changelog.xml

<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!DOCTYPE document [
  <!ENTITY project SYSTEM "project.xml">

  <!-- DTD is used to validate changelog structure at build time. BZ 64931. -->

  <!ELEMENT document (project?, properties, body)>
  <!ATTLIST document url CDATA #REQUIRED>

  <!-- body and title are used both in project.xml and in this document -->
  <!ELEMENT body ANY>
  <!ELEMENT title (#PCDATA)>

  <!-- Elements of project.xml -->
  <!ELEMENT project (title, logo, body)>
  <!ATTLIST project name CDATA #REQUIRED>
  <!ATTLIST project href CDATA #REQUIRED>

  <!ELEMENT logo (#PCDATA)>
  <!ATTLIST logo href CDATA #REQUIRED>

  <!ELEMENT menu (item+)>
  <!ATTLIST menu name CDATA #REQUIRED>

  <!ELEMENT item EMPTY>
  <!ATTLIST item name CDATA #REQUIRED>
  <!ATTLIST item href CDATA #REQUIRED>

  <!-- Elements of this document -->
  <!ELEMENT properties (author*, title, no-comments) >
  <!ELEMENT author (#PCDATA)>
  <!ATTLIST author email CDATA #IMPLIED>
  <!ELEMENT no-comments EMPTY>

  <!ELEMENT section (subsection)*>
  <!ATTLIST section name CDATA #REQUIRED>
  <!ATTLIST section rtext CDATA #IMPLIED>

  <!ELEMENT subsection (changelog+)>
  <!ATTLIST subsection name CDATA #REQUIRED>

  <!ELEMENT changelog (add|update|fix|scode|docs|design)*>
  <!ELEMENT add ANY>
  <!ELEMENT update ANY>
  <!ELEMENT fix ANY>
  <!ELEMENT scode ANY>
  <!ELEMENT docs ANY>
  <!ELEMENT design ANY>

  <!ELEMENT bug (#PCDATA)>
  <!ELEMENT rev (#PCDATA)>
  <!ELEMENT pr (#PCDATA)>

  <!-- Random HTML markup tags. Add more here as needed. -->
  <!ELEMENT a (#PCDATA)>
  <!ATTLIST a href CDATA #REQUIRED>
  <!ATTLIST a rel CDATA #IMPLIED>

  <!ELEMENT b (#PCDATA)>
  <!ELEMENT code (#PCDATA)>
  <!ELEMENT em (#PCDATA)>
  <!ELEMENT strong (#PCDATA)>
  <!ELEMENT tt (#PCDATA)>
]>
<?xml-stylesheet type="text/xsl" href="tomcat-docs.xsl"?>
<document url="changelog.html">

  &project;

  <properties>
    <title>Changelog</title>
    <no-comments />
  </properties>

<body>
<!--
  Subsection ordering:
  General, Catalina, Coyote, Jasper, Cluster, WebSocket, Web applications,
  Extras, Tribes, jdbc-pool, Other

  Item Ordering:

  Fixes having an issue number are sorted by their number, ascending.

  There is no ordering by add/update/fix/scode/docs/design.

  Other fixed issues are added to the end of the list, chronologically.
  They eventually become mixed with the numbered issues (i.e., numbered
  issues do not "pop up" wrt. others).
-->
<section name="Tomcat 11.0.0-M20 (markt)" rtext="in development">
  <subsection name="Catalina">
    <changelog>
      <update>
        Deprecate and remove <code>sessionCounter</code> (replaced by the
        addition of the active session count and the expired session count,
        as a reasonable approximation) and <code>duplicates</code> (which
        does not represent a possible event in current implementations)
        statistics from the session manager. (remm)
      </update>
      <fix>
        <bug>68890</bug> Align output encoding of JSPs in the Manager webapp
        with the XML declarations in those same files. (schultz)
      </fix>
      <fix>
        Update Basic authentication to implement the requirements of RFC 7617
        including the removal of the <code>trimCredentials</code> setting which
        is now hard-coded to <code>false</code>. (markt)
      </fix>
      <add>
        Small performance optimization when logging cookies with no values.
        (schultz)
      </add>
      <fix>
        Correct error handling for asynchronous requests. If the application
        performs an dispatch during <code>AsyncListener.onError()</code> the
        dispatch is now performed rather than completing the request using the
        error page mechanism. (markt)
      </fix>
      <add>
        Re-factor ElapsedTimeElement in AbstractAccessLogValve to use a customizable
        style. (schultz)
      </add>
      <add>
        Add more timescale options to AccessLogValve and ExtendedAccessLogValve.
        Allow timescales to apply to "time-taken" token in ExtendedAccessLogValve.
        (schultz)
      </add>
      <fix>
        Fix WebDAV lock null (locks for non existing resources) thread safety
        and removal. (remm)
      </fix>
      <fix>
        Add periodic checking for WebDAV locks expiration. (remm)
      </fix>
      <fix>
        Extend <code>Asn1Parser</code> to parse <code>UTF8String</code>s. (michaelo)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        Add OpenSSL FFM classes to <code>tomcat-embed-core.jar</code>. (remm)
      </fix>
      <fix>
        Align non-secure and secure writes with NIO and skip the write attempt
        when there are no bytes to be written. (markt)
      </fix>
      <fix>
        Allow any positive value for <code>socket.unlockTimeout</code>. If a
        negative or zero value is configured, the default of <code>250ms</code>
        will be used. (mark)
      </fix>
      <fix>
        Reduce the time spent waiting for the connector to unlock. The previous
        default of 10s was noticeably too long for cases where the unlock has
        failed. The wait time is now 100ms plus twice
        <code>socket.unlockTimeout</code>. (markt)
      </fix>
      <fix>
        Ensure that the <code>onAllDataRead()</code> event is triggered when the
        request body uses chunked encoding and is read using non-blocking IO.
        (markt)
      </fix>
      <fix>
        <bug>68934</bug>: Add debug logging in the latch object when exceeding
        <code>maxConnections</code>. (remm)
      </fix>
      <fix>
        Refactor trailer field handling to use a <code>MimeHeaders</code>
        instance to store trailer fields. (markt)
      </fix>
      <fix>
        Ensure that multiple instances of the same trailer field are handled
        correctly. (markt)
      </fix>
      <fix>
        Fix non-blocking reads of chunked request bodies. (markt)
      </fix>
      <scode>
        Refactor HTTP header parsing to use common parsing code. (markt)
      </scode>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <add>
        Add support for specifying Java 23 (with the value <code>23</code>) as
        the compiler source and/or compiler target for JSP compilation. If used
        with an Eclipse JDT compiler version that does not support these values,
        a warning will be logged and the default will used.
        (markt)
      </add>
    </changelog>
  </subsection>
  <subsection name="WebSocket">
    <changelog>
      <fix>
        <bug>68884</bug>: Reduce the write timeout when writing WebSocket close
        messages for abnormal closes. The timeout defaults to 50 milliseconds
        and may be controlled using the
        <code>org.apache.tomcat.websocket.ABNORMAL_SESSION_CLOSE_SEND_TIMEOUT</code>
        property in the user properties collection associated with the WebSocket
        session. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <fix>
        Examples: Improve performance of WebSocket chat application when
        multiple clients disconnect at the same time. (markt)
      </fix>
      <update>
        Examples: Increase the number of previous messages displayed when using
        the WebSocket chat application. (markt)
      </update>
      <fix>
        Examples: Improve performance of WebSocket snake application when
        multiple clients disconnect at the same time. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <update>
        Switch to using the Base64 encoder and decoder provided by the JRE
        rather than the version provided by Commons Codec. This removes the
        internal fork of Commons Codec. (markt)
      </update>
      <update>
        Update to the Eclipse JDT compiler 4.31. (markt)
      </update>
      <update>
        Update NSIS to 3.10. (mark0t)
      </update>
      <update>
        Update UnboundID to 7.0.0. (markt)
      </update>
      <update>
        Update Checkstyle to 10.16.0. (markt)
      </update>
      <update>
        Update JaCoCo to 0.8.12. (markt)
      </update>
      <update>
        Update SpotBugs to 4.8.4. (markt)
      </update>
      <update>
        Update the internal fork of Apache Commons BCEL to 6.9.0. (markt)
      </update>
      <update>
        Update the internal fork of Apache Commons DBCP to 2.12.0. (markt)
      </update>
      <add>
        Improvements to Japanese translations by tak7iji. (remm)
      </add>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 11.0.0-M19 (remm)" rtext="2024-04-16">
  <subsection name="Catalina">
    <changelog>
      <update>
        Add <code>highConcurrencyStatus</code> attribute to the
        <code>SemaphoreValve</code> to optionally allow the valve to return an
        error status code to the client when a permit cannot be acquired from
        the semaphore. (remm)
      </update>
      <add>
        Add checking of the "age" of the running Tomcat instance since its
        build-date to the SecurityListener, and log a warning if the server
        is old. (schultz)
      </add>
      <fix>
        When using the <code>AsyncContext</code>, throw an
        <code>IllegalStateException</code>, rather than allowing an
        <code>NullPointerException</code>, if an attempt is made to use the
        <code>AsyncContext</code> after it has been recycled. (markt)
      </fix>
      <add>
        Add a default implementation for <code>HttpSession.getAccessor()</code>
        to align with the Servlet 6.1 API. (markt)
      </add>
      <add>
        Add the Jakarta EE 11 XML schemas and update Tomcat and included web
        applications to use them. (markt)
      </add>
      <fix>
        Change the thread-safety mechanism for protecting StandardServer.services
        from a simple synchronized lock to a ReentrantReadWriteLock to allow
        multiple readers to operate simultaneously. Based upon a suggestion by
        Markus Wolfe. (schultz)
      </fix>
      <fix>
        Improve Service connectors, Container children and Service executors
        access sync using a ReentrantReadWriteLock. (remm)
      </fix>
      <fix>
        Improve handling of integer overflow if an attempt is made to upload a
        file via the Servlet API and the file is larger than
        <code>Integer.MAX_VALUE</code>. (markt)
      </fix>
      <fix>
        <bug>68862</bug>: Handle possible response commit when processing read
        errors. (remm)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        Add <code>threadsMaxIdleTime</code> attribute to the endpoint,
        to allow configuring the amount of time before an internal executor
        will scale back to the configured <code>minSpareThreads</code> size.
        (remm)
      </fix>
      <update>
        Adjust the <code>Set-Cookie</code> header generated by the
        <code>Rfc6265CookieProcessor</code> so that attributes with a value of
        the empty string will be output as bare attribute names without an
        equals sign or value. This will simplify future support for similar new
        attributes by removing the need for special handling. (markt)
      </update>
      <scode>
        Refactor the internal representation of the <code>HttpOnly</code> and
        <code>Secure</code> attributes to use the empty string as the value for
        consistency with the recent changes to <code>Set-Cookie</code> header
        generation. (markt)
      </scode>
      <fix>
        Do not generate the <code>Max-Age</code> attribute for
        <code>Set-Cookie</code> headers associated with cookies that have been
        configured with a <code>Max-Age</code> value of zero as RFC 6265 does
        not permit a value of zero in this case. (markt)
      </fix>
      <fix>
        Correct a regression in the support for user provided
        <code>SSLContext</code> instances that broke the
        <code>org.apache.catalina.security.TLSCertificateReloadListener</code>.
        (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <fix>
        Handle the case where the JSP engine forwards a request/response to a
        Servlet that uses an <code>OutputStream</code> rather than a
        <code>Writer</code>. This was triggering an
        <code>IllegalStateException</code> on code paths where there was a
        subsequent attempt to obtain a <code>Writer</code>. (markt)
      </fix>
      <fix>
        Correctly handle the case where a tag library is packaged in a JAR file
        and the web application is deployed as a WAR file rather than an
        unpacked directory. (markt)
      </fix>
      <fix>
        Prevent the web application's ClassLoader from being pinned by the JSP
        compiler if an application uses a custom XMLInputFactory. Based upon a
        suggestion from Simon Niederberger. (schultz)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <update>
        Update Checkstyle to 10.14.1. (markt)
      </update>
      <update>
        Update the internal fork of Apache Commons BCEL to 6.8.2. (markt)
      </update>
      <update>
        Update the internal fork of Apache Commons Codec to 1.16.1. (markt)
      </update>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Japanese translations by tak7iji. (remm)
      </add>
      <add>
        Improvements to Chinese translations by leeyazhou. (remm)
      </add>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 11.0.0-M18 (markt)" rtext="2024-03-14">
  <subsection name="General">
    <changelog>
      <update>
        Reduce the minimum supported Java version to Java 17. (markt)
      </update>
    </changelog>
  </subsection>
  <subsection name="Catalina">
    <changelog>
      <fix>
        Minor performance improvement for building filter chains. Based on
        ideas from <pr>702</pr> by Luke Miao. (remm)
      </fix>
      <fix>
        Align error handling for <code>Writer</code> and
        <code>OutputStream</code>. Ensure use of either once the response has
        been recycled triggers a <code>NullPointerException</code> provided that
        <code>discardFacades</code> is configured with the default value of
        <code>true</code>. (markt)
      </fix>
      <fix>
        <bug>68692</bug>: The standard thread pool implementations that are
        configured using the <code>Executor</code> element now implement
        <code>ExecutorService</code> for better support NIO2. The
        <code>org.apache.catalina.Executor</code> interface now extends
        <code>ExecutorService</code>. (remm)
      </fix>
      <fix>
        <bug>68495</bug>: When restoring a saved POST request after a successful
        FORM authentication, ensure that neither the URI, the query string nor
        the protocol are corrupted when restoring the request body. (markt)
      </fix>
      <fix>
        After forwarding a request, attempt to unwrap the response in order to
        suspend it, instead of simply closing it if it was wrapped. Add a new
        <code>suspendWrappedResponseAfterForward</code> boolean attribute on
        <code>Context</code> to control the bahavior, defaulting to
        <code>true</code>. (remm)
      </fix>
      <fix>
        <bug>68721</bug>: Workaround a possible cause of duplicate class
        definitions when using <code>ClassFileTransformer</code>s and the
        transformation of a class also triggers the loading of the same class.
        (markt)
      </fix>
      <fix>
        The rewrite valve should not do a rewrite if the output is identical
        to the input. (remm)
      </fix>
      <update>
        Add a new <code>valveSkip</code> (or <code>VS</code>) rule flag to the
        rewrite valve to allow skipping over the next valve in the Catalina
        pipeline. (remm)
      </update>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        Fix bad symbol lookup use in the OpenSSL FFM code. (remm)
      </fix>
      <fix>
        Improve the HTTP/2 stream prioritisation process. If a stream uses all
        of the connection windows and still has content to write, it will now be
        added to the backlog immediately rather than waiting until the write
        attempt for the remaining content. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <add>
        Add method invocation support for <code>java.util.Optional</code> via
        the <code>jakarta.el.OptionalELResolver</code>  to Tomcat's
        implementation of the Jakarta EL API to align with the latest proposals
        for the Jakarta EL 6.0 API. The property support has also been refined
        for greater consistency. (markt)
      </add>
      <update>
        The defaults for <code>compilerSourceVM</code> and
        <code>compilerTargetVM</code> have been updated to 17 to align with Java
        17 being the minimum Java version required for Tomcat 11. (markt)
      </update>
    </changelog>
  </subsection>
  <subsection name="Cluster">
    <changelog>
      <fix>
        Avoid updating request count stats on async. (remm)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Japanese translations by tak7iji. (markt)
      </add>
      <fix>
        <bug>57130</bug>: Allow digest.(sh|bat) to accept password from a file
        or stdin. (csutherl/schultz)
      </fix>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 11.0.0-M17 (markt)" rtext="2024-02-19">
  <subsection name="Catalina">
    <changelog>
      <add>
        Implement <code>HttpSession.getAccessor()</code> which provides a
        mechanism for applications to interact with an <code>HttpSession</code>
        outside the standard Servlet processing of an HTTP request. This is
        expected to be especially useful with applications using the Jakarta
        WebSocket API. (markt)
      </add>
      <fix>
        Correct JPMS and OSGi meta-data for <code>tomcat-embed-core.jar</code>
        by removing reference to <code>org.apache.catalina.ssi</code> package
        that is no longer included in the JAR. Based on pull request
        <pr>684</pr> by Jendrik Johannes. (markt)
      </fix>
      <fix>
        Fix ServiceBindingPropertySource so that trailing <code>\r\n</code>
        sequences are correctly removed from files containing property values
        when configured to do so. Bug identified by Coverity Scan. (markt)
      </fix>
      <add>
        Add improvements to the CSRF prevention filter including the ability
        to skip adding nonces for resource name and subtree URL patterns. (schultz)
      </add>
      <fix>
        Review usage of debug logging and downgrade trace or data dumping
        operations from debug level to trace. (remm)
      </fix>
      <fix>
        <bug>68089</bug>: Further improve the performance of request attribute
        access for <code>ApplicationHttpRequest</code> and
        <code>ApplicationRequest</code>. (markt)
      </fix>
      <fix>
        <bug>68559</bug>: Allow asynchronous error handling to write to the
        response after an error during asynchronous processing. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        Setting a <code>null</code> value for a cookie attribute should remove
        the attribute. (markt)
      </fix>
      <fix>
        Optimize state handling for OpenSSL context callbacks with the FFM API.
        (remm)
      </fix>
      <fix>
        Make asynchronous error handling more robust. Ensure that once a
        connection is marked to be closed, further asynchronous processing
        cannot change that. (markt)
      </fix>
      <fix>
        Make asynchronous error handling more robust. Ensure that once the call
        to <code>AsyncListener.onError()</code> has returned to the container,
        only container threads can access the <code>AsyncContext</code>. This
        protects against various race conditions that woudl otherwise occur if
        application threads continued to access the <code>AsyncContext</code>.
      </fix>
      <fix>
        Review usage of debug logging and downgrade trace or data dumping
        operations from debug level to trace. In particular, most of the
        HTTP/2 debug logging has been changed to trace level. (remm)
      </fix>
      <fix>
        Add support for user provided <code>SSLContext</code> instances
        configured on <code>SSLHostConfigCertificate</code> instances. Based on
        pull request <pr>673</pr> provided by Hakan Altındağ. (markt)
      </fix>
      <fix>
        Partial fix for <bug>68558</bug>: Cache the result of converting to
        <code>String</code> for request URI, HTTP header names and the request
        <code>Content-Type</code> value to improve performance by reducing
        repeated <code>byte[]</code> to <code>String</code> conversions. (markt)
      </fix>
      <fix>
        Improve error reporting to HTTP/2 clients for header processing errors
        by reporting problems at the end of the frame where the error was
        detected rather than at the end of the headers. (markt)
      </fix>
      <fix>
       Remove the remaining reference to a stream once the stream has been
       recycled. This makes the stream eligible for garbage collection earlier
       and thereby improves scalability. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <fix>
        Additional fixes to correctly support <code>length</code> as a read-only
        property of an array via the <code>ArrayELResolver</code>. (markt)
      </fix>
      <fix>
        <bug>68546</bug>: Generate optimal size and types for JSP imports maps,
        as suggested by John Engebretson. (remm)
      </fix>
      <fix>
        Review usage of debug logging and downgrade trace or data dumping
        operations from debug level to trace. (remm)
      </fix>
    </changelog>
  </subsection>
  <subsection name="WebSocket">
    <changelog>
      <fix>
        Correct a regression in the fix for <bug>66508</bug> that could cause an
        <code>UpgradeProcessor</code> leak in some circumstances. (markt)
      </fix>
      <fix>
        Review usage of debug logging and downgrade trace or data dumping
        operations from debug level to trace. (remm)
      </fix>
      <fix>
        Ensure that WebSocket connection closure completes if the connection is
        closed when the server side has used the proprietary suspend/resume
        feature to suspend the connection. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <add>
        Add support for responses in JSON format from the examples application
        RequestHeaderExample. (schultz)
      </add>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <fix>
        Correct the remaining OSGi contract references in the manifest files to
        refer to the Jakarta EE contract names rather than the Java EE contract
        names. Based on pull request <pr>685</pr> provided by Paul A. Nicolucci.
        (markt)
      </fix>
      <update>
        Update Checkstyle to 10.13.0. (markt)
      </update>
      <update>
        Update JSign to 6.0. (markt)
      </update>
      <update>
        Update the packaged version of the Tomcat Migration Tool for Jakarta EE
        to 1.0.7. (markt)
      </update>
      <update>
        Update Tomcat Native to 2.0.7. (markt)
      </update>
      <update>
        Add strings for debug level messages. (remm)
      </update>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Japanese translations by tak7iji. (markt)
      </add>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 11.0.0-M16 (markt)" rtext="2024-01-09">
  <subsection name="Catalina">
    <changelog>
      <add>
        Allow alternate redirect status code for directory redirects issued by
        the default servlet via the init param
        <code>directoryRedirectStatusCode</code>. (funkman/markt)
      </add>
      <update>
        <bug>68378</bug>: Align extension to MIME type mappings in the global
        web.xml with those in httpd by adding
        <code>application/vnd.geogebra.slides</code> for <code>ggs</code>,
        <code>text/javascript</code> for <code>mjs</code> and
        <code>audio/ogg</code> for opus. (markt)
      </update>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        Refactor the <code>VirtualThreadExecutor</code> so that it can be used
        by the NIO2 connector which was using platform threads even when
        configured to use virtual threads. (markt)
      </fix>
      <fix>
        Correct a regression in the fix for <bug>67675</bug> that broke TLS key
        file parsing for PKCS#8 format keys that do not specify an explicit
        pseudo-random function and rely on the default. This typically affects
        keys generated by OpenSSL 1.0.2. (markt)
      </fix>
      <fix>
        Allow multiple operations with the same name on introspected mbeans,
        fixing a regression caused by the introduction of a second
        <code>addSslHostConfig</code> method. (remm)
      </fix>
      <fix>
        Relax the check that the HTTP Host header is consistent with the host
        used in the request line, if any, to make the check case insensitive
        since host names are case insensitive. (markt)
      </fix>
      <add>
        <bug>68348</bug>: Add support for the partitioned attribute for cookies
        including session cookies. (markt)
      </add>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <update>
        The defaults for <code>compilerSourceVM</code> and
        <code>compilerTargetVM</code> have been updated to 21 to align with Java
        21 being the minimum Java version required for Tomcat 11. (markt)
      </update>
    </changelog>
  </subsection>
  <subsection name="Web Applications">
    <changelog>
      <fix>
        <bug>68035</bug>: Additional fix to the Manager application to enable
        the deployment of a web application located in a Host's
        <code>appBase</code> where the web application is specified by a bare
        (no path) WAR or directory name as shown in the documentation. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <update>
        Update to the Eclipse JDT compiler 4.30. (markt)
      </update>
      <update>
        Update Checkstyle to 10.12.7. (markt)
      </update>
      <update>
        Update SpotBugs to 4.8.3. (markt)
      </update>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Japanese translations by tak7iji. (markt)
      </add>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 11.0.0-M15 (markt)" rtext="2023-12-12">
  <subsection name="Catalina">
    <changelog>
      <fix>
        Background processes should not be run concurrently with lifecycle
        operations of a container. (remm)
      </fix>
      <add>
        Add support for the <code>jakarta.servlet.request.secure_protocol</code>
        request attribute that has been added in Jakarta Servlet 6.1. This
        replaces the now deprecated Tomcat specific request attribute
        <code>org.apache.tomcat.util.net.secure_protocol_version</code>. (markt)
      </add>
      <add>
        Align behaviour with the latest addition to the Servlet 6.1
        specification that requires that all HTTP error dispatches use the GET
        method. (markt)
      </add>
      <fix>
        Correct unintended escaping of XML in some WebDAV responses. The XML
        list of support locks when provided in response to a PROPFIND request
        was incorrectly XML escaped. (markt)
      </fix>
      <fix>
        <bug>68227</bug>: Ensure that <code>AsyncListener.onComplete()</code> is
        called if <code>AsyncListener.onError()</code> calls
        <code>AsyncContext.dispatch()</code>. (markt)
      </fix>
      <fix>
        <bug>68228</bug>: Use a 408 status code if a read timeout occurs during
        HTTP request processing. Includes a test case based on code provided by
        adwsingh. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        Use Java code to load certificate chain when using OpenSSL through
        the FFM API. (remm)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <scode>
        <bug>68119</bug>: Refactor the <code>CompositeELResolver</code> to
        improve performance during type conversion operations. (markt)
      </scode>
    </changelog>
  </subsection>
  <subsection name="Web Applications">
    <changelog>
      <fix>
        Examples. Improve the error handling so snakes associated with a user
        that drops from the network are removed from the game. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <update>
        Update the OWB module to Apache OpenWebBeans 4.0.1. (remm)
      </update>
      <fix>
        <bug>68124</bug>: Migrate sample.war from javax to jakarta. (lihan)
      </fix>
      <update>
        Update UnboundID to 6.0.11. (markt)
      </update>
      <update>
        Update Checkstyle to 10.12.5. (markt)
      </update>
      <update>
        Update SpotBugs to 4.8.2. (markt)
      </update>
      <update>
        Update Derby to 10.17.1. (markt)
      </update>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Japanese translations by tak7iji. (markt)
      </add>
      <add>
        Improvements to Brazilian Portuguese translations by John William
        Vicente. (markt)
      </add>
      <add>
        Improvements to Russian translations by usmazat and remm. (markt)
      </add>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 11.0.0-M14 (markt)" rtext="2023-11-15">
  <subsection name="Catalina">
    <changelog>
      <fix>
        <bug>67667</bug>: <code>TLSCertificateReloadListener</code> prints
        unreadable rendering of <code>X509Certificate#getNotAfter()</code>.
        (michaelo)
      </fix>
      <update>
        The status servlet included in the manager webapp can now output
        statistics as JSON, using the <code>JSON=true</code> URL parameter.
        (remm)
      </update>
      <update>
        Optionally allow ServiceBindingPropertySource to trim a trailing newline
        from a file containing a property-value. (schultz)
      </update>
      <update>
        Use Files.move instead of File.renameTo in the FarmWebDeployer to
        support a broader range of environments, and to give better information
        in the event of a failure. (schultz)
      </update>
      <fix>
        <bug>67793</bug>: Ensure the original session timeout is restored after
        FORM authentication if the user refreshes a page during the FORM
        authentication process. Based on a suggestion by Mircea Butmalai.
        (markt)
      </fix>
      <update>
        <bug>67926</bug>: <code>PEMFile</code> prints unidentifiable string
        representation of ASN.1 OIDs. (michaelo)
      </update>
      <fix>
        <bug>66875</bug>: Ensure that setting the request attribute
        <code>jakarta.servlet.error.exception</code> is not sufficient to
        trigger error handling for the current request and response. (markt)
      </fix>
      <fix>
        <bug>68054</bug>: Avoid some file canonicalization calls introduced
        by the fix for <bug>65433</bug>. (remm)
      </fix>
      <fix>
        <bug>68089</bug>: Improve performance of request attribute access for
        <code>ApplicationHttpRequest</code> and <code>ApplicationRequest</code>.
        (markt)
      </fix>
      <fix>
        Use a 400 status code to report an error due to a bad request (e.g. an
        invalid trailer header) rather than a 500 status code. (markt)
      </fix>
      <fix>
        Ensure that an <code>IOException</code> during the reading of the
        request triggers always error handling, regardless of whether the
        application swallows the exception. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <add>
        <bug>66670</bug>: Add <code>SSLHostConfig#certificateKeyPasswordFile</code> and
        <code>SSLHostConfig#certificateKeystorePasswordFile</code>. (michaelo)
      </add>
      <add>
        When calling
        <code>SSLHostConfigCertificate.setCertificateKeystore(ks)</code>,
        automatically call
        <code>setCertificateKeystoreType(ks.getType())</code>. (markt)
      </add>
      <add>
        Add OpenSSL integration using the FFM API rather than Tomcat Native.
        OpenSSL support may be enabled by adding the
        <code>org.apache.catalina.core.OpenSSLLifecycleListener</code>
        listener on the <code>Server</code> element when using Java 22
        (starting with preview build 20) or later. (remm)
      </add>
      <fix>
        <bug>67628</bug>: Clarify how the <code>ciphers</code> attribute of the
        <code>SSLHostConfig</code> is used. (markt)
      </fix>
      <fix>
        <bug>67666</bug>: Ensure TLS connectors using PEM files either work with
        the <code>TLSCertificateReloadListener</code> or, in the rare case that
        they do not, log a warning on Connector start. (markt)
      </fix>
      <fix>
        <bug>67675</bug>: Support a wider range of KDF and ciphers for PEM files
        than the combinations supported by the JVM by default. Specifically,
        support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt)
      </fix>
      <fix>
        <bug>67927</bug>: Reloading TLS configuration can cause the Connector to
        refuse new connections or the JVM to crash. (markt)
      </fix>
      <fix>
        <bug>67938</bug>: Correct handling of large TLS client hello messages
        that were causing the TLS handshake to fail. (markt)
      </fix>
      <fix>
        <bug>68026</bug>: Convert selected <code>MessageByte</code> values to
        String when first accessed to speed up subsequent accesses and reduce
        garbage collection. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <add>
        Add support for Records to expression language. (markt)
      </add>
      <fix>
        <bug>68068</bug>: Performance improvement for EL. Based on a suggestion
        by John Engebretson. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="WebSocket">
    <changelog>
      <fix>
        Correct missing metadata in the MANIFEST of the for WebSocket client API
        JAR file. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <fix>
        <bug>68035</bug>: Correct a regression in the fix for <bug>56248</bug>
        that prevented deployment via the Manager of a WAR or directory that was
        already present in the <code>appBase</code> or a context file that was
        already present in the <code>xmlBase</code>. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <add>
        <bug>67538</bug>: Make use of Ant's <code>&lt;javaversion /&gt;</code> task
        to enfore the mininum Java build version. (michaelo)
      </add>
      <update>
        Update Checkstyle to 10.12.4. (markt)
      </update>
      <update>
        Update JaCoCo to 0.8.11. (markt)
      </update>
      <update>
        Update SpotBugs to 4.8.0. (markt)
      </update>
      <update>
        Update BND to 7.0.0. (markt)
      </update>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 11.0.0-M13 (markt)" rtext="2023-10-14">
  <subsection name="Coyote">
    <changelog>
      <fix>
        <bug>67670</bug>: Fix regression with HTTP compression after code
        refactoring. (remm)
      </fix>
    </changelog>
  </subsection>
  <subsection name="jdbc-pool">
    <changelog>
      <fix>
        <bug>67664</bug>: Correct a regression in the clean-up of unnecessary
        use of fully qualified class names in 11.0.0-M12 that broke the
        jdbc-pool. (markt)
      </fix>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 11.0.0-M12 (markt)" rtext="2023-10-10">
  <subsection name="Catalina">
    <changelog>
      <add>
        <bug>65770</bug>: Provide a lifecycle listener that will automatically
        reload TLS configurations a set time before the certificate is due to
        expire. This is intended to be used with third-party tools that
        regularly renew TLS certificates. (markt)
      </add>
      <fix>
        Fix handling of an error reading a context descriptor on deployment.
        (remm)
      </fix>
      <fix>
        Fix rewrite rule qsd (query string discard) being ignored if qsa was
        also use, while it should instead take precedence. (remm)
      </fix>
      <fix>
        <bug>67472</bug>: Send fewer CORS-related headers when CORS is not
        actually being engaged. (schultz)
      </fix>
      <add>
        Improve handling of failures within <code>recycle()</code> methods.
        (markt)
      </add>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        <bug>67198</bug>: Ensure that the AJP connector attribute
        <code>tomcatAuthorization</code> takes precedence over the
        <code>tomcatAuthentication</code> attribute when processing an
        <code>auth_type</code> attribute received from a proxy server. (markt)
      </fix>
      <fix>
        <bug>67235</bug>: Fix a <code>NullPointerException</code> when an
        <code>AsyncListener</code> handles an error with a dispatch rather than
        a complete. (markt)
      </fix>
      <fix>
        When an error occurs during asynchronous processing, ensure that the
        error handling process is only triggered once per asynchronous cycle.
        (markt)
      </fix>
      <fix>
        Fix logic issue trying to match no argument method in IntropectionUtil.
        (remm)
      </fix>
      <fix>
        Improve thread safety around readNotify and writeNotify in the NIO2
        endpoint. (remm)
      </fix>
      <fix>
        Avoid rare thread safety issue accessing message digest map. (remm)
      </fix>
      <fix>
        Improve statistics collection for upgraded connections under load.
        (remm)
      </fix>
      <update>
        <code>PushBuilder</code> has been deprecated in line with the changes
        for the Servlet 6.1 specification. It will be replaced in a future
        Tomcat 11 milestone with support for 103 early hints. (markt)
      </update>
      <update>
        Remove support for HTTP/2 server push. Calls to
        <code>newPushBuilder()</code> will always return <code>null</code>.
        (markt)
      </update>
      <fix>
        Align validation of HTTP trailer fields with standard fields. (markt)
      </fix>
      <fix>
        Improvements to HTTP/2 overhead protection. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <fix>
        <bug>67080</bug>: Improve performance of EL expressions in JSPs that use
        implicit objects. Based on suggestions by John Engebretson, Anurag Dubey
        and Christopher Schultz. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <update>
        Update the internal fork of Apache Commons FileUpload to 7a8c324
        (2023-09-16, 1.x-SNAPSHOT). Due to significant refactoring in the 2.x
        branch requiring additional Commons IO dependencies, Tomcat has switched
        to tracking the 1.x branch. (markt)
      </update>
      <add>
        Add the <code>Bundle-License</code> header to the JAR manifest for all
        Tomcat JARs. (markt)
      </add>
      <update>
        Update to the Eclipse JDT compiler 4.29. (markt)
      </update>
      <update>
        Update UnboundID to 6.0.10. (markt)
      </update>
      <update>
        Update Checkstyle to 10.12.3. (markt)
      </update>
      <update>
        Update Tomcat Native to 2.0.6. (markt)
      </update>
      <update>
        Update Commons Pool to 2.12.0. (markt)
      </update>
      <fix>
        <bug>67611</bug>: Correct the download link in BUILDING.txt. (lihan)
      </fix>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Japanese translations by tak7iji. (markt)
      </add>
      <add>
        Improvements to Russian translations by usmazat. (markt)
      </add>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 11.0.0-M11 (markt)" rtext="2023-08-25">
  <subsection name="Catalina">
    <changelog>
      <fix>
        If an application or library sets both a non-500 error code and the
        <code>jakarta.servlet.error.exception</code> request attribute, use the
        provided error code during error page processing rather than assuming an
        error code of 500. (markt)
      </fix>
      <fix>
        Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes
        and KiB for 1024 bytes rather than MB and kB. (martk)
      </fix>
      <add>
        Update the HTTP parameter handling to align with the changes in the
        Jakarta Servlet 6.1 API Javadoc for the <code>ServletRequest</code>
        methods used to obtain request parameters. Invalid parameters and/or
        exceeding parameter size and/or quantity limits now trigger
        exceptions. As a consequence, the <code>FailedRequestFilter</code> has
        been removed. (markt)
      </add>
      <fix>
        Avoid protocol relative redirects in FORM authentication. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <fix>
        Documentation. Update documentation to use MiB for 1024 * 1024 bytes and
        KiB for 1024 bytes rather than MB and kB. (martk)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <add>
        Improvements to Chinese translations. (lihan)
      </add>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Japanese translations by tak7iji. (markt)
      </add>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 11.0.0-M10 (markt)" rtext="2023-08-14">
  <subsection name="Catalina">
    <changelog>
      <fix>
        Fix potential database connection leaks in
        <code>DataSourceUserDatabase</code> identified by Coverity Scan. (markt)
      </fix>
      <fix>
        Make parsing of <code>ExtendedAccessLogValve</code> patterns more
        robust. (markt)
      </fix>
      <fix>
        Fix failure trying to persist configuration for an internal credential
        handler. (remm)
      </fix>
      <fix>
        <bug>66680</bug>: When serializing a session during the session
        presistence process, do not log a warning that null Principals are not
        serializable. Pull request <pr>638</pr> provided by tsryo. (markt)
      </fix>
      <fix>
        <bug>66822</bug>: Use the same naming format in log messages for
        Connector instances as the associated ProtocolHandler instance. (markt)
      </fix>
      <fix>
        The parts count should also lower the actual
        <code>maxParameterCount</code> used for parsing parameters if parts are
        parsed first. (remm)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        Refactor blocking reads and writes for the NIO connector to remove
        code paths that could allow a notification from the Poller to be missed
        resuting in a timeout rather than the expected read or write. (markt)
      </fix>
      <fix>
        Refactor waiting for an HTTP/2 stream or connection window update to
        handle spurious wake-ups during the wait. (markt)
      </fix>
      <update>
        Improve extensibility of endpoints for socket channel creation and TLS.
        Pull request <pr>639</pr> provided by Marco Fargetta. (remm)
      </update>
      <fix>
        Correct a regression introduced in 11.0.0-M9 and use the correct
        constant when constructing the default value for the
        <code>certificateKeystoreFile</code> attribute of an
        <code>SSLHostConfigCertificate</code> instance. (markt)
      </fix>
      <scode>
        Refactor HTTP/2 implementation to reduce pinning when using virtual
        threads. (markt)
      </scode>
      <fix>
        Pass through ciphers referring to an OpenSSL profile, such as
        <code>PROFILE=SYSTEM</code> instead of producing an error trying to
        parse it. (remm)
      </fix>
      <fix>
        <bug>66841</bug>: Ensure that <code>AsyncListener.onError()</code> is
        called after an error during asynchronous processing with HTTP/2.
        (markt)
      </fix>
      <fix>
        <bug>66842</bug>: When using asynchronous I/O (the default), include
        DATA frames when calculating the HTTP/2 overhead count to ensure that
        connections are not prematurely terminated. (markt)
      </fix>
      <fix>
        Correct a race condition that could cause spurious RST messages to be
        sent after the response had been written to an HTTP/2 stream. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="WebSocket">
    <changelog>
      <fix>
        <bug>66681</bug>: Fix a <code>NullPointerException</code> when flushing
        batched messages with compression enabled using
        <code>permessage-deflate</code>. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="jdbc-pool">
    <changelog>
      <fix>
        Fix the <code>releaseIdleCounter</code> does not increment when testAllIdle
        releases them. Pull request <pr>241</pr> provided by Arun Chaitanya Miriappalli
        (lihan)
      </fix>
      <fix>
        Fix the <code>ConnectionState</code> state will be inconsistent with actual
        state on the connection when an exception occurs while writing. Pull request
        <pr>643</pr> provided by Wenjun Xiao. (lihan)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <update>
        Update NSIS to 3.09. (markt)
      </update>
      <update>
        Update Checkstyle to 10.12.2. (markt)
      </update>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Japanese translations. Contributed by tak7iji and
        Shirayuking. (markt)
      </add>
      <fix>
        <bug>66829</bug>: Fix quoting so users can use the <code>_RUNJAVA</code>
        environment variable as intended on Windows when the path to the Java
        executable contains spaces. (markt)
      </fix>
      <fix>
        <bug>66834</bug>: Correct the OSGi contract references in the manifest
        files to refer to the Jakarta EE contract names rather than the Java EE
        contract names. (markt)
      </fix>
      <update>
        Update Tomcat Native to 2.0.5. (markt)
      </update>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 11.0.0-M9 (markt)" rtext="2023-07-10">
  <subsection name="Other">
    <changelog>
      <fix>
        Correct properties for JSign dependency. (rjung)
      </fix>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 11.0.0-M8 (markt)" rtext="not released">
  <subsection name="Catalina">
    <changelog>
      <add>
        <bug>59232</bug>: Add
        <code>org.apache.catalina.core.ContextNamingInfoListener</code>,
        a listener which creates context naming information environment entries.
        (michaelo)
      </add>
      <add>
        <bug>66665</bug>: Add
        <code>org.apache.catalina.core.PropertiesRoleMappingListener</code>,
        a listener which populates the context's role mapping from a properties
        file. (michaelo)
      </add>
      <fix>
        Fix an edge case where intra-web application symlinks would be followed
        if the web applications were deliberately crafted to allow it even when
        <code>allowLinking</code> was set to <code>false</code>. (markt)
      </fix>
      <update>
        Add utlity config file resource lookup on <code>Context</code> to allow
        looking up resources from the webapp (prefixed with
        <code>webapp:</code>) and make the resource lookup API more visible.
        (remm)
      </update>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        <bug>66627</bug>: Restore the documented behaviour of
        <code>MessageBytes.getType()</code> that it returns the type of the
        original content rather than reflecting the most recent conversion.
        (markt)
      </fix>
      <fix>
        <bug>66635</bug>: Correct certificate logging on start-up so it
        differentiates between keystore based keys/certificates and PEM file
        based keys/certificates and logs the relevant information for each.
        (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <add>
        Add <code>java.util.Optional</code> support via the
        <code>jakarta.el.OptionalELResolver</code>  to Tomcat's implementation
        of the Jakarta EL API to align with the latest proposals for the Jakarta
        EL 6.0 API. (markt)
      </add>
      <add>
        Add support for specifying Java 22 (with the value <code>22</code>) as
        the compiler source and/or compiler target for JSP compilation. If used
        with an Eclipse JDT compiler version that does not support these values,
        a warning will be logged and the default will used.
        (markt)
      </add>
    </changelog>
  </subsection>
  <subsection name="WebSocket">
    <changelog>
      <fix>
        Improve handling of error conditions for the WebSocket server,
        particularly during Tomcat shutdown. (markt)
      </fix>
      <fix>
        Correct a regression in the fix for <bug>66574</bug> that meant the
        WebSocket session could return false for <code>onOpen()</code> before
        the <code>onClose()</code> event had been completed. (markt)
      </fix>
      <add>
        Update the WebSocket API provided by Tomcat to align with the latest
        proposals from the Jakarta WebSocket project and make the WebSocket
        <code>Session</code> instance available via <code>SendResult</code>.
        (markt)
      </add>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <add>
        Documentation. Expand the security guidance to cover the embedded use
        case and add notes on the uses made of the <code>java.io.tmpdir</code>
        system property. (markt)
      </add>
      <fix>
        <bug>66662</bug>: Documentation. Fix a typo in the name of the
        <strong>algorithms</strong> attribute in the configuration section for
        the Digest authentication valve. Pull request <pr>629</pr> provided by
        gohilmca. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Include the Windows specific binary distributions in the files uploaded
        to Maven Central. (markt)
      </add>
      <update>
        Remove support for running Tomcat on 32-bit Windows operating systems as
        Java 21 is not available for that platform. (markt)
      </update>
      <add>
        Improvements to Japanese translations. Contributed by tak7iji. (markt)
      </add>
      <update>
        Update to the Eclipse JDT compiler 4.28. (markt)
      </update>
      <update>
        Update UnboundID to 6.0.9. (markt)
      </update>
      <update>
        Update Checkstyle to 10.12.1. (markt)
      </update>
      <update>
        Update BND to 6.4.1. (markt)
      </update>
      <update>
        Update JSign to 5.0. (markt)
      </update>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 11.0.0-M7 (markt)" rtext="2023-06-08">
  <subsection name="General">
    <changelog>
      <update>
        Increase the minimum supported Java version to Java 21. (markt)
