================================================================================
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
================================================================================
$Id$

                         =================================
                         Apache Tomcat 5.5 Patch Proposals
                         =================================

PATCHES PROPOSED TO BACKPORT:
  [ New proposals should be added at the end of the list ]

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=38743
  Warn if the user tries to set an invalid property.
  Port of http://svn.apache.org/viewvc?view=rev&revision=565464
  http://people.apache.org/~markt/patches/2009-07-02-bug38743.patch
  +1: markt
   0: fhanik - big step for an old branch, could be risky, I'd wait until
      after next release if we consider it
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=39231
  It is an updated version of Mark's patch, where the new method in JAASRealm
  calls the old one.
  http://people.apache.org/~kkolinko/patches/2009-11-02_bug39231.patch
  +1: kkolinko, markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=39844
  Port r588477 (fix for #43668) by billbarker that corrected this for Tomcat 6
  http://people.apache.org/~markt/patches/2009-07-11-bug39844.patch
  +1: markt, kkolinko
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=43327
  Port from 6.0.x
  Required to investigate 39997
  http://people.apache.org/~markt/patches/2009-07-12-apr-ipv6.patch
  +1: markt, kkolinko
  -1:
  kkolinko: This patch is a backport of rev.697046
   A comment in STATUS.txt there ([1]) says "use trunk >=r690600 of TC-native",
   thus it requires TC-native 1.1.15 or .16.
   Do we need to update REQUIRED_PATCH, RECOMMENDED_PV in AprLifecycleListener?
   [1] http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?r1=697046&r2=697045&pathrev=697046
  markt: We should update recommended.

* Minor cleanups for AccessLogValve classes
  Reuses StringBuffer, uses char instead of single-char String, etc.
  http://people.apache.org/~kkolinko/patches/2009-07-15_tc55_ALV.patch
  http://people.apache.org/~kkolinko/patches/2009-07-15_tc55_FCALV.patch
  +1: kkolinko
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=42390
  Fix compilation error with some nested tag files and simple tags
  This is Konstantin's original patch
  Concerns were raised regarding possible regressions. I have tested tag files,
  simple tags and tags and can't find any regression issues. The TCK also
  passes.
  http://svn.apache.org/viewvc?rev=804734&view=rev
  +1: markt, kkolinko
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=44041
  Threading issue in classloading.
  Adds a sync so please check performance
  http://svn.apache.org/viewvc?rev=805182&view=rev
  +1: markt
  -1:

* Fix regression in fix for
  https://issues.apache.org/bugzilla/show_bug.cgi?id=38797
  http://svn.apache.org/viewvc?rev=809131&view=rev
  +1: markt, kkolinko, mturk
  -1:

* Port r795052 from modules/ha to modules/cluster
  Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=40551
  Enable the JvmRouteBinderValve to work with PersistentManagers as well as
  clusters
  Patch by Chris Chandler
  http://svn.apache.org/viewvc?rev=795052&view=rev
  This has already been applied to OACC:
  http://svn.apache.org/viewvc?rev=812446&view=rev
  +1: rjung, markt, mturk
  -1:

* Spurious startup errors in the cluster
  Although the secondary node is able to retrieve all sessions,
  the main thread doesn't see the changed stateTransfered flag,
  and thus waits until the transfer timeout occurs.
  Observed on Solaris. Switching to volatile fixes it.
  Backport from trunk:
  http://svn.apache.org/viewvc?rev=814024&view=rev
  Need to patch both copies of DeltaManager (ha and cluster).
  +1: rjung, markt, mturk
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=46384
  Correct synchronisation problem that leads to cluster members permanently
  disappearing
  https://issues.apache.org/bugzilla/attachment.cgi?id=24253
  +1: markt, rjung, kkolinko
  -1:
  rjung: the same fix seems to be necessary for
   container/modules/groupcom/src/share/org/apache/catalina/tribes/membership/McastServiceImpl.java
   (plus another use of the mutex also in receive() around
   membership.removeMember(m)).
  kkolinko: re rjung's comment: Those /tribes/membership/ classes are not
   included in TC 5.5 releases. Thus no need to patch them. I wonder if those
   can be removed from /tc5.5.x/trunk, but I actually do not mind.

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=46950
  Adds support for SSL renegotiation when CLIENT-CERT auth is required due to a
  security constraint
  Note: Patch cannot be applied until tc-native 1.1.17 has been released since
        it depends on a new native method
  http://svn.apache.org/viewvc?rev=815418&view=rev
  +1: markt, mturk
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47878
  Return 404's rather than a permanent 500 if a JSP is deleted
  http://svn.apache.org/viewvc?view=rev&revision=439565
  +1: markt
  -1:

* Fix cluster replication problem for o.a.c.ha: session expiration uses
  a replication shortcut, so that attributes changed immediately before
  invalidation do not get replicated before the expiration replication message.
  That's a problem in case a session listener needs the changed attribute.
  Has already been fixed in trunk, OACC and tc5.5.x (only in o.a.c.cluster).
  http://svn.apache.org/viewvc?rev=818062&view=rev (trunk)
  +1: rjung, markt, mturk
  -1:

* Refix https://issues.apache.org/bugzilla/show_bug.cgi?id=37848
  Don't output info messages when there is no terminal
  http://svn.apache.org/viewvc?rev=828225&view=rev
  +1: markt, kkolinko, mturk
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48097
  There are two patches to be applied:
  1) Make WebappClassLoader not swallow AccessControlException
     http://svn.apache.org/viewvc?rev=831828&view=rev
     +1: kkolinko, markt
     -1:
  2) Add a new PrivilegedAction.
     Patch by markt
     http://svn.apache.org/viewvc?rev=834080&view=rev
     +1: kkolinko, markt
     -1:

* Include root cause exception into the one produced by
  ApplicationContextFacade#doPrivileged()
  http://svn.apache.org/viewvc?rev=831819&view=rev
  +1: kkolinko, markt
  -1:

* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=46950
  Adds support for SSL renegotiation when CLIENT-CERT auth is required due to a
  security constraint
  Backport of http://svn.apache.org/viewvc?rev=832222&view=rev
  http://people.apache.org/~rjung/patches/tc5.5.x-backport-BZ46950-r815418-20091102.patch
  +1: rjung, markt, mturk
  -1:

* Fix CVE-2009-3548 - Windows installer uses insecure default password
  http://svn.apache.org/viewvc?rev=834047&view=rev
  +1: markt, mturk
  -1:
  kkolinko: It cannot be applied cleanly, because manager and host-manager
   are at different paths in TC5.5.

  Alternative patch:
  Fix CVE-2009-3548 - Windows installer uses insecure default password
  Also removes some old commented-out code and changes some message strings.
  This patch file is a backport of revs. 834047, 836036, 836045, 836209
  http://people.apache.org/~kkolinko/patches/2009-11-14_Installer_password_tc55.patch
  +1: kkolinko
  -1:

* Disable TLS renegotiation by default with an option to re-enable it
  Based on Costin's patch for trunk with Mark's modifications
  http://people.apache.org/~markt/patches/2009-11-10-cve-2009-3555-tc5.patch
  +1: markt, mturk, kkolinko
  -1:

* Align server.xml installed by .exe installer with the one bundled in
  zip/tgz archives
  http://people.apache.org/~kkolinko/patches/2009-11-15_Installer_serverxml_tc55.patch
  +1: kkolinko
  -1: