The Apache Software Foundation.
Patches for Apache Tomcat 8.5
Windows
7 patches available
Apache Tomcat, also known as Tomcat Server, proves to be a popular choice for web developers building and maintaining dynamic websites and applications based on the Java software platform.
Apache Tomcat 8.5 Version 8.5.100
Release Date: 3/25/2024
Bug Fix? Yes
Minor Release? Yes
Patch Notes

Tomcat 8.5.100 (schultz)

Catalina
- Fix: Align error handling for Writer and OutputStream. Ensure use of either once the response has been recycled triggers a NullPointerException provided that discardFacades is configured with the default value of true.
- Fix: 68495: When restoring a saved POST request after a successful FORM authentication, ensure that neither the URI, the query string nor the protocol are corrupted when restoring the request body. (markt)
- Fix: 68721: Workaround a possible cause of duplicate class definitions when using ClassFileTransformers and the transformation of a class also triggers the loading of the same class. (markt)
- Fix: The rewrite valve should not do a rewrite if the output is identical to the input. (remm)
- Update: Add a new valveSkip (or VS) rule flag to the rewrite valve to allow skipping over the next valve in the Catalina pipeline. (remm)
- Add: Add checking of the age of the running Tomcat instance since its build-date to the SecurityListener, and log a warning if the server is old. (schultz)
- Fix: When using the AsyncContext, throw an IllegalStateException, rather than allowing a NullPointerException, if an attempt is made to use the AsyncContext after it has been recycled. (markt)

Coyote
- Fix: Improve the HTTP/2 stream prioritisation process. If a stream uses all of the connection windows and still has content to write, it will now be added to the backlog immediately rather than waiting until the write attempt for the remaining content. (markt)
- Fix: Correct a regression in the support for user provided SSLContext instances that broke the org.apache.catalina.security.TLSCertificateReloadListener. (markt)

Jasper
- Add: Add support for specifying Java 22 (with the value 22) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will be used. (markt)
- Fix: Handle the case where the JSP engine forwards a request/response to a Servlet that uses an OutputStream rather than a Writer. This was triggering an IllegalStateException on code paths where there was a subsequent attempt to obtain a Writer. (markt)
- Fix: Correctly handle the case where a tag library is packaged in a JAR file and the web application is deployed as a WAR file rather than an unpacked directory. (markt)

Other
- Add: Improvements to French translations. (remm)
- Add: Improvements to Japanese translations by tak7iji. (markt)
- Fix: 57130: Allow digest.(sh|bat) to accept password from a file or stdin. (csutherl/schultz)
- Update: Update Checkstyle to 10.14.1. (markt)
Apache Tomcat 8.5 Version 8.5.99
Release Date: 2/19/2024
Bug Fix? Yes
Minor Release? Yes
Patch Notes

Tomcat 8.5.99 (schultz)

Catalina
- Fix: Fix ServiceBindingPropertySource so that trailing \r\n sequences are correctly removed from files containing property values when configured to do so. Bug identified by Coverity Scan. (markt)
- Add: Add improvements to the CSRF prevention filter including the ability to skip adding nonces for resource name and subtree URL patterns. (schultz)
- Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm)
- Fix: 68089: Further improve the performance of request attribute access for ApplicationHttpRequest and ApplicationRequest. (markt)
- Fix: 68559: Allow asynchronous error handling to write to the response after an error during asynchronous processing. (markt)

Coyote
- Fix: Make asynchronous error handling more robust. Ensure that once a connection is marked to be closed, further asynchronous processing cannot change that. (markt)
- Fix: Make asynchronous error handling more robust. Ensure that once the call to AsyncListener.onError() has returned to the container, only container threads can access the AsyncContext. This protects against various race conditions that would otherwise occur if application threads continued to access the AsyncContext.
- Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. In particular, most of the HTTP/2 debug logging has been changed to trace level. (remm)
- Fix: Add support for user provided SSLContext instances configured on SSLHostConfigCertificate instances. Based on pull request #673 provided by Hakan Altindag. (markt)
- Fix: Improve the Tomcat Native shutdown process to reduce the likelihood of a JVM crash during Tomcat shutdown. (markt)
- Fix: Partial fix for 68558: Cache the result of converting to String for request URI, HTTP header names and the request Content-Type value to improve performance by reducing repeated byte[] to String conversions. (markt)
- Fix: Improve error reporting to HTTP/2 clients for header processing errors by reporting problems at the end of the frame where the error was detected rather than at the end of the headers. (markt)
- Fix: Remove the remaining reference to a stream once the stream has been recycled. This makes the stream eligible for garbage collection earlier and thereby improves scalability. (markt)

Jasper
- Fix: 68546: Generate optimal size and types for JSP imports maps, as suggested by John Engebretson. (remm)
- Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm)

