From nobody@FreeBSD.org  Sun May 25 21:46:51 2014
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTPS id 2E943305
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 25 May 2014 21:46:51 +0000 (UTC)
Received: from cgiserv.freebsd.org (cgiserv.freebsd.org [IPv6:2001:1900:2254:206a::50:4])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(Client did not present a certificate)
	by mx1.freebsd.org (Postfix) with ESMTPS id 0F4E024EB
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 25 May 2014 21:46:51 +0000 (UTC)
Received: from cgiserv.freebsd.org ([127.0.1.6])
	by cgiserv.freebsd.org (8.14.8/8.14.8) with ESMTP id s4PLko9J017246
	for <freebsd-gnats-submit@FreeBSD.org>; Sun, 25 May 2014 21:46:50 GMT
	(envelope-from nobody@cgiserv.freebsd.org)
Received: (from nobody@localhost)
	by cgiserv.freebsd.org (8.14.8/8.14.8/Submit) id s4PLkocs017245;
	Sun, 25 May 2014 21:46:50 GMT
	(envelope-from nobody)
Message-Id: <201405252146.s4PLkocs017245@cgiserv.freebsd.org>
Date: Sun, 25 May 2014 21:46:50 GMT
From: Patrick Abeya <wombat@marsupial.org>
To: freebsd-gnats-submit@FreeBSD.org
Subject: [PATCH] Apache 7.0.54
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         190228
>Category:       ports
>Synopsis:       [PATCH] www/tomcat7: fix UTF-8 decoder
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    ale
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Sun May 25 21:50:00 UTC 2014
>Closed-Date:    
>Last-Modified:  Fri May 30 17:20:02 UTC 2014
>Originator:     Patrick Abeya
>Release:        10.0-RELEASE-p3
>Organization:
>Environment:
FreeBSD wallaby 10.0-RELEASE-p3 FreeBSD 10.0-RELEASE-p3 #0: Tue May 13 18:31:10 UTC 2014     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC  amd64
>Description:
Catalina

fix	 Fix custom UTF-8 decoder so that a byte of value 0xC1 is always rejected immediately as it is never valid in a UTF-8 byte sequence. Update UTF-8 decoder tests to account for UTF-8 decoding improvements in Java 8. The custom UTF-8 decoder is still required due to bugs in the UTF-8 decoder provided by Java. Java 8's decoder is better than Java 7's but it is still buggy. (markt)
fix	56027: Add more options for managing FIPS mode in the AprLifecycleListener. (schultz/kkolinko)
fix	56321: When a WAR is modified, undeploy the web application before deleting any expanded directory as the undeploy process may refer to classes that need to be loaded from the expanded directory. If the expanded directory is deleted first, any attempt to load a new class during undeploy will fail. (markt)
fix	56339: Avoid an infinite loop if an application calls session.invalidate() from the session destroyed event for that session. (markt)
update	56365: Simplify file name pattern matching code in StandardJarScanner. Ignore leading and trailing whitespace and empty strings when configuring patterns. Improve documentation. (kkolinko)
fix	56369: Ensure that removing an MBean notification listener reverts all the operations performed when adding an MBean notification listener. (markt)
add	56382: Information about finished deployment and its execution time is added to the log files. Patch is provided by Danila Galimov. (violetagg)
add	56383: Properties for disabling server information and error report are added to the org.apache.catalina.valves.ErrorReportValve. Based on the patch provided by Nick Bunn. (violetagg/kkolinko)
fix	 Only create XML parsing objects if required and fix associated potential memory leak in the default Servlet. (markt)
fix	 Modify generic exception handling so that StackOverflowError is not treated as a fatal error and can be handled and/or logged as required. (markt)
fix	56409: Avoid StackOverflowError on non-Windows systems if a file named \ is encountered when scanning for TLDs. (markt)
add	56430: Extend checks for suspicious URL patterns to include patterns of the form *.a.b which are not valid patterns for extension mappings. (markt)
add	 Extend XML factory, parser etc. memory leak protection to cover some additional locations where, theoretically, a memory leak could occur. (markt)
fix	 Ensure that a TLD parser obtained from the cache has the correct value of blockExternal. (markt)
fix	56441: Raise the visibility of exceptions thrown when a problem is encountered calling a getter or setter on a component attribute. The logging level is raised from debug to warning. (markt)
fix	56451: Make resources accessed via a context alias accessible via JNDI in the same way standard resources are available. (markt)
add	56463: Property for disabling server information is added to the DefaultServlet. Server information is presented in the response sent to the client when directory listings is enabled. (violetagg)
add	 Add the org.apache.naming package to the packages requiring code to have the defineClassInPackage permission when running under a security manager. (markt)
add	 Add the org.apache.naming.resources package to the packages requiring code to have the accessClassInPackage permission when running under a security manager. (markt)
fix	 Make the naming context tokens for containers more robust. Require RuntimePermission when introducing a new token. (markt/kkolinko)
fix	56472: Allow NamingContextListener to clean up on stop if its start failed. (kkolinko)
add	56492: Avoid eclipse debugger pausing on uncaught exceptions when tomcat renews its threads. (slaurent)
fix	 Minor fixes to ThreadLocalLeakPreventionListener. Do not trigger threads renewal for failed contexts. Do not ignore threadRenewalDelay setting. Improve documentation. (kkolinko)
fix	 Correct regression introduced in r797162 that broke authentication of users when using the JAASMemoryLoginModule. (markt)
fix	56501: HttpServletRequest.getContextPath() should return the undecoded context path used by the user agent. (markt)
fix	56523: When using SPNEGO authentication, log the exceptions associated with failed user logins at debug level rather than error level. (markt)
fix	56536: Ensure that HttpSessionBindingListener.valueUnbound() uses the correct class loader when the SingleSignOn valve is used. (markt)

Coyote
add	56399: Assert that both Coyote and Catalina request objects have been properly recycled. (kkolinko)
fix	56416: Correct documentation for default value of socket linger for the AJP and HTTP connectors. (markt)

>How-To-Repeat:

>Fix:


Patch attached with submission follows:

Index: Makefile
===================================================================
--- Makefile	(revision 355266)
+++ Makefile	(working copy)
@@ -2,7 +2,7 @@
 # $FreeBSD$
 
 PORTNAME=	tomcat
-PORTVERSION=	7.0.53
+PORTVERSION=	7.0.54
 CATEGORIES=	www java
 MASTER_SITES=	APACHE
 MASTER_SITE_SUBDIR=	tomcat/tomcat-7/v${PORTVERSION}/bin
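Review bot: the `PORTVERSION` bump from 7.0.53 to 7.0.54 is the only Makefile change, but the follow-up in this PR states that the release also fixes CVE-2014-0096, CVE-2014-0099 and CVE-2014-0075, so this update should be handled as a security fix. Suggest the commit message name those CVEs and that a matching security/vuxml entry covering versions below 7.0.54 go in alongside it, so installed 7.0.53 packages are flagged by audit tooling. Since `MASTER_SITE_SUBDIR` expands `${PORTVERSION}`, also confirm that the 7.0.54 distfile actually fetches from `tomcat/tomcat-7/v7.0.54/bin` on the APACHE mirrors.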
Index: distinfo
===================================================================
--- distinfo	(revision 355266)
+++ distinfo	(working copy)
@@ -1,2 +1,2 @@
-SHA256 (apache-tomcat-7.0.53.tar.gz) = f5e79d70ca7962d11abfc753e47b68a11fdfb4a409e76e2b7bd0a945f80f87c9
-SIZE (apache-tomcat-7.0.53.tar.gz) = 8780629
+SHA256 (apache-tomcat-7.0.54.tar.gz) = f0316c128881c4df384771dc0da8f8e80d861385798e57d22fd4068f48ab8724
+SIZE (apache-tomcat-7.0.54.tar.gz) = 8886891
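Review bot: the new `SHA256` and `SIZE` values for apache-tomcat-7.0.54.tar.gz come only from the submitter, so they should not be committed on trust. Regenerate distinfo with `make makesum` from a freshly fetched tarball, verify that tarball against the PGP signature Apache publishes for the release, and check that the resulting two lines match the ones in this hunk before committing.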


>Release-Note:
>Audit-Trail:

From: Patrick Abeya <wombat@marsupial.org>
To: bug-followup@FreeBSD.org,
 Patrick Abeya <wombat@marsupial.org>
Cc:  
Subject: Re: ports/190228: [PATCH] Apache 7.0.54
Date: Sun, 25 May 2014 17:51:30 -0400

 Woops, I meant Tomcat in the title! Not sure if anybody could fix this.
Responsible-Changed-From-To: freebsd-ports-bugs->ale 
Responsible-Changed-By: edwin 
Responsible-Changed-When: Thu May 29 04:15:33 UTC 2014 
Responsible-Changed-Why:  
Over to maintainer (via the GNATS Auto Assign Tool) 

http://www.freebsd.org/cgi/query-pr.cgi?pr=190228 

From: Patrick Abeya <wombat@marsupial.org>
To: bug-followup@FreeBSD.org,
 Patrick Abeya <wombat@marsupial.org>
Cc:  
Subject: Re: ports/190228: [PATCH] www/tomcat7: fix UTF-8 decoder
Date: Fri, 30 May 2014 13:15:28 -0400

 Also contains a fix for the following reported security vulnerabilities:
 CVE-2014-0096, and CVE-2014-0099 and CVE-2014-0075. Please increase
 priority.
>Unformatted:
