Content

Other news

2015-12-15 Tomcat Native 1.2.3 Released

The Apache Tomcat Project is proud to announce the release of version 1.2.3 of Tomcat Native. The notable changes since 1.2.2 include:

  • Java keystore support.
  • Various fixes to align the Java and native APIs
  • Various fixes if building without OpenSSL

Note that, unless a regression is discovered in 1.2.x, users should now be using 1.2.x in preference to 1.1.x.

Download | ChangeLog for 1.2.3

2015-12-15 Tomcat Native 1.1.34 Released

The Apache Tomcat Project is proud to announce the release of version 1.1.34 of Tomcat Native. The notable changes since 1.1.33 include:

  • Unconditionally disable export Ciphers
  • Improve ephemeral key handling for DH and ECDH
  • Various fixes to build with newer OpenSSL versions

Note that, unless a regression is discovered in 1.2.x, users should now be using 1.2.x in preference to 1.1.x.

Download | ChangeLog for 1.1.34

2015-12-10 Tomcat 7.0.67 Released

The Apache Tomcat Project is proud to announce the release of version 7.0.67 of Apache Tomcat. This release contains a number of bug fixes and improvements compared to version 7.0.65. The notable changes since 7.0.65 include:

  • Allow file based configuration resources (e.g. key stores) to be configured using URLs.
  • Add an option to control (per context) quoting of EL expressions in JSP attributes. Restore the default behavior in Jasper to align with 7.0.64 and earlier as well as other JSP implementations.
  • Add a new RestCsrfPreventionFilter that provides basic CSRF protection for REST APIs.
  • Use instance manager for WebSocket server endpoint instances.
  • Location headers for redirects now use relative URIs. This can be controlled per Context with the useRelativeRedirects attribute.

Full details of these changes, and all the other changes, are available in the Tomcat 7 changelog.

Download | ChangeLog for 7.0.67

2015-12-06 Tomcat 8.0.30 Released

The Apache Tomcat Project is proud to announce the release of version 8.0.30 of Apache Tomcat. Apache Tomcat 8.0.30 includes fixes for issues identified in 8.0.29 as well as other enhancements and changes. The notable changes since 8.0.29 include:

  • Location headers for redirects now use relative URIs. This can be controlled per Context with the useRelativeRedirects attribute.
  • Correct a regression in 8.0.29 that broke redirects for context roots.
  • Restore the default setting of quoteAttributeEL in Jasper to true to align with 8.0.26/7.0.64 and earlier as well as other JSP implementations.

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Download

2015-11-24 Tomcat 8.0.29 Released

The Apache Tomcat Project is proud to announce the release of version 8.0.29 of Apache Tomcat. Apache Tomcat 8.0.29 includes fixes for issues identified in 8.0.28 as well as other enhancements and changes. The notable changes since 8.0.28 include:

  • Add an option to control (per context) quoting of EL expressions in JSP attributes.
  • Correct a regression in the fix for 56777 that added support for URIs in config file locations.
  • Add a new RestCsrfPreventionFilter that provides basic CSRF protection for REST APIs.
  • Use instance manager for WebSocket server endpoint instances.

Note: Due to issues with the code signing service, the Windows Installer has not been signed for this release.

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Download

2015-11-19 Tomcat 9.0.0.M1 (alpha) Released

The Apache Tomcat Project is proud to announce the release of version 9.0.0.M1 (alpha) of Apache Tomcat. The is the first milestone release of the 9.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 9.0.x so that they may provide feedback.The notable changes compared to 8.0.x include:

  • Adding support for HTTP/2, and TLS virtual hosting
  • An implementation of the current draft of the Servlet 4.0 specification
  • The BIO connectors, support for Windows Itanium and support for Comet have been removed

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

2015-11-09 Tomcat Native 1.2.2 Released

The Apache Tomcat Project is proud to announce the release of version 1.2.2 of Tomcat Native. The notable changes since 1.2.0 include:

  • Enable Tomcat Native 1.2.x to work with Tomcat releases that do not have the necessary Java code to support SNI.
  • Align OpenSSL I/O code with that in 1.1.x to ensure all fixes have been applied,

Download | ChangeLog for 1.2.2

2015-10-28 Tomcat Native 1.2.0 Released

The Apache Tomcat Project is proud to announce the release of version 1.2.0 of Tomcat Native. The notable changes since 1.1.33 include:

  • Windows binaries built with APR 1.5.1 and OpenSSL 1.0.2d
  • Itanium binaries no longer provided for Windows
  • ALPN support
  • SNI support
  • Add access methods for OpenSSL BIO

Download | ChangeLog for 1.2.0

2015-10-19 Tomcat 7.0.65 Released

The Apache Tomcat Project is proud to announce the release of version 7.0.65 of Apache Tomcat. This release contains a number of bug fixes and improvements compared to version 7.0.64. The notable changes since 7.0.64 include:

  • Add a web application class loader implementation that supports the parallel loading of web application classes. Use of this feature requires a Java 7 or later JRE

Full details of these changes, and all the other changes, are available in the Tomcat 7 changelog.

Download | ChangeLog for 7.0.65

2015-10-12 Tomcat 8.0.28 Released

The Apache Tomcat Project is proud to announce the release of version 8.0.28 of Apache Tomcat. Apache Tomcat 8.0.28 includes fixes for issues identified in 8.0.27 as well as other enhancements and changes. The notable changes since 8.0.27 include:

  • Allow file based configuration resources (e.g. key stores) to be configured using URLs.
  • Restore code signing to the Windows installer and uninstaller.

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Download

2015-10-01 Tomcat 8.0.27 Released

The Apache Tomcat Project is proud to announce the release of version 8.0.27 of Apache Tomcat. Apache Tomcat 8.0.27 includes a numerous fixes for issues identified in 8.0.26 as well as a number of other enhancements and changes. The notable changes since 8.0.26 include:

  • Correctly handle \${ vs \$ escaping in JSP and EL
  • Fix for issues with NIO + SSL + sendfile
  • Various TLD parsing fixes
  • Fix multiple (mostly rare and/or zero impact) concurrency issues

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Download

2015-08-25 Tomcat 7.0.64 Released

The Apache Tomcat Project is proud to announce the release of version 7.0.64 of Apache Tomcat. This release contains a number of bug fixes and improvements compared to version 7.0.63. The notable changes since 7.0.63 include:

  • Avoid an NPE when adding POJO WebSocket endpoints programmatically
  • Improved handling of async timeouts
  • Facilitate weaving by allowing ClassFileTransformer to be added to WebappClassLoader

Full details of these changes, and all the other changes, are available in the Tomcat 7 changelog.

Download | ChangeLog for 7.0.64

2015-08-21 Tomcat 8.0.26 Released

The Apache Tomcat Project is proud to announce the release of version 8.0.26 of Apache Tomcat. Apache Tomcat 8.0.26 includes a numerous fixes for issues identified in 8.0.24 as well as a number of other enhancements and changes. The notable changes since 8.0.24 include:

  • Fix EOF handling in the AJP APR/native connector to avoid the tight loop that caused high CPU load
  • Avoid an NPE when adding POJO WebSocket endpoints programmatically
  • Improved handling of async timeouts

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Download

2015-08-11 Tomcat Connectors 1.2.41 Released

The Apache Tomcat Project is proud to announce the release of version 1.2.41 of Apache Tomcat Connectors. This version fixes one security issue (CVE-2014-8111) and a number of bugs found in previous releases.

Download | ChangeLog for 1.2.41

2015-07-06 Tomcat 7.0.63 Released

The Apache Tomcat Project is proud to announce the release of version 7.0.63 of Apache Tomcat. This release contains a number of bug fixes and improvements compared to version 7.0.62. The notable changes since 7.0.62 include:

  • Added a workaround for SPNEGO authentication and a JRE regression in Java 8 update 40 onwards
  • Added the new HttpHeaderSecurityFilter
  • Extended support for the Web Socket permessage-deflate extension to the client implementation

Full details of these changes, and all the other changes, are available in the Tomcat 7 changelog.

Download | ChangeLog for 7.0.63

2015-07-06 Tomcat 8.0.24 Released

The Apache Tomcat Project is proud to announce the release of version 8.0.24 of Apache Tomcat. Apache Tomcat 8.0.24 includes a numerous fixes for issues identified in 8.0.23 as well as a number of other enhancements and changes. The notable changes since 8.0.23 include:

  • Provide path parameters to POJO based WebSocket endpoints to the per session javax.websocket.server.ServerEndpointConfig instance as the path parameters will vary between sessions.
  • Various fixes to the SlowQueryReport in jdbc-pool.
  • Various improvements to how Tomcat implements the requirements of SRV.10.7.2 (not loading Java SE and implemented specification classes from web applications).

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Download

2015-06-03 End of life for Apache Tomcat 6.0.x

End of life date for Apache Tomcat 6.0.x is announced. Read more...

2015-05-22 Tomcat 8.0.23 Released

The Apache Tomcat Project is proud to announce the release of version 8.0.23 of Apache Tomcat. Apache Tomcat 8.0.23 includes a numerous fixes for issues identified in 8.0.22 as well as a number of other enhancements and changes. The notable changes since 8.0.22 include:

  • Fixed corruption issues with NIO2 and TLS
  • Added a workaround for SPNEGO authentication and a JRE regression in Java 8 update 40 onwards
  • Added the new HttpHeaderSecurityFilter

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Download

2015-05-14 Tomcat 7.0.62 Released

The Apache Tomcat Project is proud to announce the release of version 7.0.62 of Apache Tomcat. This release contains a number of bug fixes and improvements compared to version 7.0.61.

Full details of these changes, and all the other changes, are available in the Tomcat 7 changelog.

Download | ChangeLog for 7.0.62

2015-05-12 Tomcat 6.0.44 Released

The Apache Tomcat Project is proud to announce the release of version 6.0.44 of Apache Tomcat. This release includes a number of security and bug fixes over Apache Tomcat 6.0.43. The notable changes include:

  • Update to Tomcat Native Library version 1.1.33 to pick up the Windows binaries that are based on OpenSSL 1.0.1m.

Note: End of life date for Apache Tomcat 6.0.x is announced. Read more...

Download | ChangeLog for 6.0.44

2015-05-05 Tomcat 8.0.22 Released

The Apache Tomcat Project is proud to announce the release of version 8.0.22 of Apache Tomcat. Apache Tomcat 8.0.22 includes a numerous fixes for issues identified in 8.0.21 as well as a number of other enhancements and changes. The notable changes since 8.0.21 include:

  • Change the format of the Tomcat specific URLs for resources inside JARs that are in turn packed in a WAR. The ^/ sequence has been replaced by */ so that the resulting URLs are compliant with RFC 2396 and do not trigger exceptions when converted to URIs. The old format will continue to be accepted.
  • Allow logging of the remote port in the access log using the format pattern %{remote}p.
  • When checking last modified times as part of the automatic deployment process, account for the fact that File.lastModified() has a resolution of one second to ensure that if a file has been modified within the last second, the latest version of the file is always used. Note that a side-effect of this change is that files with modification times in the future are treated as if they are unmodified.
  • Align redeploy resource modification checking with reload modification checking so that now, in both cases, a change in modification time rather than an increase in modification time is used to determine if the resource has changed.

Note: There is a known issue with NIO2 and SSL/TLS in this and previous releases that can result in dropped connections. It is not recommended that NIO2 is used in production with SSL/TLS until this issue is resolved (the fix is expected in 8.0.23).

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Download

2015-04-07 Tomcat 7.0.61 Released

The Apache Tomcat Project is proud to announce the release of version 7.0.61 of Apache Tomcat. This release contains a number of bug fixes and improvements compared to version 7.0.59. The notable changes since 7.0.59 include:

  • Add support for Java 8 JSSE server-preferred TLS cipher suite ordering. This feature requires Java 8.
  • Update to Tomcat Native Library version 1.1.33 to pick up the Windows binaries that are based on OpenSSL 1.0.1m and APR 1.5.1.
  • Implement a new feature for AJP connectors - Tomcat Authorization. If enabled Tomcat, will take an authenticated user name from the AJP protocol and use the appropriate Realm for the request to authorize (i.e. add roles) to that user.
  • Update the Eclipse JDT compiler to version 4.4.2.

Full details of these changes, and all the other changes, are available in the Tomcat 7 changelog.

