The Apache Software Foundation.
Patches for Apache Tomcat 11 x64
Windows
8 patches available
Apache Tomcat, also known as Tomcat Server, proves to be a popular choice for web developers building and maintaining dynamic websites and applications based on the Java software platform.
Apache Tomcat 11 x64 Version 11.0.9
Release Date
7/4/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Changelog
Tomcat 11.0.9 (markt)

Catalina
Fix: Ensure application configured welcome files override the defaults when configuring an embedded web application programmatically. (markt)
Update: Optimize Request#getCharsetHolder to avoid repeated parsing when charset is null. Patch provided by morning-gu. (schultz)
Fix: Allow the default servlet to set the content length when the content length is known, no content has been written and a Writer is being used. (markt)
Fix: 69717: Correct a regression in the fix for CVE-2025-49125 that prevented access to PreResources and PostResources when mounted below the web application root with a path that was terminated with a file separator. (remm/markt)
Fix: 69731: Fix an issue that meant that the value of maxParameterCount applied was smaller than intended for multipart uploads with non-file parts when the parts were processed before query string parameters. (markt)
Fix: Align size tracking for multipart requests with FileUpload's use of long. (schultz)

Coyote
Fix: 69710: Increase the default for maxPartCount from 10 to 50. Update the documentation to provide more details on the memory requirements to support multi-part uploads while avoiding a denial of service risk. (markt)
Fix: 69713: Correctly handle an HTTP/2 data frame that includes padding when the headers include a content-length. (remm/markt)
Fix: Correctly collect statistics for HTTP/2 requests and avoid counting one request multiple times. Based on pull request #868 by qingdaoheze. (markt)
Fix: Fix JMX value for keepAliveCount on the endpoint. Also add the value of useVirtualThreads in JMX. (remm)
Fix: 69728: Remove incorrect warning when HTTP/2 is used with optional certificate verification and improve the warnings when a web application tries to use CLIENT-CERT with either HTTP/2 or a JSSE implementation of TLS 1.3. (markt)
Fix: When setting the initial HTTP/2 connection limit, apply those limits earlier. (markt)

Jasper
Code: Remove IMPL_OBJ_START from EL grammar for IDENTIFIER. (markt)
Code: Remove the INSTANCEOF and FUNCTIONSUFFIX definitions from the EL grammar as both are unused. (markt)

Web applications
Add: Documentation. Provide more explicit guidance regarding the security considerations for enabling write access to the web application via WebDAV, HTTP PUT requests or similar. (markt)
Add: Documentation. Add a section on reverse proxies to the security considerations page. (markt)

Other
Update: Update to the Eclipse JDT compiler 4.36. (markt)
Update: Update UnboundID to 7.0.3. (markt)
Update: Update Checkstyle to 10.25.1. (markt)
Update: Improvements to French translations. (remm)
Update: Improvements to Japanese translations provided by tak7iji. (markt)
Apache Tomcat 11 x64 Version 11.0.8
Release Date
6/5/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Tomcat 11.0.8 (markt)

Catalina
Fix: Add support for the java:module namespace which mirrors the java:comp namespace. (markt)
Fix: 69690: Calling HttpServletRequest.getParameter() and related methods for a request with content type multipart/form-data when the mapped servlet does not have a @MultipartConfig or equivalent should not trigger an exception. Note that calling getPart() or getParts() in these circumstances will trigger an exception. (markt)
Fix: Support parsing of multiple path parameters separated by ; in a single URL segment. Based on pull request #860 by Chenjp. (markt)
Fix: 69699: Encode redirect URL used by the rewrite valve with the session id if appropriate, and handle cross context with different session configuration when using rewrite. (remm)
Add: #863: Add support for comments at the end of lines in text rewrite map files to align behaviour with Apache httpd. Pull request provided by Chenjp. (markt)
Fix: 69706: Fix saved request serialization issue in FORM introduced when allowing infinite session timeouts. (remm)
Fix: Expand the path checks for Pre-Resources and Post-Resources mounted at a path within the web application. (markt)
Apache Tomcat 11 x64 Version 11.0.7
Release Date
5/13/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Tomcat 11.0.7 (markt)

Catalina
Fix: Process possible path parameters rewrite production in the rewrite valve. (remm)
Add: 69588: Enable allowLinking to be set on PreResources, JarResources and PostResources. If not set explicitly, the setting will be inherited from the Resources. (markt)
Fix: 69633: Add support for Filters using context root mappings. (markt)
Fix: 69643: Optimize directory listing for large amount of files. Patch submitted by Loic de l'Eprevier. (remm)
Fix: #843: Fix off by one validation logic for partial PUT ranges and associated test case. Submitted by Chenjp. (remm)
Code: Refactor CGI servlet to access resources via the WebResource API. (markt)
Fix: 69662: Report name in exception message when a naming lookup failure occurs. Based on code submitted by Donald Smith. (remm)
Fix: Ensure that the FORM authentication attribute authenticationSessionTimeout works correctly when sessions have an infinite timeout when authentication starts. (markt)
Add: Provide a content type based on file extension when web application resources are accessed via a URL. (markt)

