  1. Sakai
  2. SAK-45494

Update Apache Tomcat 9.0.46



    • Type: Bug
    • Status: RESOLVED
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 21.0
    • Fix Version/s: 22.0 [Tentative]
    • Component/s: Master
    • Labels:


      Tomcat 9.0.46 (markt)


      •  Allow APR connector creation using the listener with the flag and the default HTTP/1.1 protocol. (rjung/remm)
      •  Expand coverage of unit tests for JNDIRealm using the UnboundID LDAP SDK for Java. (markt)
      •  65224: Ensure the correct escaping of attribute values and search filters in the JNDIRealm. (markt)
      •  65235: Add missing attributes to the MBean descriptor file for the RemoteIpValve. (markt)
      •  65244: HandlesTypes should include classes that use the specified annotation types on fields or methods. (remm)
      •  65251: Correct a regression introduced in 9.0.44 that meant that the auto-deployment process may attempt a second, concurrent deployment of a web application that is being deployed by the Manager resulting in one of the deployments failing and errors being reported. (markt)


      •  Ensure that all HTTP requests that contain an invalid character in the protocol component of the request line are rejected with a 400 response rather than some requests being rejected with a 505 response. (markt)
      •  When generating the error message for an HTTP request with an invalid request line, ensure that all the available data is included in the error message. (markt)
      •  65272: Restore the optional HTTP feature that allows LF to be treated as a line terminator for the request line and/or HTTP header lines as well as the standard CRLF. This behaviour was previously removed as a side-effect of the fix for CVE-2020-1935. (markt)


      •  Review code used to generate Java source from JSPs and tags and remove code found to be unnecessary. (markt)
      •  <servlet> entries in web.xml that include a <jsp-file> element and a negative <load-on-startup> element that is not the default value of -1 will no longer be loaded at start-up. This makes it possible to define a <jsp-file> that will not be loaded at start-up. (markt)
      •  Allow the JSP configuration option useInstanceManagerForTags to be used with Tags that are implemented as inner classes. (markt)


      •  Refactor the way Tomcat passes path parameters to POJO end points to simplify the code. (markt)
      •  65262: Refactor the creation of WebSocket end point, decoder and encoder instances to be more IoC friendly. Instances are now created via the InstanceManager where possible. (markt)

        Web applications

      •  65235: Correct name of changeLocalName in the documentation for the RemoteIpValve. (markt)
      •  65265: Avoid getting the boot classpath when it is not available in the Manager diagnostics. (remm)


      •  Create OSGi Require-Capability sections in manifests for Jakarta API JARs manually rather than via the aQute.bnd.annotation.spi.ServiceConsumer annotation as this triggers TCK failures for downstream consumers of the API JARs. (markt)
      •  Update the packaged version of the Tomcat Native Library to 1.2.28. (markt)
      •  Update the OWB module to Apache OpenWebBeans 2.0.22. (remm)
      •  Update the CXF module to Apache CXF 3.4.3. (remm)
      •  Move SystemPropertySource to be a regular class to allow more precise configuration if needed. The system property source will still always be enabled. (remm)
      •  Improvements to Chinese translations. Provided by bytesgo. (mark)
      •  Improvements to French translations. (remm)
      •  Improvements to Korean translations. (woonsan)






                dhorwitz David Horwitz