Download | ChangeLog for 7.0.61

2015-03-26 Tomcat 8.0.21 Released

The Apache Tomcat Project is proud to announce the release of version 8.0.21 of Apache Tomcat. Apache Tomcat 8.0.21 includes a numerous fixes for issues identified in 8.0.20 as well as a number of other enhancements and changes. The notable changes since 8.0.20 include:

  • Enable Tomcat to detect when a WAR file has been changed while Tomcat is not running.
  • Add support for Java 8 JSSE server-preferred TLS cipher suite ordering. This feature requires Java 8.
  • Update to Tomcat Native Library version 1.1.33 to pick up the Windows binaries that are based on OpenSSL 1.0.1m and APR 1.5.1
  • Implement a new feature for AJP connectors - Tomcat Authorization. If enabled Tomcat, will take an authenticated user name from the AJP protocol and use the appropriate Realm for the request to authorize (i.e. add roles) to that user.

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Download

2015-03-23 Tomcat Native 1.1.33 Released

The Apache Tomcat Project is proud to announce the release of version 1.1.33 of Tomcat Native. The notable changes since 1.1.32 include:

  • Fixed a crash when the poller returned multiple events for the same socket.
  • Windows binaries are linked with OpenSSL 1.0.1m and APR 1.5.1.

Download | ChangeLog for 1.1.33

2015-02-20 Tomcat 8.0.20 Released

The Apache Tomcat Project is proud to announce the release of version 8.0.20 of Apache Tomcat. Apache Tomcat 8.0.20 includes a numerous fixes for issues identified in 8.0.18 as well as a number of other enhancements and changes. The notable changes since 8.0.18 include:

  • Fix a performance regression in the new resources implementation when signed JARs are used in a web application.
  • Fix several bugs that could cause multiple registrations for write events for a single socket when using Servlet 3.0 async. Typically, the side effects of these multiple registrations would be exceptions appearing in the logs.
  • Enhance the bean factory used for JNDI resources. The new attribute forceString allows to support non-standard string argument property setters.

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Download

2015-02-20 Apache Standard Taglib 1.2.3 Released

The Apache Tomcat Project is proud to announce the release of version 1.2.3 of the Standard Taglib. This tag library provides Apache's implementation of the JSTL 1.2 specification.

Version 1.2.3 is a security and bug fix release. It fixes a few bugs found in Standard Taglib 1.2.1 and provides protection against CVE-2015-0254 vulnerability (XXE and RCE via XSL extension in JSTL XML tags).

Please see the Taglibs section for more details.

Download | Changes

2015-02-04 Tomcat 7.0.59 Released

The Apache Tomcat Project is proud to announce the release of version 7.0.59 of Apache Tomcat. This release contains a number of bug fixes and improvements compared to version 7.0.57. The notable changes since 7.0.57 include:

  • Session ID Generator is now extensible.

Full details of these changes, and all the other changes, are available in the Tomcat 7 changelog.

Download | ChangeLog for 7.0.59

2015-01-26 Tomcat 8.0.18 Released

The Apache Tomcat Project is proud to announce the release of version 8.0.18 of Apache Tomcat. Apache Tomcat 8.0.18 includes a numerous fixes for issues identified in 8.0.17 as well as a number of other enhancements and changes. The notable changes since 8.0.17 include:

  • A regression that caused response truncation when using forwarding (57475) has been fixed.
  • Various improvements to ReplicatedMap in Tribes.

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Download

2015-01-15 Tomcat 8.0.17 Released

The Apache Tomcat Project is proud to announce the release of version 8.0.17 of Apache Tomcat. Apache Tomcat 8.0.17 includes numerous fixes for issues identified in 8.0.15 as well as a number of other enhancements and changes. The notable changes since 8.0.15 include:

  • Fixing a regression in annotation scanning introduced in 8.0.15
  • The RemoteAddrValve and RemoteHostValve can now optionally include the port when filtering along with a new option to trigger authentication rather than denying access
  • Various edge cases fixes in WebSocket

Warning: The following notable bug was found in 8.0.17: 57476: some HTTP responses may be truncated. The team works on preparing the next release (8.0.18) to address this issue.

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Download