$$$Fix: An EncodeException being thrown during a message write should not automatically cause the connection to close. The application should handle the exception and make the decision whether or not to close the connection. (markt)$$$Web applications$$$Fix: Documentation. Align the logging configuration documentation with the current defaults. (markt)$$$jdbc-pool$$$Fix: 69255: Correct a regression in the fix for 69206 that meant exceptions executing statements were wrapped in an java.lang.reflect.UndeclaredThrowableException rather than the application seeing the original SQLException. Fixed by pull request #744 provided by Michael Clarke. (markt)$$$Fix: 69279: Correct a regression in the fix for 69206 that meant that methods that previously returned a null ResultSet were returning a proxy with a null delegate. Fixed by pull request #745 provided by Huub de Beer. (markt)$$$Other$$$Add: Exclude the tomcat-coyote-ffm.jar from JAR scanning by default. (markt)$$$Fix: Change the default log handler level to ALL so log messages are not dropped by default if a logger is configured to use trace (FINEST) level logging. (markt)$$$Update: Update Hamcrest to 3.0. (markt)$$$Update: Update EasyMock to 5.4.0. (markt)$$$Update: Update Byte Buddy to 1.15.0. (markt)$$$Update: Update CheckStyle to 10.18.0. (markt)$$$Update: Update the internal fork of Apache Commons BCEL to 6.10.0. (markt)$$$Add: Improvements to Spanish translations by Fernando. (markt)$$$Add: Improvements to French translations. (remm)$$$Add: Improvements to Japanese translations by tak7iji. (markt)

Tomcat 9.0.93 (remm)$$$Coyote$$$Fix: Correct regressions in the refactoring that added recycling of the coyote request and response to the HTTP/2 processing. (markt)

Tomcat 9.0.91 (remm)$$$Catalina$$$Fix: Allow JAASRealm to use the configuration source to load a configured configFile; for easier use with testing. (remm)$$$Fix: Add missing algorithm callback to the JAASCallbackHandler. (remm)$$$Fix: 69131: Expand the implementation of the filter value of the Authenticator attribute allowCorsPreflight; so that it applies to all requests that match the configured URL patterns for the CORS filter; rather than only applying if the CORS filter is mapped to /*. (markt)$$$Coyote

Tomcat 9.0.90 (remm)$$$Catalina$$$Add: Add support for shallow copies when using WebDAV. (markt)$$$Code: Deprecate the WebdavFixFilter as it is no longer required. (markt)$$$Fix: 69066: Fix regression in SPNEGO authenticator when processing Base64. Submitted by Daniel Lyko. (remm)$$$Update: Update minimum recommended version of Tomcat Native to 1.3.0. Pull request #728 provided by Dimitrios Soumis. (markt)$$$Update: The system property org.apache.catalina.connector.RECYCLE_FACADES will now default to true if not specified; which will in turn set the default value for the discardFacades connector attribute; thus causing facade objects to be discarded by default. (remm)$$$Add: Add RealmBase.getPrincipal(GSSName; GSSCredential; GSSContext) for retrieving extended/additional information from an established GSS context. (michaelo)$$$Fix: Correct a regression in the fix for 68721 that caused some instances of LinkageError to be reported as ClassNotFoundException. (markt)$$$Fix: Ensure that static resources deployed via a JAR file remain accessible when the context is configured to use a bloom filter. Based on pull request #730 provided by bergander. (markt)$$$Add: Introduce reference counting so the AprLifecycleListener is more robust. This particularly targets more complex embedded configurations with multiple server instances with independent lifecycles where more than one server instance requires the AprLifecycleListener. (markt)$$$Coyote$$$Fix: 69068: Ensure read timouts are triggered for asynchronous; non-blocking reads when using HTTP/2. (markt)$$$Update: 69133: Add task queue size configuration on the Connector element; similar to the Executor element; for consistency. (remm)$$$Fix: Make counting of active HTTP/2 streams per connection more robust. (markt)$$$Add: Add support for TLS 1.3 client initiated re-keying. (markt)$$$Jasper$$$Fix: 68546: Small additional optimisation for initial loading of Servlet code generated for JSPs. Based on a suggestion by Dan Armstrong. (markt)$$$Web applications$$$Add: Add the ability to set a sub-title for the Manager web application main page. This is intended to allow users with lots of instances to easily distinguish them. Based on pull request #724 by Simon Arame. (markt)$$$Other$$$Update: Revert Derby to 10.16.1.1 as that is the latest version of Derby that runs on Java 17. (markt)$$$Update: Update to Commons Daemon 1.4.0. (markt)$$$Update: Update to Objenesis 3.4. (markt)$$$Update: Update to Checkstyle 10.17.0. (markt)$$$Update: Update to SpotBugs 4.8.5. (markt)$$$Add: Improvements to French translations. (remm)$$$Add: Improvements to Japanese translations by tak7iji. (markt)