Jasper
Fix: 69635: Add support to jakarta.el.ImportHandler for resolving inner classes. (markt)
Add: #842: Add support for optimized execution of c:set and c:remove tags, when activated via JSP servlet param useNonstandardTagOptimizations. (jengebr)
Fix: Fix an edge case compilation bug for JSP and tag files on case insensitive file systems that was exposed by the test case for 69635. (markt)

Web applications
Fix: 68876: Documentation. Update the UML diagrams for server start-up, request processing and authentication using PlantUML and include the source files for each diagram. (markt)

Other
Update: Update Jacoco to 0.8.13. (remm)
Add: Explicitly set the locale to be used for Javadoc. For official releases, this locale will be English (US) to support reproducible builds. (schultz)
Update: Update Byte Buddy to 1.17.5. (markt)
Update: Update Checkstyle to 10.23.1. (markt)
Update: Update file extension to media type mappings to align with the current list used by the Apache Web Server (httpd). (markt)
Update: Improvements to French translations. (remm)
Update: Improvements to Japanese translations provided by tak7iji. (markt)
Apache Tomcat 11 x64 Version 11.0.6
Release Date
4/9/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

The notable changes in this release are:

Remove the requirement that an MD5 implementation must be provided by JRE.
Improve the handling of %nn URL encoding in the RewriteValve
Various improvements to the JsonErrorReportValve

Full details of these changes, and all the other changes, are available in the Tomcat 11 changelog - https://tomcat.apache.org/tomcat-11.0-doc/changelog.html#Tomcat_11.0.6_(markt)
Apache Tomcat 11 x64 Version 11.0.5
Release Date
3/5/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Tomcat 11.0.5 (markt)

Catalina
Fix: When looking up class loader resources by resource name, the resource name should not start with /. If the resource name does start with /, Tomcat is lenient and looks it up as if the / was not present. When the web application class loader was configured with external repositories and names starting with / were used for lookups, it was possible that cached not found results could effectively hide lookup results using the correct resource name. (markt)
Fix: Enable the JNDIRealm to validate credentials provided to HttpServletRequest.login(String username, String password) when the realm is configured to use GSSAPI authentication. (markt)
Fix: Improve the checks for exposure to and protection against CVE-2024-56337 so that reflection is not used unless required. The checks for whether the file system is case sensitive or not have been removed. (markt)
Fix: Fix a bug in the JRE compatibility detection that incorrectly identified Java 19 and Java 20 as supporting Java 21 features. (markt)
Add: Add support for logging the connection ID (as returned by ServletRequest.getServletConnection().getConnectionId()) with the AccessLogValve and ExtendedAccessLogValve. Based on pull request #814 by Dmole. (markt)
Fix: Avoid scenarios where temporary files used for partial PUT would not be deleted. (remm)
Apache Tomcat 11 x64 Version 11.0.4
Release Date
2/17/2025
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Tomcat 11.0.4 (markt)

Catalina
Fix: 69576: Avoid possible failure initializing JreCompat due to uncaught exception introduced for the check for CVE-2024-56337. (remm)

Other
Add: Add org.apache.juli.JsonFormatter to format log as one line JSON documents. (remm)
Apache Tomcat 11 x64 Version 11.0.2
Release Date
12/8/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Tomcat 11.0.2 Released
The Apache Tomcat Project is proud to announce the release of version 11.0.2 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 11 platform.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

The notable changes in this release are:

Add strong ETag support for the WebDAV and default servlet, which can be enabled by using the useStrongETags init parameter with a value set to true. The ETag generated will be a SHA-1 checksum of the resource content.
Add support for RateLimit header fields for HTTP (RFC draft) in the RateLimitFilter. Based on pull request #775 provided by Chenjp.
Update Tomcat's fork of Commons DBCP to 2.13.0.
Apache Tomcat 11 x64 Version 11.0.1
Release Date
11/10/2024
Bug Fix?
Yes
Minor Release?
Yes
Patch Notes

Tomcat 11.0.1 Released
The Apache Tomcat Project is proud to announce the release of version 11.0.1 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 11 platform.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

The notable changes in this release are:

Fix a regression caused by the improvement 69333 which caused the tag release to be called when using tag pooling, and to be skipped when not using it. Patch submitted by Michal Sobkiewicz.
Further WebDAV fixes and improvements.
Restore providing a value (rather than null) for Class.getProtectionDomain().getCodeSource().getLocation() as a number of libraries and JRE features depend on this being non-null even when a SecurityManager is not in use.

Full details of these changes, and all the other changes, are available in the Tomcat 11 changelog.
Apache Tomcat 11 x64 Version 11.0.0
Release Date
10/9/2024
Bug Fix?
No
Minor Release?
Yes
Patch Notes

2024-10-09 Tomcat 11.0.0 Released
The Apache Tomcat Project is proud to announce the release of version 11.0.0 of Apache Tomcat. This release is targeted at Jakarta EE 11.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

The notable changes in this release are:

Multiple fixes and improvements for WebDAV
Improvements to the recently added request/response recycling for HTTP/2
Improve the stability of Tomcat Native during GC

Full details of these changes, and all the other changes, are available in the Tomcat 11 changelog.