WebSocket
- Fix: Correct a regression in the fix for 66508 that could cause an UpgradeProcessor leak in some circumstances. (markt)
- Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm)
- Fix: Ensure that WebSocket connection closure completes if the connection is closed when the server side has used the proprietary suspend/resume feature to suspend the connection. (markt)

Web applications
- Add: Add support for responses in JSON format from the examples application RequestHeaderExample. (schultz)

Other
- Update: Update Checkstyle to 10.13.0. (markt)
- Update: Update JSign to 6.0. (markt)
- Update: Add strings for debug level messages. (remm)
- Add: Improvements to French translations. (remm)
- Add: Improvements to Japanese translations by tak7iji. (markt)
Apache Tomcat 8.5 Version 8.5.98
Release Date: 1/5/2024
Bug Fix? Yes
Minor Release? Yes
Patch Notes

Tomcat 8.5.98 (schultz)

Catalina
- Update: 68378: Align extension to MIME type mappings in the global web.xml with those in httpd by adding application/vnd.geogebra.slides for ggs, text/javascript for mjs and audio/ogg for opus. (markt)

Coyote
- Fix: Refactor the VirtualThreadExecutor so that it can be used by the NIO2 connector which was using platform threads even when configured to use virtual threads. (markt)
- Fix: Correct a regression in the fix for 67675 that broke TLS key file parsing for PKCS#8 format keys that do not specify an explicit pseudo-random function and rely on the default. This typically affects keys generated by OpenSSL 1.0.2. (markt)
- Fix: Allow multiple operations with the same name on introspected mbeans, fixing a regression caused by the introduction of a second addSslHostConfig method. (remm)
- Fix: Relax the check that the HTTP Host header is consistent with the host used in the request line, if any, to make the check case insensitive since host names are case insensitive. (markt)
- Add: 68348: Add support for the partitioned attribute for cookies. (markt)

Other
- Update: Update Checkstyle to 10.12.7. (markt)
- Update: Update SpotBugs to 4.8.3. (markt)
- Add: Improvements to French translations. (remm)
- Add: Improvements to Japanese translations by tak7iji. (markt)
Apache Tomcat 8.5 Version 8.5.97
Release Date: 12/12/2023
Bug Fix? Yes
Minor Release? Yes
Patch Notes

Tomcat 8.5.97 (schultz)

Catalina
- Fix: Background processes should not be run concurrently with lifecycle operations of a container. (remm)
- Fix: Correct unintended escaping of XML in some WebDAV responses. The XML list of support locks when provided in response to a PROPFIND request was incorrectly XML escaped. (markt)
- Fix: 68227: Ensure that AsyncListener.onComplete() is called if AsyncListener.onError() calls AsyncContext.dispatch(). (markt)
- Fix: 68228: Use a 408 status code if a read timeout occurs during HTTP request processing. Includes a test case based on code provided by adwsingh. (markt)

Jasper
- Code: 68119: Refactor the CompositeELResolver to improve performance during type conversion operations. (markt)

Web Applications
- Fix: Examples. Improve the error handling so snakes associated with a user that drops from the network are removed from the game. (markt)

Other
- Update: Update UnboundID to 6.0.11. (markt)
- Update: Update Checkstyle to 10.12.5. (markt)
- Update: Update SpotBugs to 4.8.2. (markt)
- Add: Improvements to French translations. (remm)
- Add: Improvements to Japanese translations by tak7iji. (markt)
- Add: Improvements to Russian translations by usmazat and remm. (markt)
Apache Tomcat 8.5 Version 8.5.93
Release Date: 8/23/2023
Bug Fix? Yes
Minor Release? Yes
Patch Notes

Tomcat 8.5.93 (markt)

Catalina
- Fix: If an application or library sets both a non-500 error code and the javax.servlet.error.exception request attribute, use the provided error code during error page processing rather than assuming an error code of 500. (markt)
- Fix: Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB. (martk)
- Fix: Avoid protocol relative redirects in FORM authentication. (markt)

Web applications
- Fix: Documentation. Update documentation to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB. (martk)

Other
- Add: Improvements to Chinese translations. (lihan)
- Add: Improvements to French translations. (remm)
- Add: Improvements to Japanese translations by tak7iji. (markt)
Apache Tomcat 8.5 Version 8.5.91
Release Date: 7/10/2023
Bug Fix? Yes
Minor Release? Yes
Patch Notes

Tomcat 8.5.91 (schultz)