Tomcat 9.0.89 Released$$$The Apache Tomcat Project is proud to announce the release of version 9.0.89 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.88 include:$$$$$$Refactor HTTP header parsing to use common parsing code and fix non-blocking reads of chunked request bodies including trailer fields.$$$Add more timescale options to AccessLogValve and ExtendedAccessLogValve.$$$WebDAV locking handling fixes.$$$Full details of these changes; and all the other changes; are available in the Tomcat 9 changelog (https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.89_(remm))

Tomcat 9.0.88 (remm)$$$Catalina$$$Update: Add highConcurrencyStatus attribute to the SemaphoreValve to optionally allow the valve to return an error status code to the client when a permit cannot be acquired from the semaphore. (remm)$$$Add: Add checking of the age of the running Tomcat instance since its build-date to the SecurityListener; and log a warning if the server is old. (schultz)$$$Fix: When using the AsyncContext; throw an IllegalStateException; rather than allowing an NullPointerException; if an attempt is made to use the AsyncContext after it has been recycled. (markt)$$$Fix: Change the thread-safety mechanism for protecting StandardServer.services from a simple synchronized lock to a ReentrantReadWriteLock to allow multiple readers to operate simultaneously. Based upon a suggestion by Markus Wolfe. (schultz)$$$Fix: Improve Service connectors; Container children and Service executors access sync using a ReentrantReadWriteLock. (remm)$$$Fix: Improve handling of integer overflow if an attempt is made to upload a file via the Servlet API and the file is larger than Integer.MAX_VALUE. (markt)$$$Fix: 68862: Handle possible response commit when processing read errors. (remm)$$$Coyote$$$Fix: Add threadsMaxIdleTime attribute to the endpoint; to allow configuring the amount of time before an internal executor will scale back to the configured minSpareThreads size. (remm)$$$Jasper$$$Fix: Handle the case where the JSP engine forwards a request/response to a Servlet that uses an OutputStream rather than a Writer. This was triggering an IllegalStateException on code paths where there was a subsequent attempt to obtain a Writer. (markt)$$$Fix: Correctly handle the case where a tag library is packaged in a JAR file and the web application is deployed as a WAR file rather than an unpacked directory. (markt)$$$Fix: Prevent the web applications ClassLoader from being pinned by the JSP compiler if an application uses a custom XMLInputFactory. Based upon a suggestion from Simon Niederberger. (schultz)$$$Other$$$Update: Update Checkstyle to 10.14.1. (markt)$$$Update: Update the internal fork of Apache Commons BCEL to 6.8.2. (markt)$$$Update: Update the internal fork of Apache Commons Codec to 1.16.1. (markt)$$$Add: Improvements to French translations. (remm)$$$Add: Improvements to Japanese translations by tak7iji. (remm)$$$Add: Improvements to Chinese translations by leeyazhou. (remm)