      </update>
    </changelog>
  </subsection>
  <subsection name="Catalina">
    <changelog>
      <scode>
        Move the management of the utility executor from the
        <code>init()</code>/<code>destroy()</code> methods of components to the
        <code>start()</code>/<code>stop()</code> methods. (markt)
      </scode>
      <add>
        Add RateLimitFilter which can be used to mitigate DoS and Brute Force
        attacks. (isapir)
      </add>
      <scode>
        Remove support for using the <code>^</code> character to separate the
        WAR file and WAR contents in Tomcat's custom WAR URL handler. The
        current default separator character of <code>*</code> remains unchanged.
        (markt)
      </scode>
      <add>
        Add <code>org.apache.catalina.core.StandardVirtualThreadExecutor</code>,
        a virtual thread based executor that may be used with one or more
        Connectors to process requests received by those Connectors using
        virtual threads. (markt)
      </add>
      <fix>
        <bug>66513</bug>: Add a per session Semaphore to the
        <code>PersistentValve</code> that ensures that, within a single Tomcat
        instance, there is no more than one concurrent request per session. Also
        expand the debug logging to include whether a request bypasses the Valve
        and the reason if a request fails to obtain the per session Semaphore.
        (markt)
      </fix>
      <fix>
        <bug>66609</bug>: Ensure that the default servlet correctly escapes
        file names in directory listings when using XML output. Based on pull
        request <pr>621</pr> by Alex Kachanov. (markt)
      </fix>
      <add>
       <bug>66618</bug>: Add a numeric last modified field to the XML directory
       listings produced by the default servlet to enable sorting in the XSLT.
       Pull request <pr>622</pr> by Alex Kachanov. (markt)
      </add>
      <fix>
        <bug>66621</bug>: Attempts to lock a collection with WebDAV may
        incorrectly fail if a child collection has an expired lock. (markt)
      </fix>
      <fix>
        <bug>66622</bug>: Remove the <code>xssProtectionEnabled</code> setting
        from the <code>HttpHeaderSecurityFilter</code> as support for the
        associated HTTP header has been removed from all major browsers. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        <bug>66602</bug>: not sending WINDOW_UPDATE when dataLength is ZERO
        on call SwallowedDataFramePayload. Pull request #619 by
        ledefe. (lihan)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <update>
        Update to Commons Daemon 1.3.4. (markt)
      </update>
      <add>
        Improvements to French translations. (remm)
      </add>
      <update>
        Update Checkstyle to 10.12.0. (markt)
      </update>
      <update>
        Update the packaged version of the Apache Tomcat Native Library to 2.0.4
        to pick up the Windows binaries built with with OpenSSL 3.0.9. (markt)
      </update>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 11.0.0-M6 (markt)" rtext="2023-05-09">
  <subsection name="Catalina">
    <changelog>
      <fix>
        <bug>66567</bug>: Fix missing <code>IllegalArgumentException</code>
        after the Tomcat code was converted to using URI instead of URL. (remm)
      </fix>
      <fix>
        Escape timestamp output in <code>AccessLogValve</code> if a
        <code>SimpleDateFormat</code> is used which contains verbatim
        characters that need escaping. (rjung)
      </fix>
      <update>
        Change output of vertical tab in <code>AccessLogValve</code> from
        <code>\v</code> to <code>\u000b</code>. (rjung)
      </update>
      <update>
        Improve performance of escaping in <code>AccessLogValve</code>
        roughly by a factor of two. (rjung)
      </update>
      <update>
        Improve <code>JsonAccessLogValve</code>: support more patterns
        like for headers and attributes. Those will be logged as sub objects.
        (rjung)
      </update>
      <fix>
        <pr>613</pr>: Fix possible partial corrupted file copies when using
        file locking protection or the manager servlet. Submitted
        by Jack Shirazi. (remm)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <add>
        Add support for a new character set, <code>gb18030-2022</code> -
        introduced in Java 21, to the character set caching mechanism. (markt)
      </add>
      <fix>
        Fix an edge case in HTTP header parsing and ensure that HTTP headers
        without names are treated as invalid. (markt)
      </fix>
      <update>
        Remove support for the HTTP Connector settings
        <code>rejectIllegalHeader</code> and
        <code>allowHostHeaderMismatch</code>. These are now hard-coded to the
        previous defaults. (markt)
      </update>
      <fix>
        <bug>66591</bug>: Fix a regression introduced in the fix for
        <bug>66512</bug> that meant that an AJP Send Headers was not sent for
        responses where no HTTP headers were set. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <fix>
        <bug>66582</bug>: Account for EL having stricter requirements for static
        imports than JSPs when adding JSP static imports to the EL context.
        (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="WebSocket">
    <changelog>
      <fix>
        <bug>66574</bug>: Refactor WebSocket session close to remove the lock on
        the <code>SocketWrapper</code> which was a potential cause of deadlocks
        if the application code used simulated blocking. (markt)
      </fix>
      <fix>
        <bug>66575</bug>: Avoid unchecked use of the backing array of a
        buffer provided by the user in the compression transformation. (remm)
      </fix>
      <fix>
        Improve exception handling when flushing batched messages during
        WebSocket session close. (markt)
      </fix>
      <fix>
        <bug>66581</bug>: Update <code>AsyncChannelGroupUtil</code> to align it
        with the current defaults for AsynchronousChannelGroup. Pull request
        <pr>612</pr> by Matthew Painter. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Chinese translations. (lihan)
      </add>
      <update>
        Update Checkstyle to 10.10.0. (markt)
      </update>
      <update>
        Update Jacoco to 0.8.10. (markt)
      </update>
      <update>
        Update the packaged version of the Tomcat Migration Tool for Jakarta EE
        to 1.0.7. (markt)
      </update>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 11.0.0-M5 (markt)" rtext="2023-04-19">
  <subsection name="Catalina">
    <changelog>
      <add>
        Add a <code>doPatch</code> method to <code>HttpServlet</code> to provide
        support for the HTTP <code>PATCH</code> method as defined in RFC 5789.
        This is one of the changes in the Servlet 6.1 API. (markt)
      </add>
      <fix>
        <bug>65995</bug>: Implement RFC 9239 and use
        <code>text/javascript</code> as the media type for JavaScript rather
        than <code>application/javascript</code>. (markt)
      </fix>
      <scode>
        Tomcat no longer sets the <code>java.protocol.handler.pkgs</code> system
        property when starting. Users are now free to configure this property if
        they wish. (markt)
      </scode>
      <add>
        Add an access log valve that uses a json format. Based on pull request
        <pr>539</pr> provided by Thomas Meyer. (remm)
      </add>
      <add>
        Harden the FORM authentication process against DoS attacks by using a
        reduced session timeout if the FORM authentication process creates a
        session. The duration of this timeout is configured by the
        <code>authenticationSessionTimeout</code> attribute of the FORM
        authenticator. (markt)
      </add>
      <add>
        Implement the new Servlet API methods that provide additional control
        when sending a redirect to the client. (markt)
      </add>
      <add>
        Update Digest authentication support to align with RFC 7616. This adds a
        new configuration attribute, <code>algorithms</code>, to the
        <code>DigestAuthenticator</code> with a default of
        <code>SHA-256,MD5</code>. (markt)
      </add>
      <update>
        Reduce the default value of <code>maxParameterCount</code> from 10,000
        to 1,000. (markt)
      </update>
      <fix>
        <bug>66527</bug>: Correct the Javadoc for the
        <code>Tomcat.addWebapp()</code> methods that incorrectly stated that the
        <code>docBase</code> parameter could be a relative path. (markt)
      </fix>
      <fix>
        <bug>66524</bug> Correct eviction ordering in WebResource cache to
        be LRU as intended. (schultz)
      </fix>
      <update>
        Add support code for custom user attributes in <code>RealmBase</code>.
        Based on code from <pr>473</pr> by Carsten Klein. (remm)
      </update>
      <fix>
        Expand the set of HTTP request headers considered sensitive that should
        be skipped when generating a response to a <code>TRACE</code> request.
        This aligns with the current draft of the Servlet 6.1 specification.
        (markt)
      </fix>
      <fix>
        <bug>66541</bug>: Improve handling for cached resources for resources
        that use custom URL schemes. The scheme specific <code>equals()</code>
        and <code>hashCode()</code> algorithms, if present, will now be used for
        URLs for these resources. This addresses a potential performance issue
        with some OSGi custom URL schemes that can trigger potentially slow DNS
        lookups in some configurations. Based on a patch provided by Tom
        Whitmore. (markt)
      </fix>
      <fix>
        When using a custom session manager deployed as part of the web
        application, avoid <code>ClassNotFoundException</code>s when validating
        session IDs extracted from requests. (markt)
      </fix>
      <fix>
        <bug>66543</bug>: Give <code>StandardContext#fireRequestDestroyEvent</code>
         its own log message. (fschumacher)
      </fix>
      <fix>
        <bug>66554</bug>: Initialize Random during server initialization to
        avoid possible JVM thread creation in the webapp context on some
        platforms. (remm)
      </fix>
      <update>
        Make the server utility executor available to webapps using a Servlet
        context attribute named
        <code>org.apache.tomcat.util.threads.ScheduledThreadPoolExecutor</code>. (remm)
      </update>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        JSON filter should support specific escaping for common special
        characters as defined in RFC 8259. Based on code submitted by
        Thomas Meyer. (remm)
      </fix>
      <fix>
        <bug>66511</bug>: Fix <code>GzipOutputFilter</code> (used for compressed
        HTTP responses) when used with direct buffers. Patch suggested by Arjen
        Poutsma. (markt)
      </fix>
      <fix>
        <bug>66512</bug>: Align AJP handling of invalid HTTP response headers
        (they are now removed from the response) with HTTP. (markt)
      </fix>
      <fix>
        <bug>66530</bug>: Correct a regression in the fix for bug
        <bug>66442</bug> that meant that streams without a response body did not
        decrement the active stream count when completing leading to
        <code>ERR_HTTP2_SERVER_REFUSED_STREAM</code> for some connections.
        (markt)
      </fix>
      <fix>
        Remove use of deprecated classes in the <code>javax.security.cert</code>
        package. Pull request <pr>608</pr> provided by Eirik Bjorsnos. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <fix>
        Fix bug that meant some instances of coercing a
        <code>LambdaExpression</code> to a functional interface invocation
        failed. (markt)
      </fix>
      <fix>
        <bug>66536</bug>: Fix parsing of tag files that meant that tag
        directives could be ignored for some tag files. (markt)
      </fix>
      <add>
        Align the EL implementation with the latest changes to the Jakarta EL
        specification and add support for the length attribute to the
        <code>ArrayELResolver</code>. (markt)
      </add>
    </changelog>
  </subsection>
  <subsection name="Cluster">
    <changelog>
      <fix>
        <bug>66535</bug>: Redefine the <code>maxValidTime</code> attribute of
        <code>FarmWarDeployer</code> to be the maximum time allowed between
        receiving parts of a transferred file before the transfer is cancelled
        and the associated resources cleaned-up. A new warning message will be
        logged if the file transfer is cancelled. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="WebSocket">
    <changelog>
      <fix>
        <bug>66508</bug>: When using WebSocket with NIO2, avoid waiting for
        a timeout before sending the close frame if an I/O error occurs during a
        write. (markt)
      </fix>
      <fix>
        <bug>66548</bug>: Expand the validation of the value of the
        <code>Sec-Websocket-Key</code> header in the HTTP upgrade request that
        initiates a WebSocket connection. The value is not decoded but it is
        checked for the correct length and that only valid characters from the
        base64 alphabet are used. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <fix>
        <bug>66542</bug>: Documentation. Update the JNDI documentation to
        replace references to JavaMail with references to Jakarta Mail. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Japanese translations. Contributed by Shirayuking and
        tak7iji. (markt)
      </add>
      <add>
        Improvements to Chinese translations. Contributed by totoo. (markt)
      </add>
      <scode>
        Refactor code using <code>MD5Encoder</code> to use
        <code>HexUtils.toHexString()</code>. (markt)
      </scode>
      <fix>
        <bug>66507</bug>: Fix a bug that <code>$JAVA_OPTS</code> is not passed
        to the jvm in <code>catalina.sh</code> when calling <code>version</code>.
        Patch suggested by Eric Hamilton. (lihan)
      </fix>
      <update>
        Update the internal fork of Commons DBCP to f131286 (2023-03-08,
        2.10.0-SNAPSHOT). This corrects a regression introduced in 11.0.0-M2.
        (markt)
      </update>
      <fix>
        Improve the error messages if <code>JRE_HOME</code> or
        <code>JAVA_HOME</code> are not set correctly. On windows, align the
        handling of <code>JRE_HOME</code> and <code>JAVA_HOME</code> for the
        start-up scripts and the service install script. (markt)
      </fix>
      <update>
        Update to the Eclipse JDT compiler 4.27. (markt)
      </update>
      <update>
        Update UnboundID to 6.0.8. (markt)
      </update>
      <update>
        Update Checkstyle to 10.9.3. (markt)
      </update>
      <update>
        Update Jacoco to 0.8.9. (markt)
      </update>
      <fix>
        Enhance PEMFile to load from an InputStream. Patch provided by
        Romain Manni-Bucau. (schultz)
      </fix>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 11.0.0-M4 (markt)" rtext="2023-03-06">
  <subsection name="General">
    <changelog>
      <fix>
        Fix a bug that memory allocation is larger than limit in
        <code>SynchronizedStack</code> to reduce memory footprint. (lihan)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Catalina">
    <changelog>
      <add>
        Add support for <code>txt:</code> and <code>rnd:</code> rewrite map
        types from mod_rewrite. Based on a pull request <pr>591</pr>
        provided by Dimitrios Soumis. (remm)
      </add>
      <update>
        Provide a more appropriate response (501 rather than 400) when rejecting
        an HTTP request using the CONNECT method. (markt)
      </update>
      <fix>
        <bug>66491</bug>: Revert the switch to using the ServiceLoader mechanism
        to load the custom URL protocol handlers that Tomcat uses. The original
        system property based approach has been restored. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <add>
        Add a check for the validity of the scheme pseudo-header in HTTP/2.
        (markt)
      </add>
      <fix>
        <bug>66482</bug>: Restore inline state after async operation in NIO2,
        to account the fact that unexpected exceptions are sometimes thrown
        by the implementation. Patch submitted by zhougang. (remm)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <add>
        Provide an implementation of the sub-set of JavaBeans support that does
        not depend on the <code>java.beans</code> package. This for use by
        Expression Language when the <code>java.desktop</code> module (which is
        where the <code>java.beans</code> package resides) is not available.
        (markt)
      </add>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 11.0.0-M3 (markt)" rtext="2023-02-23">
  <subsection name="General">
    <changelog>
      <update>
        Increase the minimum supported Java version to Java 17. Note that
        Jakarta EE 11 permits a minimum Java version of 21. The minimum Java
        version for Tomcat 11 may be increased to Java 21 before the first
        stable release. (markt)
      </update>
    </changelog>
  </subsection>
  <subsection name="Catalina">
    <changelog>
      <fix>
        Allow a Valve to access cookies from a request that cannot be mapped to
        a Context. (markt)
      </fix>
      <add>
        Implement the new Servlet API methods for setting character encodings
        that accept <code>Charset</code> objects. (markt)
      </add>
      <update>
        The default HEAD response no longer includes some HTTP header fields
        where the value is determined only while generating the content as per
        section 9.3.2 of RFC 9110. (markt)
      </update>
      <fix>
        <bug>66438</bug>: Correct names of Jakarta modules in JPMS metadata.
        (markt)
      </fix>
      <update>
        Switch to using the ServiceLoader mechanism to load the custom URL
        protocol handlers that Tomcat uses. (markt)
      </update>
      <fix>
        Switch to using <code>LongAdder</code> rather than
        <code>AtomicInteger</code> to track request count and error count for
        servlets. (markt)
      </fix>
      <fix>
        Implement the clarification from the Jakarta Servlet project that
        Servlets mapped to the context root should be mapped for requests to the
        context root with or without the trailing <code>/</code>. (markt)
      </fix>
      <fix>
        Implement the clarification from the Jakarta Servlet project that
        calling <code>ServletOutputStream.close()</code> on a stream in
        non-blocking mode returns immediately with the stream effectively closed
        and any data remaining to be written is written in the background by the
        container. (markt)
      </fix>
      <fix>
        Avoid possible ISE when scanning from bad JAR URLs, to restore the
        previous behavior following the removal of Java 9+ reflection code which
        caught the ISE. (remm)
      </fix>
      <fix>
        Refactor uses of <code>String.replaceAll()</code> to use
        <code>String.replace()</code> where regular expressions where not being
        used. Pull request <pr>581</pr> provided by Andrei Briukhov. (markt)
      </fix>
      <add>
        Add error report valve that allows redirecting to of proxying from an
        external web server. Based on code and ideas from pull request
        <pr>506</pr> provided by Max Fortun. (remm)
      </add>
      <add>
        <bug>66470</bug>: Add the Shared Address Space defined by RFC 6598
        (100.64.0.0/10) to the regular expression used to identify internal
        proxies for the <code>RemoteIpFilter</code> and
        <code>RemoteIpValve</code>. (markt)
      </add>
      <fix>
        <bug>66471</bug>: Fix JSessionId secure attribute missing When
        <code>RemoteIpFilter</code> determines that this request was submitted
        via a secure channel. (lihan)
      </fix>
      <add>
        Add the additional HTTP status code constants to
        <code>HttpServletResponse</code> defined by the Jakarta Servlet project
        for the Servlet 6.1 API. (markt)
      </add>
      <fix>
        Implement the clarification from the Jakarta Servlet project that
        calling one of the <code>HttpServletResponse</code> methods for setting
        HTTP header values with <code>null</code> as the new header value
        removes any existing header of that name. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <add>
        Log basic information for each configured TLS certificate when Tomcat
        starts. (markt)
      </add>
      <fix>
        <bug>66442</bug>: When an HTTP/2 response must not include a body,
        ensure that the end of stream flag is set on the headers frame and that
        no data frame is sent. (markt)
      </fix>
      <fix>
        Fix a bug that prevented HTTP/2 connections from timing out when using
        a Connector configured with <code>useAsyncIO=true</code> (the default).
        (markt)
      </fix>
      <add>
        Provided dedicated loggers
        (<code>org.apache.tomcat.util.net.NioEndpoint.certificate</code> /
        <code>org.apache.tomcat.util.net.Nio2Endpoint.certificate</code>) for
        logging of configured TLS certificates. (markt)
      </add>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <fix>
        <bug>66419</bug>: Fix calls from expression language to a method that
        accepts varargs when only one argument was passed. (markt)
      </fix>
      <fix>
        <bug>66441</bug>: Make imports of static fields in JSPs visible to any
        EL expressions used on the page. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <fix>
        <bug>66429</bug>: Documentation. Limit access to the documentation web
        application to localhost by default. (markt)
      </fix>
      <fix>
        <bug>66429</bug>: Examples. Limit access to the examples web application
        to localhost by default. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <update>
        Update BND to 6.4.0. (markt)
      </update>
      <update>
        Remove support for starting Tomcat under a SecurityManager. (markt)
      </update>
      <add>
        Improvements to Chinese translations. (lihan)
      </add>
      <add>
        Improvements to French translations. (remm)
      </add>
      <add>
        Improvements to Japanese translations. Contributed by tak7iji. (markt)
      </add>
      <add>
        Improvements to Korean translations. (woonsan)
      </add>
      <update>
        Update the packaged version of the Apache Tomcat Native Library to 2.0.3
        to pick up the Windows binaries built with with OpenSSL 3.0.8. (markt)
      </update>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 11.0.0-M2 (markt)" rtext="not released">
  <subsection name="Catalina">
    <changelog>
      <add>
        Update the <code>ServletInputStream</code> and
        <code>ServletOuputStream</code> classes in the Servlet API to align with
        the recent updates in the Jakarta Servlet specification to support
        reading and writing with <code>ByteBuffer</code>s. The changes also
        clarified various aspects of the Servlet non-blocking API. (markt)
      </add>
      <fix>
        <bug>66388</bug>: Correct a regression in the refactoring that replaced
        the use of the <code>URL</code> constructors. The regression broke
        lookups for resources that contained one or more characters in their
        name that required escaping when used in a URI path. (markt)
      </fix>
      <fix>
        <bug>66392</bug>: Change the default value of <code>AccessLogValve</code>'s
        file encoding to UTF-8 and update documentation. (lihan)
      </fix>
      <fix>
        <bug>66393</bug>: Align <code>ExtendedAccessLogValve</code>'s x-P(XXX) with the
        documentation. (lihan)
      </fix>
      <fix>
        Remove JAX-RPC support which was removed from the Jakarta EE platform
        for Jakarta EE 9. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        Update Cookie parsing and handling to treat the quotes in a quoted
        cookie value as part of the value as required by RFC 6265 and explicitly
        clarified in RFC 6265bis. (markt)
      </fix>
      <add>
        Add an RFC 8941 structured field parser. (markt)
      </add>
      <add>
        Add a parser for the <code>priority</code> HTTP header field defined in
        RFC 9218. (markt)
      </add>
      <fix>
        When resetting an HTTP/2 stream because the final response has been
        generated before the request has been fully read, use the HTTP/2 error
        code <code>NO_ERROR</code> so that client does not discard the response.
        Based on a suggestion by Lorenzo Dalla Vecchia. (markt)
      </fix>
      <fix>
        <bug>66385</bug>: Correct a bug in HTTP/2 where a non-blocking read for
        a new frame with the NIO2 connector was incorrectly made using the read
        timeout leading to unexpected stream closure. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <fix>
        <bug>66370</bug>: Change the default of the
        <code>org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED</code> system
        property to <code>true</code> unless the EL library is running on Tomcat
        in which case the default remains <code>false</code> as the EL library
        is already called from within a privileged block and skipping the
        unnecessary privileged block improves performance. (markt)
      </fix>
      <add>
        Add support for specifying Java 21 (with the value <code>21</code>) as
        the compiler source and/or compiler target for JSP compilation. If used
        with an Eclipse JDT compiler version that does not support these values,
        a warning will be logged and the default will used.
        (markt)
      </add>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <update>
        Update the packaged version of the Apache Tomcat Migration Tool for
        Jakarta EE to 1.0.6. (markt)
      </update>
      <update>
        Update the internal fork of Apache Commons BCEL to 2ee2bff (2023-01-03,
        6.7.1-SNAPSHOT). (markt)
      </update>
      <update>
        Update the internal fork of Apache Commons Codec to 3eafd6c (2023-01-03,
        1.16-SNAPSHOT). (markt)
      </update>
      <update>
        Update the internal fork of Apache Commons FileUpload to 34eb241
        (2023-01-03, 2.0-SNAPSHOT). (markt)
      </update>
      <update>
        Update the internal fork of Apache Commons DBCP to f131286 (2023-01-03,
        2.10.0-SNAPSHOT). (markt)
      </update>
      <add>
        Improvements to Japanese translations. Contributed by Shirayuking.
        (markt)
      </add>
      <add>
        Improvements to Portuguese translations. Contributed by Guilherme
        Custódio. (markt)
      </add>
      <update>
        Update to the Eclipse JDT compiler 4.26. (markt)
      </update>
      <update>
        Update Checkstyle to 10.6.0. (markt)
      </update>
      <update>
        Update Unboundid to 6.0.7. (markt)
      </update>
      <update>
        Update SpotBugs to 4.7.3. (markt)
      </update>
    </changelog>
  </subsection>
</section>
<section name="Tomcat 11.0.0-M1 (markt)" rtext="2022-12-05">
  <subsection name="General">
    <changelog>
      <scode>
        This release contains all of the changes up to and including those in
        Apache Tomcat 10.1.1 plus the additional changes listed below. (markt)
      </scode>
    </changelog>
  </subsection>
  <subsection name="Catalina">
    <changelog>
      <fix>
        <bug>66175</bug>: Change the default character set used by the
        <code>BasicAuthenticator</code> from ISO-8859-1 to UTF-8. (markt)
      </fix>
      <add>
        <bug>66209</bug>: Add a configuration option to allow bloom filters used
        to index JAR files to be retained for the lifetime of the web
        application. Prior to this addition, the indexes were always flushed by
        the periodic calls to <code>WebResourceRoot.gc()</code>. As part of this
        addition, configuration of archive indexing moves from
        <code>Context</code> to <code>WebResourceRoot</code>. Based on a patch
        provided by Rahul Jaisimha. (markt)
      </add>
      <fix>
        <bug>66330</bug>: Correct a regression introduced when fixing
        <bug>62897</bug> that meant any value configured for
        <code>skipMemoryLeakChecksOnJvmShutdown</code> on the
        <code>Context</code> was ignored and the default was always used.
        (markt)
      </fix>
      <fix>
        <bug>66331</bug>: Fix a regression in refactoring for <code>Stack</code>
        on the <code>SystemLogHandler</code> which caught incorrect exception.
        (lihan)
      </fix>
      <fix>
        <bug>66338</bug>: Fix a regression that caused a nuance in refactoring
        for <code>ErrorReportValve</code>. (lihan)
      </fix>
      <fix>
        Escape values used to construct output for the
        <code>JsonErrorReportValve</code> to ensure that it always outputs valid
        JSON. (markt)
      </fix>
      <fix>
        Correct the default implementation of
        <code>HttpServletRequest.isTrailerFieldsReady()</code> to return
        <code>true</code> so it is consistent with the default implementation of
        <code>HttpServletRequest.getTrailerFields()</code> and with the Servlet
        API provided by the Jakarta EE project. (markt)
      </fix>
      <fix>
        Refactor <code>WebappLoader</code> so it only has a runtime dependency
        on the migration tool for Jakarta EE if configured to use the converter
        as classes are loaded. (markt)
      </fix>
      <fix>
        Improve the behavior of the credential handler attribute that is set in
        the Servlet context so that it actually reflects what is used during
        authentication. (remm)
      </fix>
      <fix>
        <bug>66359</bug>: Update javadoc for RemoteIpValve and RemoteIpFilter with
        correct <code>protocolHeader</code> default value of "X-Forwarded-Proto".
        (lihan)
      </fix>
      <add>
        Add support for the new attribute for error dispatches
        <code>jakarta.servlet.error.query_string</code>. (markt)
      </add>
      <update>
        Update <code>ignoreAnnotation</code> attribute on <code>Context</code>
        to dissociate it from <code>metadata-complete</code>. (remm)
      </update>
    </changelog>
  </subsection>
  <subsection name="Coyote">
    <changelog>
      <fix>
        Correct the date format used with the expires attribute of HTTP cookies.
        A single space rather than a single dash should be used to separate the
        day, month and year components to be compliant with RFC 6265. (markt)
      </fix>
      <add>
        Include the name of the current stream state in the error message when a
        stream is cancelled due to an attempt to write to the stream when it is
        in a state that does not permit writes. (markt)
      </add>
      <scode>
        NIO writes never return -1 so refactor <code>CLOSED_NIO_CHANNEL</code>
        not to do so and remove checks for this return value. Based on
        <pr>562</pr> by tianshuang. (markt)
      </scode>
      <scode>
        Remove unnecessary code that exposed the <code>asyncTimeout</code> to
        components that never used it. (markt)
      </scode>
      <fix>
        Ensure that all <code>MessageBytes</code> conversions to byte arrays are
        valid for the configured character set and throw an exception if not.
        (markt)
      </fix>
      <fix>
        When an HTTP/2 stream was reset, the current active stream count was not
        reduced. If enough resets occurred on a connection, the current active
        stream count limit was reached and no new streams could be created on
        that connection. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Jasper">
    <changelog>
      <fix>
        <bug>66294</bug>: Make the use of a privileged block to obtain the
        thread context class loader added to address <bug>62080</bug> optional
        and disabled by default. This is now controlled by the
        <code>org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED</code> system
        property. (markt)
      </fix>
      <fix>
        <bug>66317</bug>: Fix for Lambda coercion security manager missing
        privileges. Based on pull request #557 by Isaac Rivera Rivas (lihan)
      </fix>
      <fix>
        <bug>66325</bug>: Fix concurrency issue in evaluation of expression
        language containing lambda expressions. (markt)
      </fix>
      <add>
        Update the <code>ErrorData</code> class in the JSP API to align with the
        recent changes in the Jakarta Pages specification to support the new
        error dispatch attribute
        <code>jakarta.servlet.error.query_string</code>.
      </add>
    </changelog>
  </subsection>
  <subsection name="Web applications">
    <changelog>
      <fix>
        <bug>66348</bug>: Update the JARs listed in the class loader
        documentation and note which ones are optional. (markt)
      </fix>
      <fix>
        Documentation. Replace references in the application developer's guide
        to CVS with more general references to a source code control system.
        (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="jdbc-pool">
    <changelog>
      <fix>
        <bug>66346</bug>: Ensure all JDBC pool JARs are reproducible. Pull
        request <pr>566</pr> provided by John Neffenger. (markt)
      </fix>
    </changelog>
  </subsection>
  <subsection name="Other">
    <changelog>
      <update>
        Update to Commons Daemon 1.3.3. (markt)
      </update>
      <fix>
        <bug>66323</bug>: Move module start up parameters from
        <code>JDK_JAVA_OPTIONS</code> to <code>JAVA_OPTS</code> now that the
        minimum Java version is 11 and these options are always required.
        (markt)
      </fix>
      <add>
        Improvements to Chinese translations. Contributed by DigitalCat and
        lihan. (markt)
      </add>
      <add>
        Improvements to French translations. Contributed by Mathieu Bouchard.
        (markt)
      </add>
      <add>
        Improvements to Japanese translations. Contributed by Shirayuking and
        tak7iji. (markt)
      </add>
      <add>
        Improvements to Korean translations. (markt)
      </add>
      <add>
        Improvements to Spanish translations. (markt)
      </add>
      <fix>
        Correct a regression in the removal of the APR connector that broke
        Graal native image support. Pull request <pr>564</pr> provided by
        Sébastien Deleuze. (markt)
      </fix>
      <update>
        Update the packaged version of the Apache Tomcat Native Library to 2.0.2
        to pick up the Windows binaries built with with OpenSSL 3.0.7. (markt)
      </update>
      <update>
        Update the packaged version of the Apache Tomcat Migration Tool for
        Jakarta EE to 1.0.5. (markt)
      </update>
      <scode>
        Refactor code base to replace use of URL constructors. While they are
        deprecated in Java 20 onwards, the reasons for deprecation are valid for
        all versions so move away from them now. (markt)
      </scode>
      <scode>
        Refine the Tomcat native image metadata to avoid including unintended
        non-Tomcat resources. Pull request <pr>569</pr> provided by Sébastien
        Deleuze. (markt)
      </scode>
      <update>
        Update the internal fork of Apache Commons BCEL to b015e90 (2022-11-28,
        6.7.0-RC1). (markt)
      </update>
      <update>
        Update the internal fork of Apache Commons Codec to ae32a3f (2022-11-29,
        1.16-SNAPSHOT). (markt)
      </update>
      <update>
        Update the internal fork of Apache Commons FileUpload to aa8eff6
        (2022-11-29, 2.0-SNAPSHOT). (markt)
      </update>
    </changelog>
  </subsection>
</section>
</body>
</document>