Catalina
- Add: 59232: Add org.apache.catalina.core.ContextNamingInfoListener, a listener which creates context naming information environment entries. (michaelo)
- Add: 66665: Add org.apache.catalina.core.PropertiesRoleMappingListener, a listener which populates the contexts role mapping from a properties file. (michaelo)
- Fix: Fix an edge case where intra-web application symlinks would be followed if the web applications were deliberately crafted to allow it even when allowLinking was set to false. (markt)
- Fix: Make parsing of ExtendedAccessLogValve patterns more robust. (markt)

Coyote
- Fix: 66627: Restore the documented behaviour of MessageBytes.getType() that it returns the type of the original content rather than reflecting the most recent conversion. (markt)
- Fix: 66635: Correct certificate logging on start-up so it differentiates between keystore based keys/certificates and PEM file based keys/certificates and logs the relevant information for each. (markt)
- Fix: Refactor blocking reads and writes for the NIO connector to remove code paths that could allow a notification from the Poller to be missed resulting in a timeout rather than the expected read or write. (markt)
- Fix: Refactor waiting for an HTTP/2 stream or connection window update to handle spurious wake-ups during the wait. (markt)

WebSocket
- Fix: Improve handling of error conditions for the WebSocket server, particularly during Tomcat shutdown. (markt)
- Fix: Correct a regression in the fix for 66574 that meant the WebSocket session could return false for onOpen() before the onClose() event had been completed. (markt)

Web applications
- Add: Documentation. Expand the security guidance to cover the embedded use case and add notes on the uses made of the java.io.tmpdir system property. (markt)
- Fix: 66662: Documentation. Fix a typo in the name of the algorithms attribute in the configuration section for the Digest authentication valve. Pull request #629 provided by gohilmca. (markt)

Other
- Add: Include the Windows specific binary distributions in the files uploaded to Maven Central. (markt)
- Add: Improvements to French translations. (remm)
- Add: Improvements to Japanese translations. Contributed by tak7iji. (markt)
- Update: Update UnboundID to 6.0.9. (markt)
- Update: Update Checkstyle to 10.12.1. (markt)
- Update: Update JSign to 5.0. (markt/rjung)
Apache Tomcat 8.5 Version 8.5.89
Release Date: 5/19/2023
Bug Fix? Yes
Minor Release? Yes
Patch Notes

Tomcat 8.5.89 (schultz)

Catalina
- Fix: 66567: Fix missing IllegalArgumentException after the Tomcat code was converted to using URI instead of URL. (remm)
- Fix: Escape timestamp output in AccessLogValve if a SimpleDateFormat is used which contains verbatim characters that need escaping. (rjung)
- Update: Change output of vertical tab in AccessLogValve from \v to \u000b. (rjung)
- Update: Improve performance of escaping in AccessLogValve roughly by a factor of two. (rjung)
- Update: Improve JsonAccessLogValve: support more patterns like for headers and attributes. Those will be logged as sub objects. (rjung)
- Fix: #613: Fix possible partial corrupted file copies when using file locking protection or the manager servlet. Submitted by Jack Shirazi. (remm)
- Add: Add RateLimitFilter which can be used to mitigate DoS and Brute Force attacks. (isapir)

Coyote
- Add: Add support for a new character set, gb18030-2022 - introduced in Java 21, to the character set caching mechanism. (markt)
- Code: The default for the HTTP Connector attribute allowHostHeaderMismatch has been changed from true to false to harden the default configuration. (markt)
- Code: The default for the HTTP Connector attribute rejectIllegalHeader has been changed from false to true to harden the default configuration. (markt)
- Fix: Fix an edge case in HTTP header parsing and ensure that HTTP headers without names are treated as invalid. (markt)
- Update: Deprecate the HTTP Connector settings rejectIllegalHeader and allowHostHeaderMismatch as they have been removed in Tomcat 11 onwards. (markt)
- Fix: 66591: Fix a regression introduced in the fix for 66512 that meant that an AJP Send Headers was not sent for responses where no HTTP headers were set. (markt)

Jasper
- Fix: 66582: Account for EL having stricter requirements for static imports than JSPs when adding JSP static imports to the EL context. (markt)

WebSocket
- Fix: 66574: Refactor WebSocket session close to remove the lock on the SocketWrapper which was a potential cause of deadlocks if the application code used simulated blocking. (markt)
- Fix: 66575: Avoid unchecked use of the backing array of a buffer provided by the user in the compression transformation. (remm)
- Fix: Improve exception handling when flushing batched messages during WebSocket session close. (markt)
- Fix: 66581: Update AsyncChannelGroupUtil to align it with the current defaults for AsynchronousChannelGroup. Pull request #612 by Matthew Painter. (markt)

Other
- Add: Improvements to French translations. (remm)
- Add: Improvements to Chinese translations. (lihan)
- Update: Update Checkstyle to 10.10.0. (markt)
- Update: Update Jacoco to 0.8.10. (markt)