Catalina$$$Fix: Minor performance improvement for building filter chains. Based on ideas from #702 by Luke Miao. (remm)$$$Fix: Align error handling for Writer and OutputStream. Ensure use of either once the response has been recycled triggers a NullPointerException provided that discardFacades is configured with the default value of true. (markt)$$$Fix: 68692: The standard thread pool implementations that are configured using the Executor element now implement ExecutorService for better support NIO2. (remm)$$$Fix: 68495: When restoring a saved POST request after a successful FORM authentication; ensure that neither the URI; the query string nor the protocol are corrupted when restoring the request body. (markt)$$$Fix: 68721: Workaround a possible cause of duplicate class definitions when using ClassFileTransformers and the transformation of a class also triggers the loading of the same class. (markt)$$$Fix: The rewrite valve should not do a rewrite if the output is identical to the input. (remm)$$$Update: Add a new valveSkip (or VS) rule flag to the rewrite valve to allow skipping over the next valve in the Catalina pipeline. (remm)$$$Coyote$$$Fix: Improve the HTTP/2 stream prioritisation process. If a stream uses all of the connection windows and still has content to write; it will now be added to the backlog immediately rather than waiting until the write attempt for the remaining content. (markt)$$$Jasper$$$Add: Add support for specifying Java 22 (with the value 22) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values; a warning will be logged and the default will used. (markt)$$$Cluster$$$Fix: Avoid updating request count stats on async. (remm)$$$Other$$$Add: Improvements to French translations. (remm)$$$Add: Improvements to Japanese translations by tak7iji. (markt)

Changelog$$$Tomcat 9.0.86 (remm)$$$Catalina$$$Fix: Correct JPMS and OSGi meta-data for tomcat-enbed-core.jar by removing reference to org.apache.catalina.ssi package that is no longer included in the JAR. Based on pull request #684 by Jendrik Johannes. (markt)$$$Fix: Fix ServiceBindingPropertySource so that trailing \r$$$ sequences are correctly removed from files containing property values when configured to do so. Bug identified by Coverity Scan. (markt)$$$Add: Add improvements to the CSRF prevention filter including the ability to skip adding nonces for resource name and subtree URL patterns. (schultz)$$$Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm)$$$Fix: 68089: Further improve the performance of request attribute access for ApplicationHttpRequest and ApplicationRequest. (markt)$$$Fix: 68559: Allow asynchronous error handling to write to the response after an error during asynchronous processing. (markt)$$$Coyote$$$Fix: Make asynchronous error handling more robust. Ensure that once a connection is marked to be closed; further asynchronous processing cannot change that. (markt)$$$Fix: Make asynchronous error handling more robust. Ensure that once the call to AsyncListener.onError() has returned to the container; only container threads can access the AsyncContext. This protects against various race conditions that woudl otherwise occur if application threads continued to access the AsyncContext.$$$Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. In particular; most of the HTTP/2 debug logging has been changed to trace level. (remm)$$$Fix: Add support for user provided SSLContext instances configured on SSLHostConfigCertificate instances. Based on pull request #673 provided by Hakan Altindag. (markt)$$$Fix: Improve the Tomcat Native shutdown process to reduce the likelihood of a JVM crash during Tomcat shutdown. (markt)$$$Fix: Partial fix for 68558: Cache the result of converting to String for request URI; HTTP header names and the request Content-Type value to improve performance by reducing repeated byte[] to String conversions. (markt)$$$Fix: Improve error reporting to HTTP/2 clients for header processing errors by reporting problems at the end of the frame where the error was detected rather than at the end of the headers. (markt)$$$Fix: Remove the remaining reference to a stream once the stream has been recycled. This makes the stream eligible for garbage collection earlier and thereby improves scalability. (markt)$$$Jasper$$$Fix: 68546: Generate optimal size and types for JSP imports maps; as suggested by John Engebretson. (remm)$$$Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm)$$$WebSocket$$$Fix: Correct a regression in the fix for 66508 that could cause an UpgradeProcessor leak in some circumstances. (markt)$$$Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm)$$$Fix: Ensure that WebSocket connection closure completes if the connection is closed when the server side has used the proprietary suspend/resume feature to suspend the connection. (markt)$$$Web applications$$$Add: Add support for responses in JSON format from the examples application RequestHeaderExample. (schultz)$$$Other$$$Update: Update Checkstyle to 10.13.0. (markt)$$$Update: Update JSign to 6.0. (markt)$$$Update: Add strings for debug level messages. (remm)$$$Update: Update Tomcat Native to 1.3.0. (markt)$$$Add: Improvements to French translations. (remm)$$$Add: Improvements to Japanese translations by tak7iji. (markt)

Tomcat 9.0.85 (remm)$$$Catalina$$$Update: 68378: Align extension to MIME type mappings in the global web.xml with those in httpd by adding application/vnd.geogebra.slides for ggs; text/javascript for mjs and audio/ogg for opus. (markt)$$$Coyote$$$Fix: Refactor the VirtualThreadExecutor so that it can be used by the NIO2 connector which was using platform threads even when configured to use virtual threads. (markt)$$$Fix: Correct a regression in the fix for 67675 that broke TLS key file parsing for PKCS#8 format keys that do not specify an explicit pseudo-random function and rely on the default. This typically affects keys generated by OpenSSL 1.0.2. (markt)$$$Fix: Allow multiple operations with the same name on introspected mbeans; fixing a regression caused by the introduction of a second addSslHostConfig method. (remm)$$$Fix: Relax the check that the HTTP Host header is consistent with the host used in the request line; if any; to make the check case insensitive since host names are case insensitive. (markt)$$$Add: 68348: Add support for the partitioned attribute for cookies. (markt)$$$Web Applications$$$Fix: 68035: Additional fix to the Manager application to enable the deployment of a web application located in a Hosts appBase where the web application is specified by a bare (no path) WAR or directory name as shown in the documentation. (markt)$$$Other$$$Update: Update Checkstyle to 10.12.7. (markt)$$$Update: Update SpotBugs to 4.8.3. (markt)$$$Add: Improvements to French translations. (remm)$$$Add: Improvements to Japanese translations by tak7iji. (markt)

Tomcat 9.0.84 (remm)$$$Catalina$$$Fix: Background processes should not be run concurrently with lifecycle oprations of a container. (remm)$$$Fix: Correct unintended escaping of XML in some WebDAV responses. The XML list of support locks when provided in response to a PROPFIND request was incorrectly XML escaped. (markt)$$$Fix: 68227: Ensure that AsyncListener.onComplete() is called if AsyncListener.onError() calls AsyncContext.dispatch(). (markt)$$$Fix: 68228: Use a 408 status code if a read timeout occurs during HTTP request processing. Includes a test case based on code provided by adwsingh. (markt)$$$Jasper$$$Code: 68119: Refactor the CompositeELResolver to improve performance during type conversion operations. (markt)$$$Web Applications$$$Fix: Examples. Improve the error handling so snakes associated with a user that drops from the network are removed from the game. (markt)$$$Other$$$Update: Update UnboundID to 6.0.11. (markt)$$$Update: Update Checkstyle to 10.12.5. (markt)$$$Update: Update SpotBugs to 4.8.2. (markt)$$$Update: Update Derby to 10.17.1. (markt)$$$Add: Improvements to French translations. (remm)$$$Add: Improvements to Japanese translations by tak7iji. (markt)$$$Add: Improvements to Brazilian Portuguese translations by John William Vicente. (markt)$$$Add: Improvements to Russian translations by usmazat and remm. (markt)

Changelog$$$Tomcat 9.0.80 (markt)$$$Catalina$$$Fix: If an application or library sets both a non-500 error code and the javax.servlet.error.exception request attribute; use the provided error code during error page processing rather than assuming an error code of 500. (markt)$$$Fix: Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB. (martk)$$$Fix: Avoid protocol relative redirects in FORM authentication. (markt)$$$Web applications$$$Fix: Documentation. Update documentation to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB. (martk)$$$Other$$$Add: Improvements to Chinese translations. (lihan)$$$Add: Improvements to French translations. (remm)$$$Add: Improvements to Japanese translations by tak7iji. (markt)

Tomcat 9.0.78 (remm)$$$Other$$$Fix: Correct properties for JSign dependency. (rjung)

The Apache Tomcat Project is proud to announce the release of version 9.0.69 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.68 include:$$$$$$Fix concurrency issue in evaluation of expression language containing lambda expressions.$$$Correct the date format used with the expires attribute of HTTP cookies. A single space rather than a single dash should be used to separate the day; month and year components to be compliant with RFC 6265.$$$Full details of these changes; and all the other changes; are available in the https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.69_(remm)

The Apache Tomcat Project is proud to announce the release of version 9.0.69 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.68 include:$$$$$$Fix concurrency issue in evaluation of expression language containing lambda expressions.$$$Correct the date format used with the expires attribute of HTTP cookies. A single space rather than a single dash should be used to separate the day; month and year components to be compliant with RFC 6265.$$$Full details of these changes; and all the other changes; are available in the https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.69_(remm)