This was extracted (@ 2024-12-18 22:10) from a list of minutes
which have been approved by the Board.
Please Note
The Board typically approves the minutes of the previous meeting at the
beginning of every Board meeting; therefore, the list below does not
normally contain details from the minutes of the most recent Board meeting.
WARNING: these pages may omit some original contents of the minutes.
Meeting times vary; the exact schedule is available to ASF Members and Officers. Search for "calendar" in the Foundation's private index page (svn:foundation/private-index.html).
Report was filed, but display is awaiting the approval of the Board minutes.
## Description:
The Apache Tomcat® software is an open source implementation of the Jakarta Servlet, Jakarta Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Annotations and Jakarta Authentication specifications. These specifications are part of the Jakarta EE platform.

## Project Status:
There are no issues requiring board attention at this time

## Membership Data:
Apache Tomcat was founded 2005-05-18 (19 years ago)
There are currently 50 committers and 29 PMC members in this project.
The Committer-to-PMC ratio is roughly 7:4.

Community changes, past quarter:
- No new PMC members. Last addition was Han Li on 2023-03-06.
- No new committers. Last addition was Dimitris Soumis on 2024-07-05.

## Project Activity:
- Apache Tomcat 11.0.0 first stable 25th Anniversary Edition released on 2024-10-09.
- Apache Tomcat 10.1.31 was released on 2024-10-09.
- Apache Tomcat 10.1.30 was released on 2024-09-17.
- Apache Tomcat 10.1.29 was released on 2024-09-10.
- Apache Tomcat 10.1.28 was released on 2024-08-06.
- Apache Tomcat 10.1.26 was released on 2024-07-12.
- Apache Tomcat 9.0.96 was released on 2024-10-08.
- Apache Tomcat 9.0.95 was released on 2024-09-17.
- Apache Tomcat 9.0.94 was released on 2024-09-10.
- Apache Tomcat Connectors jk-1.2.50 was released on 2024-08-12.
- Apache Tomcat 9.0.93 was released on 2024-08-06.

## Community Health:
- Continued healthy activity across multiple components and responsiveness on both dev and user lists.
- We had a half-day track @ CoC Denver.

No report was submitted.
## Description:
- A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation and Jakarta EE equivalents.

## Project Status:
- There are no issues requiring board attention at this time

## Membership Data:
- Apache Tomcat was founded 2005-05-18 (18 years ago)
- There are currently 48 committers and 29 PMC members in this project.
- Han Li was added to the PMC on 2023-03-06.
- No new committers. Last addition was Han Li on 2022-08-23.
- The currently active committers are drawn from a diverse range of companies.

## Project Activity:
- Apache Tomcat 11.0.0-M20 (alpha) was released on 2024-05-08.
- Apache Tomcat 11.0.0-M19 (alpha) was released on 2024-04-16.
- Apache Tomcat 11.0.0-M18 (alpha) was released on 2024-03-14.
- Apache Tomcat 10.1.24 was released on 2024-05-13.
- Apache Tomcat 10.1.20 was released on 2024-03-25.
- Apache Tomcat 9.0.89 was released on 2024-05-07.
- Apache Tomcat 9.0.88 was released on 2024-04-16.
- Apache Tomcat 9.0.87 was released on 2024-03-14.
- Apache Tomcat 8.5.100 was released on 2024-03-25.

## Community Health:
- Continued healthy activity across multiple components and responsiveness on both dev and user lists.
- Participated in the ApacheCon/Community Over Code in Bratislava in June 2024.
- We have organized Security Day EU 2024 on June 6th. The event was by invitation only, and attended by 7 Apache Tomcat PMC members, and five additional guests. The purpose of the meeting was how to improve Apache Tomcat security. More info can be found at
  https://cwiki.apache.org/confluence/display/TOMCAT/Security+Day+EU+2024
  This event used about 1/3 of the security funding Google provided so we intend to run similar events in the future supported with the remaining funding.
- We are starting to see discussions on list to follow up on the various topics that were discussed on the Security Day EU 2024.

## Description:
- A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation and Jakarta EE equivalents.

## Project Status:
- There are no issues requiring board attention at this time

## Membership Data:
- Apache Tomcat was founded 2005-05-18 (18 years ago)
- There are currently 48 committers and 29 PMC members in this project.
- Han Li was added to the PMC on 2023-03-06.
- No new committers. Last addition was Han Li on 2022-08-23.

## Project Activity:
- Apache Tomcat 11.0.0-M17 (alpha) was released on 2024-02-19.
- Apache Tomcat 10.1.19 was released on 2024-02-19.
- Apache Tomcat 10.1.18 was released on 2024-01-09.
- Apache Tomcat 9.0.86 was released on 2024-02-19.
- Apache Tomcat 9.0.85 was released on 2024-01-09.
- Apache Tomcat 8.5.99 was released on 2024-02-19.
- Apache Tomcat 8.5.98 was released on 2024-01-09.
- Apache Tomcat Native 2.0.7 was released on 2024-02-08.

## Community Health:
- Continued healthy activity across multiple components and responsiveness on both dev and user lists.
- Participated in the web-server/Tomcat track at ApacheCon/Community Over Code in Halifax in October 2023.
- Apache Tomcat will end support for Apache Tomcat 8.5.x on 31 March 2024.
  https://tomcat.apache.org/tomcat-85-eol.html

## Trademark:
- No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on.

## Description:
- A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation and Jakarta EE equivalents.

## Project Status:
- There are no issues requiring board attention at this time

## Membership Data:
- Apache Tomcat was founded 2005-05-18 (18 years ago)
- There are currently 48 committers and 29 PMC members in this project.
- Han Li was added to the PMC on 2023-03-06.
- No new committers. Last addition was Han Li on 2022-08-23.

## Project Activity:
- Apache Tomcat 11.0.0-M15 was released on 2023-12-12.
- Apache Tomcat 11.0.0-M14 was released on 2023-11-15.
- Apache Tomcat 11.0.0-M13 was released on 2023-10-14.
- Apache Tomcat 10.1.17 was released on 2023-12-12.
- Apache Tomcat 10.1.14 was released on 2023-10-10.
- Apache Tomcat 9.0.84 was released on 2023-12-12.
- Apache Tomcat 9.0.82 was released on 2023-10-13.
- Apache Tomcat 9.0.81 was released on 2023-10-10.
- Apache Tomcat 8.5.97 was released on 2023-12-12.
- Apache Tomcat 8.5.94 was released on 2023-10-10.

## Community Health:
- Continued healthy activity across multiple components and responsiveness on both dev and user lists.
- Apache Tomcat will end support for Apache Tomcat 8.5.x on 31 March 2024.
  https://tomcat.apache.org/tomcat-85-eol.html

## Trademark:
- No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on.

## Description:
- A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation and Jakarta EE equivalents.

## Project Status:
- There are no issues requiring board attention at this time

## Membership Data:
- Apache Tomcat was founded 2005-05-18 (18 years ago)
- There are currently 48 committers and 29 PMC members in this project.
- Han Li was added to the PMC on 2023-03-06.
- No new committers. Last addition was Han Li on 2022-08-23.

## Project Activity:
- Apache Tomcat 11.0.0-M11 was released on 2023-08-25.
- Apache Tomcat 11.0.0-M10 was released on 2023-08-14.
- Apache Tomcat 11.0.0-M9 was released on 2023-07-10.
- Apache Tomcat 10.1.13 was released on 2023-08-25.
- Apache Tomcat 10.1.12 was released on 2023-08-14.
- Apache Tomcat 10.1.11 was released on 2023-07-10.
- Apache Tomcat 9.0.80 was released on 2023-08-25.
- Apache Tomcat 9.0.79 was released on 2023-08-15.
- Apache Tomcat 9.0.78 was released on 2023-07-10.
- Apache Tomcat 8.5.93 was released on 2023-08-15.
- Apache Tomcat 8.5.92 was released on 2023-08-14.
- Apache Tomcat 8.5.91 was released on 2023-07-10.
- Apache Tomcat Native 2.0.5 was released on 2023-08-07.
- Apache Tomcat Native 1.2.38 was released on 2023-08-07.

## Community Health:
- Continued healthy activity across multiple components and responsiveness on both dev and user lists.
- Participating in the web-server/Tomcat track at ApacheCon/Community Over Code(CON?) in Halifax in October
- Apache Tomcat will end support for Apache Tomcat 8.5.x on 31 March 2024.
  https://tomcat.apache.org/tomcat-85-eol.html

## Trademark:
- No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on.

## Description:
- A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation and Jakarta EE equivalents.

## Project Status:
- There are no issues requiring board attention at this time

## Membership Data:
- Apache Tomcat was founded 2005-05-18 (18 years ago)
- There are currently 48 committers and 29 PMC members in this project.
- Han Li was added to the PMC on 2023-03-06.
- No new committers. Last addition was Han Li on 2022-08-23.

## Project Activity:
- Apache Tomcat 11.0.0-M7 was released on 2023-06-08. This release is a milestone release and is targeted at Jakarta EE 11.
- Apache Tomcat 10.1.10 was released on 2023-06-12.
- Apache Tomcat 10.1.9 was released on 2023-05-19.
- Apache Tomcat 10.1.8 was released on 2023-04-19.
- Apache Tomcat 9.0.76 was released on 2023-06-09.
- Apache Tomcat 9.0.75 was released on 2023-05-10.
- Apache Tomcat 9.0.74 was released on 2023-04-18.
- Apache Tomcat 8.5.90 was released on 2023-06-12.
- Apache Tomcat 8.5.89 was released on 2023-05-19.
- Apache Tomcat 8.5.88 was released on 2023-04-18.
- Apache Tomcat Native 2.0.4 was released on 2023-06-02.
- Apache Tomcat Native 1.2.37 was released on 2023-06-02.

## Community Health:
- Continued healthy activity across multiple components and responsiveness on both dev and user lists.
- Apache Tomcat will end support for Apache Tomcat 8.5.x on 31 March 2024.
  https://tomcat.apache.org/tomcat-85-eol.html

## Trademark:
- No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on.

## Description:
- A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation and Jakarta EE equivalents.

## Issues:
- There are no issues requiring board attention at this time

## Membership Data:
- Apache Tomcat was founded 2005-05-18 (18 years ago)
- There are currently 48 committers and 29 PMC members in this project.
- Han Li was added to the PMC on 2023-03-06.
- No new committers. Last addition was Han Li on 2022-08-23.

## Project Activity:
- Apache Tomcat 11.0.0-M3 was released on 2023-02-23. This release is a milestone release and is targeted at Jakarta EE 11.
- Apache Tomcat 10.1.6 was released on 2023-02-24.
- Apache Tomcat 9.0.73 was released on 2023-03-03.
- Apache Tomcat 9.0.72 was released on 2023-02-23.
- Apache Tomcat 9.0.71 was released on 2023-01-13.
- Apache Tomcat 8.5.87 was released on 2023-03-03.
- Apache Tomcat 8.5.86 was released on 2023-02-24.
- Apache Tomcat 8.5.85 was released on 2023-01-19.
- Apache Tomcat Native 2.0.3 was released on 2023-02-13.
- Apache Tomcat Native 1.2.36 was released on 2023-02-13.

## Community Health:
- Continued healthy activity across multiple components and responsiveness on both dev and user lists.
- Apache Tomcat ended support for Apache Tomcat 8.5.x on 31 March 2024.
  https://tomcat.apache.org/tomcat-85-eol.html

## Trademark:
- No new trademark issues in the last 4 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on.

No report was submitted.
## Description:
- A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation and Jakarta EE equivalents.

## Issues:
- There are no issues requiring board attention at this time

## Membership Data:
- Apache Tomcat was founded 2005-05-18 (18 years ago)
- There are currently 48 committers and 28 PMC members in this project.
- No new PMC members. Last addition was Igal Sapir on 2019-03-18.
- No new committers. Last addition was Han Li on 2022-08-23.

## Project Activity:
- Apache Tomcat 11.0.0-M1 was released on 2022-11-21. This release is a milestone release and is targeted at Jakarta EE 11.
- Apache Tomcat 10.1.4 was released on 2022-12-09
- Apache Tomcat 10.0.27 was released on 2022-10-10
- Apache Tomcat 9.0.70 was released on 2022-12-05
- Apache Tomcat 8.5.84 was released on 2022-11-21
- Apache Tomcat Migration Tool for Jakarta EE 1.0.6 was released on 2022-12-05
- Apache Tomcat Native 2.0.2 was released on 2022-11-08

## Community Health:
- Continued healthy activity across multiple components and responsiveness on both dev and user lists.
- The Apache Tomcat team announces that support for Apache Tomcat 8.5.x will end on 31 March 2024.
  https://tomcat.apache.org/tomcat-85-eol.html

## Trademark:
- No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on.

## Description:
- A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation and Jakarta EE equivalents.

## Issues:
- There are no issues requiring board attention at this time

## Membership Data:
- Apache Tomcat was founded 2005-05-18 (17 years ago)
- There are currently 48 committers and 28 PMC members in this project.
- No new PMC members. Last addition was Igal Sapir on 2019-03-18.
- Han Li was added as committer on 2022-08-23

## Project Activity:
- Apache Tomcat 10.1.0-M17 (beta) was released on 2022-07-20
- Apache Tomcat 10.1.0-M16 (beta) was released on 2022-06-09
- Apache Tomcat 10.0.23 was released on 2022-07-26
- Apache Tomcat 10.0.22 was released on 2022-06-09
- Apache Tomcat 9.0.65 was released on 2022-07-20
- Apache Tomcat 9.0.64 was released on 2022-06-17
- Apache Tomcat 8.5.82 was released on 2022-08-13
- Apache Tomcat 8.5.81 was released on 2022-06-11
- Apache Tomcat Native 2.0.1 was released on 2022-07-12
- Apache Tomcat Native 1.2.35 was released on 2022-07-12
- Apache Tomcat Native 1.2.34 was released on 2022-06-14
- Apache Tomcat Migration Tool for Jakarta EE 1.0.3 was released on 2022-09-12
- Apache Tomcat Migration Tool for Jakarta EE 1.0.1 was released on 2022-07-11

## Community Health:
- Continued healthy activity across multiple components and responsiveness on both dev and user lists.

## Trademark:
- No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on.

## Description:
- A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation and Jakarta EE equivalents.

## Issues:
- There are no issues requiring board attention at this time

## Membership Data:
- There are currently 28 PMC members. Igal Sapir was added to the PMC on Mar 18 2019
- There are currently 47 committers. Raymond Augé was added as committer on 2020-07-02

## Project Activity:
- Apache Tomcat 10.1.0-M15 (alpha) was released on 2022-05-16
- Apache Tomcat 10.1.0-M14 (alpha) was released on 2022-04-01
- Apache Tomcat 10.1.0-M12 (alpha) was released on 2022-03-14
- Apache Tomcat 10.0.21 was released on 2022-05-16
- Apache Tomcat 10.0.20 was released on 2022-04-01
- Apache Tomcat 10.0.18 was released on 2022-03-14
- Apache Tomcat 9.0.63 was released on 2022-05-16
- Apache Tomcat 9.0.62 was released on 2022-04-01
- Apache Tomcat 9.0.60 was released on 2022-03-14
- Apache Tomcat 8.5.79 was released on 2022-05-23
- Apache Tomcat 8.5.78 was released on 2022-04-01
- Apache Tomcat 8.5.77 was released on 2022-03-17
- Apache Tomcat Native 1.2.33 was released on 2022-05-09

## Community Health:
- Continued healthy activity across multiple components and responsiveness on both dev and user lists.

## Trademark:
- No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on.

## Private:
- Detailed history is available at: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt

## Description:
- A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation and Jakarta EE equivalents.

## Issues:
- There are no issues requiring board attention at this time

## Membership Data:
- There are currently 28 PMC members. Igal Sapir was added to the PMC on Mar 18 2019
- There are currently 47 committers. Raymond Augé was added as committer on 2020-07-02

## Project Activity:
- Apache Tomcat 10.1.0-M11 (alpha) was released on 2022-02-28
- Apache Tomcat 10.1.0-M10 (alpha) was released on 2022-01-20
- Apache Tomcat 10.0.17 was released on 2022-02-28
- Apache Tomcat 10.0.16 was released on 2022-01-20
- Apache Tomcat 9.0.59 was released on 2022-02-28
- Apache Tomcat 9.0.58 was released on 2022-01-20
- Apache Tomcat 8.5.76 was released on 2022-02-28
- Apache Tomcat 8.5.75 was released on 2022-01-17

## Community Health:
- Continued healthy activity across multiple components and responsiveness on both dev and user lists.

## Trademark:
- No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on.

## Description:
- A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation and Jakarta EE equivalents.

## Issues:
- There are no issues requiring board attention at this time

## Membership Data:
- There are currently 28 PMC members. Igal Sapir was added to the PMC on Mar 18 2019
- There are currently 47 committers. Raymond Augé was added as committer on 2020-07-02

## Project Activity:
Apache Tomcat 10.1.0-M7 is a milestone release and is targeted at Jakarta EE 10.

- Apache Tomcat 10.1.0-M7 (alpha) was released on 2021-11-07
- Apache Tomcat 10.0.13 was released on 2021-11-15
- Apache Tomcat 10.0.12 was released on 2021-10-01
- Apache Tomcat 10.0.11 was released on 2021-09-10
- Apache Tomcat 9.0.55 was released on 2021-11-15
- Apache Tomcat 9.0.54 was released on 2021-10-01
- Apache Tomcat 9.0.53 was released on 2021-09-10
- Apache Tomcat 8.5.73 was released on 2021-11-17
- Apache Tomcat 8.5.72 was released on 2021-10-06
- Apache Tomcat 8.5.71 was released on 2021-09-13

## Community Health:
- Continued healthy activity across multiple components and responsiveness on both dev and user lists.
- We had a one-full-day Tomcat track at ApacheCon @ Home 2021 and attendance was one of the highest of all the tracks that day (and for the whole conference). There were 7 presentations, 2 presented by non-Tomcat-committers.

## Security:
- Detailed status: http://tomcat.apache.org/security.html

## Trademark:
- No new trademark issues in the last 2 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on.
- Detailed history is available at: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt

## Description:
- A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation and Jakarta EE equivalents.

## Issues:
- There are no issues requiring board attention at this time

## Membership Data:
- There are currently 28 PMC members. Igal Sapir was added to the PMC on Mar 18 2019
- There are currently 47 committers. Raymond Augé was added as committer on 2020-07-02

## Project Activity:
Apache Tomcat 10.1.0-M4 is a milestone release and is targeted at Jakarta EE 10.

- Apache Tomcat 10.1.0-M4 (alpha) was released on 2021-08-06
- Apache Tomcat 10.0.10 was released on 2021-08-05
- Apache Tomcat 9.0.52 was released on 2021-08-06
- Apache Tomcat 8.5.70 was released on 2021-08-16
- Apache Tomcat Native 1.2.31 was released on 2021-09-01

## Community Health:
- Continued healthy activity across multiple components and responsiveness on both dev and user lists.

## Security:
- Detailed status: http://tomcat.apache.org/security.html

## Trademark:
- No new trademark issues in the last 2 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on.

## Description:
- A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation and Jakarta EE equivalents.

## Issues:
- There are no issues requiring board attention at this time

## Membership Data:
- There are currently 28 PMC members. Igal Sapir was added to the PMC on Mar 18 2019
- There are currently 47 committers. Raymond Augé was added as committer on 2020-07-02

## Community Health:
- Continued healthy activity across multiple components and responsiveness on both dev and user lists.

## Project Activity:
Apache Tomcat 10.1.0-M2 is a milestone release and is targeted at Jakarta EE 10.

- Apache Tomcat 10.1.0-M2 (alpha) was released on 2021-07-02
- Apache Tomcat 10.0.8 was released on 2021-07-02
- Apache Tomcat 10.0.7 was released on 2021-06-15
- Apache Tomcat 10.0.6 was released on 2021-05-12
- Apache Tomcat 10.0.5 was released on 2021-04-06
- Apache Tomcat 10.0.4 was released on 2021-03-10
- Apache Tomcat 9.0.50 was released on 2021-07-02
- Apache Tomcat 9.0.48 was released on 2021-06-28
- Apache Tomcat 9.0.46 was released on 2021-05-12
- Apache Tomcat 9.0.45 was released on 2021-04-06
- Apache Tomcat 9.0.44 was released on 2021-03-10
- Apache Tomcat 8.5.69 was released on 2021-07-05
- Apache Tomcat 8.5.68 was released on 2021-06-15
- Apache Tomcat 8.5.66 was released on 2021-05-12
- Apache Tomcat 8.5.65 was released on 2021-04-06
- Apache Tomcat 8.5.64 was released on 2021-03-10
- Apache Tomcat Native 1.2.30 was released on 2021-06-04
- Apache Tomcat Migration Tool for Jakarta EE 1.0.0 was released on 2021-05-07

## Security:
- Detailed status: http://tomcat.apache.org/security.html

## Trademark:
- No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on.

No report was submitted.
## Description:
- A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation and Jakarta EE equivalents.

## Issues:
- There are no issues requiring board attention at this time

## Membership Data:
- There are currently 28 PMC members. Igal Sapir was added to the PMC on Mar 18 2019
- There are currently 47 committers. Raymond Augé was added as committer on 2020-07-02

## Community Health:
- Continued healthy activity across multiple components and responsiveness on both dev and user lists.

## Project Activity:
Apache Tomcat 10.0.2 is the first stable 10.0.x release targeted for Jakarta EE 9.

- Apache Tomcat 10.0.2 was released on 2021-02-02
- Apache Tomcat 10.0.0 was released on 2020-12-08
- Apache Tomcat 9.0.43 was released on 2020-02-02
- Apache Tomcat 9.0.41 was released on 2020-12-08
- Apache Tomcat 8.0.63 was released on 2020-02-02
- Apache Tomcat 8.5.61 was released on 2020-12-08
- Apache Tomcat 7.0.108 was released on 2020-02-05

## Security:
- Detailed status: http://tomcat.apache.org/security.html

## Trademark:
- No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on.

## Description:
- A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation and Jakarta EE equivalents.

## Issues:
- There are no issues requiring board attention at this time

## Membership Data:
- There are currently 28 PMC members. Igal Sapir was added to the PMC on Mar 18 2019
- There are currently 47 committers. Raymond Augé was added as committer on 2020-07-02

## Community Health:
- Continued healthy activity across multiple components and responsiveness on both dev and user lists.

## Project Activity:
- ApacheCon NA 2020 went very well. Kudos to the conference team. Generally higher attendance on-line than in-person. Having recordings of everything is what really expands the reach though.
- Apache Tomcat 10.0.0-M10 was released on 2020-11-17.
- Apache Tomcat 10.0.0-M8 was released on 2020-09-14.
- Apache Tomcat 10.0.0-M9 was released on 2020-10-09.
- Apache Tomcat 9.0.40 was released on 2020-11-17.
- Apache Tomcat 9.0.39 was released on 2020-10-09.
- Apache Tomcat 9.0.38 was released on 2020-09-15.
- Apache Tomcat 8.5.60 was released on 2020-11-17.
- Apache Tomcat 8.5.59 was released on 2020-10-09.
- Apache Tomcat 8.5.58 was released on 2020-09-15.
- Apache Tomcat 7.0.107 was released on 2020-11-23.
- Apache Tomcat 7.0.106 was released on 2020-09-20.

## Security:
- Detailed status: http://tomcat.apache.org/security.html
- We are planning a project specific, security focussed event for Feb 2021 using Google provided funding.

## Trademark:
- No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on.
- Detailed history is available in svn.

## Description:
- A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation.

## Issues:
- There are no issues requiring board attention at this time

## Membership Data:
- There are currently 28 PMC members. Igal Sapir was added to the PMC on Mar 18 2019
- There are currently 47 committers. Raymond Augé was added as committer on 2020-07-02

## Community Health:
- Continued healthy activity across multiple components and responsiveness on both dev and user lists.

## Project Activity:
- We have been working on preparing tracks for upcoming ApacheCon NA 2020. We have 13 presentations from 7 different presenters.
- Apache Tomcat 10.x is the current focus of development. It builds on Tomcat 9.0.x and implements the Servlet 5.0, JSP 3.0, EL 4.0, WebSocket 2.0 and Authentication 2.04 specifications (the versions required by Jakarta EE 9 platform).
- Apache Tomcat 10.0.0-M7 was released on 2020-07-05
- Apache Tomcat 9.0.37 was released on 2020-07-05
- Apache Tomcat 8.5.57 was released on 2020-07-05
- Apache Tomcat Native 1.2.25 was released on 2020-09-03

## Security:
- Detailed status: http://tomcat.apache.org/security.html

## Trademark:
- No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on.

## Description:
- A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation.

## Issues:
- There are no issues requiring board attention at this time

## Membership Data:
- There are currently 28 PMC members. Igal Sapir was added to the PMC on Mar 18 2019
- There are currently 46 committers. Woonsan Ko was added as a committer on Dec 19 2018

## Community Health:
- Continued healthy activity across multiple components and responsiveness on both dev and user lists.

## Project Activity:
- Apache Tomcat 10.x is the current focus of development. It builds on Tomcat 9.0.x and implements the Servlet 5.0, JSP 3.0, EL 4.0, WebSocket 2.0 and Authentication 2.04 specifications (the versions required by Jakarta EE 9 platform).
- Apache Tomcat 10.0.0-M6 was released on 2020-06-07.
- Apache Tomcat 10.0.0-M5 was released on 2020-05-11.
- Apache Tomcat 10.0.0-M4 was released on 2020-04-08.
- Apache Tomcat 10.0.0-M3 was released on 2020-03-16.
- Apache Tomcat 9.0.36 was released on 2020-06-07.
- Apache Tomcat 9.0.35 was released on 2020-05-11.
- Apache Tomcat 9.0.34 was released on 2020-04-08.
- Apache Tomcat 9.0.33 was released on 2020-03-16.
- Apache Tomcat 8.5.56 was released on 2020-06-07.
- Apache Tomcat 8.5.55 was released on 2020-05-11.
- Apache Tomcat 8.5.54 was released on 2020-04-08.
- Apache Tomcat 8.5.53 was released on 2020-03-16.
- Apache Tomcat 7.0.104 was released on 2020-05-16.
- Apache Tomcat 7.0.103 was released on 2020-03-19.
- Apache Tomcat Native 1.2.24 was released on 2020-04-29

## Security:
- Detailed status: http://tomcat.apache.org/security.html

## Trademark:
- No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on.
- Detailed history is available at: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt

## Description:
- A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation.

## Issues:
- There are no issues requiring board attention at this time

## Membership Data:
- There are currently 28 PMC members. Igal Sapir was added to the PMC on Mar 18 2019
- There are currently 46 committers. Woonsan Ko was added as a committer on Dec 19 2018

## Community Health:
- Continued healthy activity across multiple components and responsiveness on both dev and user lists.

## Project Activity:
- The Tomcat project has been awarded a Patch Reward from Google of $5,000 which we are working with fundraising and accounting to accept. The intention is to use it to subsidise a security focused committer meetup / hackathon / BarCamp once the risks associated with COVID-19 subside.
- Apache Tomcat 10.x is the current focus of development. It builds on Tomcat 9.0.x and implements the Servlet 5.0, JSP 3.0, EL 4.0, WebSocket 2.0 and Authentication 2.04 specifications (the versions required by Jakarta EE 9 platform).
- Apache Tomcat 10.0.0-M1 was released on 2020-02-20
- Apache Tomcat 9.0.31 was released on 2020-02-11
- Apache Tomcat 9.0.30 was released on 2019-12-12
- Apache Tomcat 8.5.51 was released on 2020-02-11
- Apache Tomcat 8.5.50 was released on 2019-12-12
- Apache Tomcat 7.0.100 was released on 2020-02-14.
- Apache Tomcat Connectors 1.2.48 was released on 2020-03-06

## Security:
- Detailed status: http://tomcat.apache.org/security.html

## Trademark:
- No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on.
- Detailed history is available at: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt

## Description:
- A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation.

## Issues:
There are no issues requiring board attention at this time

## Membership Data:
- Apache Tomcat was founded 2005-05-18 (15 years ago)
- There are currently 46 committers and 28 PMC members in this project.
- The Committer-to-PMC ratio is roughly 3:2.
- Community changes, past quarter:
  - No new PMC members. Last addition was Igal Sapir on 2019-03-18.
  - No new committers. Last addition was Woonsan Ko on 2018-12-19.

## Project Activity:
- Apache Tomcat 9.0.29 was released on 2019-11-21
- Apache Tomcat 9.0.27 was released on 2019-10-11
- Apache Tomcat 9.0.26 was released on 2019-09-19
- Apache Tomcat 8.5.49 was released on 2019-11-21
- Apache Tomcat 8.5.47 was released on 2019-10-11
- Apache Tomcat 8.5.46 was released on 2019-09-19

## Community Health:
- Continued healthy activity across multiple components and responsiveness on both dev and user lists.

## Trademark:
- No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on.
- Detailed history is available at: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt

## Security:
- Detailed status: http://tomcat.apache.org/security.html

## Description:
- A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation.

## Issues:
- There are no issues requiring board attention at this time

## Activity:
- Continued healthy activity across multiple components and responsiveness on both dev and user lists.
- Currently 6 PMC members are attending ApacheCon NA 2019

## PMC changes:
- Currently 28 PMC members.
- Igal Sapir was added to the PMC on Mar 18 2019

## Committer base changes:
- Currently 46 committers.
- Woonsan Ko was added as a committer on Dec 19 2018

## Releases:
- Apache Tomcat 9.0.24 was released on 2019-08-17
- Apache Tomcat 9.0.22 was released on 2019-07-09
- Apache Tomcat 8.5.45 was released on 2019-08-21
- Apache Tomcat 8.5.43 was released on 2019-07-09
- Apache Tomcat 7.0.96 was released on 2019-07-29

## Trademark:
- No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on.
- Detailed history is available at: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt

## Security:
- Detailed status: http://tomcat.apache.org/security.html

## Description: - A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation. ## Issues: - There are no issues requiring board attention at this time ## Activity: - Continued healthy activity across multiple components and responsiveness on both dev and user lists. - The EU FOSSA 2 was held in Brussels on 4th/5th May 2019 and 5 core developers were present. The hackathon was a success and we received much positive feedback from the European Commission. More info can be found at: https://github.com/eufossa/apache-hackathon-2019 - There is ongoing discussion to advertise Tomcat 9 as Long Term Support at least until 31 Dec 2030. ## PMC changes: - Currently 28 PMC members. - Igal Sapir was added to the PMC on Mar 18 2019 ## Committer base changes: - Currently 46 committers. - Woonsan Ko was added as a committer on Dec 19 2018 ## Releases: - Apache Tomcat 9.0.20 was released on May 13 2019 - Apache Tomcat 8.5.41 was released on May 13 2019 - Apache Tomcat 7.0.95 was released on Apr 12 2019 ## Trademark: - No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on. - Detailed history is available at: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt ## Security: - Detailed status: http://tomcat.apache.org/security.html
## Description: - A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation. ## Issues: - There are no issues requiring board attention at this time ## Activity: - Continued healthy activity across multiple components and responsiveness on both dev and user lists. - The EU FOSSA program has offered the project a 2 day hackathon on 4th/5th May 2019 and the project has accepted. The EU is starting the necessary organisation and we expect to hear from them shortly regarding the next steps. - We have made the transition from svn to git. ## PMC changes: - Currently 27 PMC members. - Last addition May 2018 ## Committer base changes: - Currently 46 committers. - Woonsan Ko was added as a committer on Wed Dec 19 2018 ## Releases: - Apache Tomcat 7.0.93 was released on Thu Feb 21 2019 - Apache Tomcat 8.5.37 was released on Tue Dec 18 2018 - Apache Tomcat 8.5.38 was released on Fri Feb 08 2019 - Apache Tomcat 9.0.16 was released on Fri Feb 08 2019 ## Trademark: - No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on. - Detailed history is available at: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt ## Security: - Detailed status: http://tomcat.apache.org/security.html
## Description: - A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation. ## Issues: - There are no issues requiring board attention at this time ## Activity: - Continued healthy activity across multiple components and responsiveness on both dev and user lists. - We recently started a community effort to expand our localisation support by adding additional languages and expanding the coverage of the existing languages, using a web-based collaboration tool (poeditor.com). - We also had a constructive debate as to whether the translations were valuable to our users or not. ## PMC changes: - Currently 27 PMC members. - Last addition May 2018 ## Committer base changes: - Currently 45 committers. - Last addition May 2018 ## Releases: - Apache Tomcat 7.0.91 was released on Wed Sep 19 2018 - Apache Tomcat 7.0.92 was released on Thu Nov 15 2018 - Apache Tomcat 8.5.35 was released on Wed Nov 07 2018 - Apache Tomcat 9.0.13 was released on Wed Nov 07 2018 - Apache Tomcat JK Connector jk-1.2.46 was released on Sat Oct 13 2018 - Apache Tomcat Native 1.2.18 was released on Sun Oct 21 2018 - Apache Tomcat Native 1.2.19 was released on Thu Dec 06 2018 ## Trademark: - No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on. - Detailed history is available at: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt ## Security: - Detailed status: http://tomcat.apache.org/security.html - Moderate: Open Redirect CVE-2018-11784 Version Affected Apache Tomcat 9.0.0.M1 to 9.0.11 Apache Tomcat 8.5.0 to 8.5.33 Apache Tomcat 7.0.23 to 7.0.90 - Important: Information disclosure CVE-2018-11759 Version Affected Apache Tomcat JK Connector jk-1.2.0 to jk-1.2.44
## Description: - A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation. ## Issues: - There are no issues requiring board attention at this time ## Activity: - Continued healthy activity across multiple components and responsiveness on both dev and user lists. - Tomcat 8.0.x reached end of life. - Two days of sessions and a BoF planned for ApacheCon NA. - Continue to monitor progress of the Jakarta EE projects at Eclipse on which Tomcat depends. Haven't seen anything to cause concern. Waiting to see the proposed timeline for the releases where the specs are updated to include new features. - The community has been discussing a migration from svn to git. Most of the issues / concerns have been addressed. The migration is expected to proceed once final issues have been resolved. ## PMC changes: - Currently 27 PMC members. - Last addition May 2018 ## Committer base changes: - Currently 45 committers. - Last addition May 2018 ## Releases: - Apache Tomcat 7.0.90 was released on Fri Jul 06 2018 - Apache Tomcat 8.0.53 was released on Thu Jul 05 2018 - Apache Tomcat 8.5.32 was released on Mon Jun 25 2018 - Apache Tomcat 8.5.33 was released on Fri Aug 17 2018 - Apache Tomcat 9.0.10 was released on Mon Jun 25 2018 - Apache Tomcat 9.0.11 was released on Fri Aug 17 2018 - Apache Tomcat JK Connector jk-1.2.44 was released on Sat Sep 01 2018 ## Trademark: - No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on. 
- Detailed history is available at: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt ## Security: - Detailed status: http://tomcat.apache.org/security.html - Important: Information disclosure CVE-2018-1323 Versions Affected: Apache Tomcat JK Connector jk-1.2.0 to jk-1.2.40 - Important: Information Disclosure in Apache Tomcat's servlet async processing CVE-2018-8037 Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 Apache Tomcat 8.5.0 to 8.5.31 Apache Tomcat 8.0.0.RC1 to 8.0.52 - Important: A bug in the UTF-8 decoder can lead to DoS CVE-2018-1336 Versions Affected: Apache Tomcat 8.5.0 to 8.5.31 Apache Tomcat 8.0.0.RC1 to 8.0.52 Apache Tomcat 7.0.28 to 7.0.88 - Low: Host name verification missing in WebSocket client CVE-2018-8034 Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9 Apache Tomcat 8.5.0 to 8.5.31 Apache Tomcat 8.5.0 to 8.5.31 Apache Tomcat 7.0.25 to 7.0.88
## Description: - A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation. ## Issues: - There are no issues requiring board attention at this time ## Activity: - Continued healthy activity across multiple components and responsiveness on both dev and user lists. - We have put together a day long Tomcat track at the ApacheCon EU Roadshow. ## PMC changes: - Currently 27 PMC members. - Emmanuel Bourg was added to the PMC on Tue May 08 2018 ## Committer base changes: - Currently 45 committers. - Igal Sapir was added as a committer on Sat May 19 2018 ## Releases: - Apache Tomcat 7.0.86 was released on Fri Apr 13 2018 - Apache Tomcat 7.0.88 was released on Fri May 11 2018 - Apache Tomcat 8.0.51 was released on Fri Apr 13 2018 - Apache Tomcat 8.0.52 was released on Tue May 08 2018 - Apache Tomcat 8.5.30 was released on Sat Apr 07 2018 - Apache Tomcat 8.5.31 was released on Thu May 03 2018 - Apache Tomcat 9.0.7 was released on Sat Apr 07 2018 - Apache Tomcat 9.0.8 was released on Thu May 03 2018 - Apache Tomcat Native 1.2.17 was released on Wed Jul 13 2018 ## Trademark: - No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on. - Detailed history is available at: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt ## Security: - Detailed status: http://tomcat.apache.org/security.html
## Description: - A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation. ## Issues: - There are no issues requiring board attention at this time ## Activity: - Continued healthy activity across multiple components and responsiveness on both dev and user lists. - Given the timing of the EU roadshow, we decided not to run a Tomcat specific event in Frankfurt this Spring. Instead, we are running a training course in Manchester UK. The event is currently predicted to make a small (<$100) loss but there are still two weeks to go and one more ticket sale will mean the event generates a surplus. In any event, the current losses are more than offset by the surplus generated from the previous event. - In support of the training course we have started to produce ALv2 licensed training material. The long term aim is to create a large number of modules that may then be combined into courses as required. - We have put together a day long Tomcat track for the ApacheCon EU Roadshow. We anticipate at least as much content, if not more, for ApacheCon NA. - Tomcat 9.0.4, the first stable release of the 9.0.x branch implementing Servlet 4.0 was released this period. - We continue to explore migrating from svn to git. The open issue / question list is reducing as we explore each issue and reach consensus on the way forward. Discussions continue on dev@. ## PMC changes: - Currently 26 PMC members. - The last addition was Huxing Zhang on 2017-05-18. ## Committer base changes: - Currently 44 committers. - The last addition was Michael Osipov on 2017-05-08. - We voted to add a new committer this period but after the offer was extended, the contributor went silent. ## Releases: - We continue on our roughly monthly release cadence for 9.0.x and 8.5.x with the older versions released once every 1-2 months. 
- Apache Tomcat 7.0.84 was released on 2018-01-24 - Apache Tomcat 7.0.85 was released on 2018-02-13 - Apache Tomcat 8.0.49 was released on 2018-01-24 - Apache Tomcat 8.0.50 was released on 2018-02-13 - Apache Tomcat 8.5.27 was released on 2018-01-22 - Apache Tomcat 8.5.28 was released on 2018-02-11 - Apache Tomcat 8.5.29 was released on 2018-03-08 - Apache Tomcat 9.0.4 was released on 2018-01-22 - Apache Tomcat 9.0.5 was released on 2018-02-11 - Apache Tomcat 9.0.6 was released on 2018-03-08 ## Trademark: - No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on. - Detailed history is available at: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt ## Security: - Detailed status: http://tomcat.apache.org/security.html - CVE-2017-12615 Remote Code Execution via JSP Upload - CVE-2017-12616 Information Disclosure - CVE-2017-12617 Remote Code Execution via JSP Upload - CVE-2017-15698 Native Connector - OCSP check omitted - CVE-2017-15706 Incorrectly documented CGI search algorithm - CVE-2018-1304 Security constraints mapped to context root are ignored - CVE-2018-1305 Security constraint annotations applied too late - CVE-2018-1323 JK ISAPI Connector path traversal
## Description: - A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation. ## Issues: - There are no issues requiring board attention at this time ## Activity: - Continued healthy activity across multiple components and responsiveness on both dev and user lists. - The Tomcat event in London went very well and funds were set aside for future similar events. The event logs were made available on the http://tomcat.apache.org/presentations.html page on the website. - Similar to the TomcatCon one day event in London, another community conference event is pencilled in for Spring, probably in Frankfurt. - Tomcat 9 milestone cycle ended following the release of the new Servlet 4.0 specification, and a beta release cycle has started. - The community is exploring switching from svn to git. We have identified a number of questions / issues and are working through those on the dev@ list prior to the actual migration. - The community is starting to look at building out some ALv2 licensed training material which could then be used in some future events. ## PMC changes: - Currently 26 PMC members. ## Committer base changes: - Currently 44 committers. ## Releases: - Apache Tomcat 7.0.82 was released on Oct 3 2017 - Apache Tomcat 8.0.47 was released on Oct 3 2017 - Apache Tomcat 8.0.48 was released on Dec 12 2017 - Apache Tomcat 8.5.21 was released on Sep 19 2017 - Apache Tomcat 8.5.23 was released on Oct 3 2017 - Apache Tomcat 8.5.24 was released on Dec 1 2017 - Apache Tomcat 9.0.0.M27 was released on Sep 19 2017 - Apache Tomcat 9.0.1 Beta was released on Oct 3 2017 - Apache Tomcat 9.0.2 Beta was released on Dec 1 2017 ## Trademark: - No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on. 
- Detailed history is available at: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt ## Security: - Detailed status: http://tomcat.apache.org/security.html - Important: Security Constraint Bypass CVE-2017-7675 Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.0 Apache Tomcat 8.5.0 to 8.5.22 Apache Tomcat 8.0.0.RC1 to 8.0.46 Apache Tomcat 7.0.0 to 7.0.81 When running with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
No report was submitted.
## Description: - A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation. ## Issues: - There are no issues requiring board attention at this time ## Activity: - Continued healthy activity across multiple components and responsiveness on both dev and user lists. - The Tomcat PMC is organising a small 1 day conference to be held in London later this month. At the time of writing just under two thirds of the twenty available places have been sold and we have contingency plans in place to double capacity should a last minute rush take us over twenty. Thanks to the combination of generous sponsorship and ticket sales we are on track to have a sufficient surplus of funds after this event to provide seed money (e.g. to book venues, subsidize speaker travel) for the next event. The aim is to be able to hold a handful of small events a year - based nearish to committers to reduce speaker travel costs - that are self-financing so they can survive without ongoing sponsorship or subsidy / financial guarantees from either the ASF or individual PMC members. If we are fortunate enough to obtain sponsorship then that will open up the possibility of bringing in more speakers and/or more frequent events. We intend to publish 'accounts' after each event so the community has visibility of how the events are being financed. If, for any reason, we decide to discontinue these events, any remaining funds will be transferred to the ASF. ## PMC changes: - Currently 26 PMC members. - New PMC members: - Coty Sutherland was added to the PMC on Thu May 18 2017 - Huxing Zhang was added to the PMC on Thu May 18 2017 ## Committer base changes: - Currently 44 committers. 
- Michael Osipov was added as a committer on Mon May 08 2017 ## Releases: - Apache Tomcat 7.0.79 was released on Sat Jul 01 2017 - Apache Tomcat 7.0.81 was released on Wed Aug 16 2017 - Apache Tomcat 8.0.45 was released on Sat Jul 01 2017 - Apache Tomcat 8.0.46 was released on Fri Aug 18 2017 - Apache Tomcat 8.5.16 was released on Mon Jun 26 2017 - Apache Tomcat 8.5.20 was released on Tue Aug 08 2017 - Apache Tomcat 9.0.0.M22 was released on Mon Jun 26 2017 - Apache Tomcat 9.0.0.M26 was released on Tue Aug 08 2017 ## Trademark: - No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on. - Detailed history is available at: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt ## Security: - Detailed status: http://tomcat.apache.org/security.html - Important: Security Constraint Bypass CVE-2017-7675 The HTTP/2 implementation bypassed a number of security checks that prevented directory traversal attacks. It was therefore possible to bypass security constraints using a specially crafted URL. Affects: 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15 - Moderate: Cache Poisoning CVE-2017-7674 The CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances. Affects: 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 7.0.0 to 7.0.77
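The effect of the missing `Vary: Origin` header described under CVE-2017-7674 can be seen in a small model of a shared cache. This is an added example, not code from the report or from Tomcat; the origins, the URL and the `cors_response` and `SharedCache` names are constructed for illustration.

```python
# Constructed allow-list for the model; not taken from any real deployment.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_response(request_headers, add_vary):
    """Model of a CORS filter that reflects an allowed Origin.

    add_vary=False models the behaviour the report describes (no Vary header);
    add_vary=True models the corrected behaviour.
    """
    headers = {"Content-Type": "application/json"}
    origin = request_headers.get("Origin")
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
    if add_vary:
        headers["Vary"] = "Origin"
    return headers


class SharedCache:
    """Minimal cache that selects stored responses the way Vary requires."""

    def __init__(self, origin_server):
        self.origin_server = origin_server
        # url -> list of (request header values named by Vary, response headers)
        self.entries = {}

    def fetch(self, url, request_headers):
        for selected, response in self.entries.get(url, []):
            # A stored response is reusable only if every header named in its
            # Vary list has the same value as in the request that created it.
            # With no Vary header the list is empty, so any request matches.
            if all(request_headers.get(k) == v for k, v in selected.items()):
                return response, "HIT"
        response = self.origin_server(request_headers)
        vary = [f.strip() for f in response.get("Vary", "").split(",") if f.strip()]
        selected = {name: request_headers.get(name) for name in vary}
        self.entries.setdefault(url, []).append((selected, response))
        return response, "MISS"


def replay(add_vary):
    """Two allowed origins request the same URL through one shared cache."""
    cache = SharedCache(lambda headers: cors_response(headers, add_vary))
    results = []
    for origin in ("https://app.example.com", "https://admin.example.com"):
        response, status = cache.fetch("/api/profile", {"Origin": origin})
        results.append((origin, status, response.get("Access-Control-Allow-Origin")))
    return results


if __name__ == "__main__":
    for add_vary in (False, True):
        print("Vary: Origin sent" if add_vary else "no Vary header")
        for origin, status, acao in replay(add_vary):
            print(f"  {origin:28} {status:4} Access-Control-Allow-Origin={acao}")
```

Without the header, the second origin receives the cached response carrying the first origin's `Access-Control-Allow-Origin` value, so its browser rejects a request the server would have allowed; with the header, each origin gets its own cache entry.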
## Description: - A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation. ## Issues: - There are no issues requiring board attention at this time ## Activity: - Continued healthy activity across multiple components and responsiveness on both dev and user lists. ## PMC changes: - Currently 26 PMC members. - New PMC members: - Coty Sutherland was added to the PMC on Thu May 18 2017 - Huxing Zhang was added to the PMC on Thu May 18 2017 ## Committer base changes: - Currently 44 committers. - Michael Osipov was added as a committer on Mon May 08 2017 ## Releases: - Apache Tomcat 6.0.51 was released on Thu Mar 16 2017 - Apache Tomcat 6.0.53 was released on Fri Apr 07 2017 - Apache Tomcat 7.0.76 was released on Thu Mar 16 2017 - Apache Tomcat 7.0.77 was released on Sun Apr 02 2017 - Apache Tomcat 7.0.78 was released on Tue May 16 2017 - Apache Tomcat 8.0.42 was released on Tue Mar 14 2017 - Apache Tomcat 8.0.43 was released on Sun Apr 02 2017 - Apache Tomcat 8.0.44 was released on Tue May 16 2017 - Apache Tomcat 8.5.13 was released on Thu Mar 30 2017 - Apache Tomcat 8.5.14 was released on Tue Apr 18 2017 - Apache Tomcat 8.5.15 was released on Wed May 10 2017 - Apache Tomcat 9.0.0.M19 was released on Thu Mar 30 2017 - Apache Tomcat 9.0.0.M20 was released on Tue Apr 18 2017 - Apache Tomcat 9.0.0.M21 was released on Wed May 10 2017 ## Trademark: - No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on. 
- Detailed history is available at: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt ## Security: - Detailed status: http://tomcat.apache.org/security.html - Important: Security Constraint Bypass CVE-2017-5664 The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. Affects: 9.0.0.M1 to 9.0.0.M20, 8.0.0.RC1 to 8.0.43, 8.5.0 to 8.5.14, 7.0.0 to 7.0.77 - Important: Information Disclosure CVE-2017-5651 The refactoring of the HTTP connectors for 8.5.x onwards introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up. Affects: 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12 - Important: Denial of Service CVE-2017-5650 The handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads. Affects: 9.0.0.M1 to 9.0.0.M18 - Important: Information Disclosure CVE-2017-5647 A bug in the handling of the pipelined requests when send file was used resulted in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. 
For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C. Affects: 9.0.0.M1 to 9.0.0.M18, 8.0.0.RC1 to 8.0.42, 8.5.0 to 8.5.12, 7.0.0 to 7.0.76 - Low: Information Disclosure CVE-2017-5648 While investigating bug 60718, it was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application. Affects: 9.0.0.M1 to 9.0.0.M17, 8.0.0.RC1 to 8.0.41, 8.5.0 to 8.5.11, 7.0.0 to 7.0.75
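For patch triage, the "Affects:" ranges in the report above can be checked mechanically against a deployed version. The following is an added example, not part of the report or of Tomcat; the range strings are copied from the report, while the function names and the ordering of qualifiers (milestone `M` before `RC` before the final release) are assumptions of this sketch.

```python
import re

# "Affects:" text copied from the report above, keyed by CVE id.
AFFECTS = {
    "CVE-2017-5664": "9.0.0.M1 to 9.0.0.M20, 8.0.0.RC1 to 8.0.43, "
                     "8.5.0 to 8.5.14, 7.0.0 to 7.0.77",
    "CVE-2017-5651": "9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12",
    "CVE-2017-5650": "9.0.0.M1 to 9.0.0.M18",
    "CVE-2017-5647": "9.0.0.M1 to 9.0.0.M18, 8.0.0.RC1 to 8.0.42, "
                     "8.5.0 to 8.5.12, 7.0.0 to 7.0.76",
    "CVE-2017-5648": "9.0.0.M1 to 9.0.0.M17, 8.0.0.RC1 to 8.0.41, "
                     "8.5.0 to 8.5.11, 7.0.0 to 7.0.75",
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-](M|RC)(\d+))?$")

# Assumption of this sketch: a milestone sorts before a release candidate,
# and both sort before the unqualified release with the same number.
QUALIFIER_RANK = {"M": 0, "RC": 1, None: 2}


def version_key(text):
    """Turn '9.0.0.M18' or '8.5.12' into a tuple that sorts correctly."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, qualifier, number = match.groups()
    # Comparing the qualifier number as an int keeps M2 before M10.
    return (int(major), int(minor), int(patch),
            QUALIFIER_RANK[qualifier], int(number or 0))


def parse_ranges(affects):
    """Split 'A to B, C to D' into a list of (low_key, high_key) pairs."""
    ranges = []
    for part in affects.split(","):
        low, separator, high = part.partition(" to ")
        if not separator:
            raise ValueError(f"not a version range: {part!r}")
        ranges.append((version_key(low), version_key(high)))
    return ranges


def is_affected(version, affects):
    """True if version falls inside any inclusive range in the text."""
    key = version_key(version)
    return any(low <= key <= high for low, high in parse_ranges(affects))


def affected_cves(version):
    """CVE ids from the report whose ranges include the given version."""
    return sorted(cve for cve, text in AFFECTS.items()
                  if is_affected(version, text))


if __name__ == "__main__":
    for deployed in ("9.0.0.M18", "8.5.12", "8.0.44", "7.0.78"):
        print(deployed, affected_cves(deployed) or "not in any listed range")
```

Because each range stays inside one branch, an 8.5.x version never matches an 8.0.x range: the minor number is compared before the patch number.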
## Description: - A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation. ## Issues: - There are no issues requiring board attention at this time ## Activity: - Continued healthy activity across multiple components and responsiveness on both dev and user lists. - TomcatCon has been organised to run alongside ApacheCon with 3 days of content in a single track dedicated to Apache Tomcat. The content has just been agreed. Next step marketing. ## PMC changes: - Currently 24 PMC members. - No new PMC members added in the last 3 months - Last PMC addition was Felix Schumacher on Mon Oct 26 2015 ## Committer base changes: - Currently 43 committers. - Emmanuel Bourg was added as a committer on Fri Jan 20 2017 ## Releases: - Apache Tomcat 7.0.75 was released on Tue Jan 24 2017 - Apache Tomcat 8.0.41 was released on Tue Jan 24 2017 - Apache Tomcat 8.5.11 was released on Mon Jan 16 2017 - Apache Tomcat 9.0.0.M17 was released on Mon Jan 16 2017 ## Trademark: - No new trademark issues in the last 3 months and there are currently no outstanding trademark issues that the Apache Tomcat PMC is working on. - Detailed history is available at: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt ## Security: - Detailed status: http://tomcat.apache.org/security.html - Important: Information Disclosure CVE-2016-8745 A bug in the error handling of the send file code for the NIO HTTP connector resulted in the current Processor object being added to the Processor cache multiple times. Affects: Apache Tomcat 7.0.0 to 7.0.73 and 8.0.0.RC1 to 8.0.39
## Description: A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation. ## Issues: - There are no issues requiring board attention at this time ## Activity: - Continued healthy activity across multiple components and responsiveness on both dev and user lists. ## PMC changes: - Currently 24 PMC members. - No new PMC members added in the last 3 months - Last PMC addition was Felix Schumacher on Mon Oct 26 2015 ## Committer base changes: - Currently 42 committers. - New committers: - Coty Sutherland was added as a committer on Fri Aug 26 2016 - Huxing Zhang was added as a committer on Fri Aug 26 2016 ## Releases: - Apache Tomcat 6.0.47 was released on Oct 16 2016 - Apache Tomcat 6.0.48 was released on Nov 15 2016 - Apache Tomcat 7.0.72 was released on Sep 19 2016 - Apache Tomcat 7.0.73 was released on Nov 14 2016 - Apache Tomcat 8.0.38 was released on Oct 10 2016 - Apache Tomcat 8.0.39 was released on Nov 14 2016 - Apache Tomcat 8.5.6 was released on Oct 10 2016 - Apache Tomcat 8.5.8 was released on Nov 11 2016 - Apache Tomcat 8.5.9 was released on Dec 08 2016 - Apache Tomcat 9.0.0.M11 was released on Oct 10 2016 - Apache Tomcat 9.0.0.M13 was released on Nov 11 2016 - Apache Tomcat 9.0.0.M15 was released on Dec 08 2016 - Apache Tomcat Native 1.2.10 was released on Oct 05 2016 - Apache Tomcat Connectors 1.2.42 was released on Oct 05 2016 ## Trademark: Since our last report the Tomcat PMC dealt with the following trademark issues: - A minor issue with a GitHub project that was renamed at our request from "Tomcat XXX" to "XXX for Tomcat". - Some historical documentation for a product previously renamed from "Tomcat XXX" to "XXX for Tomcat" appeared in our regular search using the old name. The historical documentation was updated to use the correct form. In both cases speedy resolution was aided by the fact that Tomcat PMC members were involved in - or had close ties to - the projects concerned. 
The Tomcat PMC has decided not to pursue further a trademark issue outstanding since 2008 since the project has been dormant for many years. There are currently no outstanding trademark issues that the Tomcat PMC is working on. Detailed history is available at: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt ## Security: - Detailed status: http://tomcat.apache.org/security.html There were some low impact vulnerabilities reported and fixed in Tomcat (6.0.47, 7.0.72): - Low: Timing Attack CVE-2016-0762 The Realm Implementations used different amounts of time for authentication requests with or without a password - Low: Security Manager Bypass CVE-2016-5018 The SecurityManager could be bypassed - Low: System Property Disclosure CVE-2016-6794 System Properties that should have been protected by a SecurityManager could be read - Low: Security Manager Bypass CVE-2016-6796 A configured SecurityManager could be bypassed - Low: Unrestricted Access to Global Resources CVE-2016-6797 Webapps could access global JNDI resources even when they were not explicitly configured for the Webapp There were some important vulnerabilities reported and fixed in Tomcat (6.0.48, 7.0.73, 8.0.39, 8.5.8, 8.5.9, 9.0.0.M13): - Important: Information Disclosure CVE-2016-6816 HTTP request line was not parsed correctly - Important: Denial of Service CVE-2016-6817 The HTTP/2 header parser could be tricked into an infinite loop - Important: Remote Code Execution CVE-2016-8735 The JmxRemoteLifecycleListener was vulnerable to a remote execution attack - Important: Information Disclosure CVE-2016-8745 When using NIO and sendfile, requests could be shared between two concurrent threads, which led to possible information leakage
## Description: Apache Tomcat is a Java Servlet, JavaServer Pages, Java WebSocket, Java Unified Expression language and Java Authentication Service Provider Interface for Containers specifications implementation. ## Issues: There are no issues requiring board attention at this time ## Activity: Continued healthy activity across multiple components and responsiveness on both dev and user lists. ## PMC changes: - Currently 24 PMC members. - No new PMC members added in the last 3 months - Last PMC addition was Felix Schumacher on Mon Oct 26 2015 ## Committer base changes: - Currently 42 committers. - New committers: - Coty Sutherland was added as a committer on Fri Aug 26 2016 - Huxing Zhang was added as a committer on Fri Aug 26 2016 ## Releases: - Apache Tomcat 7.0.70 was released on Jun 19 2016 - Apache Tomcat 8.0.37 was released on Sep 05 2016 - Apache Tomcat 8.5.5 was released on Sep 05 2016 - Apache Tomcat 9.0.0.M10 was released on Sep 05 2016 ## Trademark: - Detailed status: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt ## Security: - Detailed status: http://tomcat.apache.org/security.html
Apache Tomcat is a Java Servlet, JavaServer Pages, Java WebSocket, Java Unified Expression language and Java Authentication Service Provider Interface for Containers specifications implementation. Issues: There are no issues requiring board attention at this time Activity: - Continued healthy activity across multiple components and responsiveness on both dev and user lists. - Three presentations on Tomcat were given at ApacheCon NA and a meetup one evening was held with about ten participants. - A spate of Bugzilla spam was successfully blocked by the infra team. - Currently five branches are actively maintained. This will be reduced to three sometime later this year as 8.0.x reaches EOL (replaced by 8.5.x) and 6.0.x will reach EOL at the end of this year. - A roughly monthly release cycle is held up for 9.0.x, 8.5.x, 8.0.x and 7.0.x and a roughly six monthly release cycle for 6.0.x. - Open bugs (excluding enhancement requests and those where further information is required from the OP) are fixed before each release. - There are three components where there is less activity. taglibs is dormant and it needs to be discussed whether it should be placed into Tomcat's attic. The Tomcat Maven Plugin needs committers. Currently it is only compatible with 7.0.x and lower. The connectors component is fairly mature but still sees bug reports and needs committers in order to address them. - Discussion about inviting a new committer has started with no conclusion yet. Tomcat 9 has a dependency on the Servlet 4 specification which is part of Java EE 8. There has been much public discussion about the (lack of) progress [1] of Java EE 8. We do not intend to let this slow down Tomcat development. We continue to review the situation and take action as necessary. For example, Tomcat 8.5.x was introduced to make HTTP/2 (and other new features) available in a production quality release so users weren't waiting for Tomcat 9. PMC changes: - Currently 24 PMC members. 
- Last PMC addition was Felix Schumacher on Mon Oct 26 2015 Committer base changes: - Currently 40 committers. - Last committer addition was Martin Tzvetanov Grigorov at Tue Oct 27 2015 Releases: - Apache Tomcat 6.0.45 was released on Feb 10 2016 - Apache Tomcat 7.0.69 was released on Apr 15 2016 - Apache Tomcat 8.0.33 was released on Mar 24 2016 - Apache Tomcat 8.0.35 was released on May 16 2016 - Apache Tomcat 8.0.36 was released on Jun 13 2016 - Apache Tomcat 8.5.0 (beta) was released on Mar 24 2016 - Apache Tomcat 8.5.2 (beta) was released on May 16 2016 - Apache Tomcat 8.5.3 was released on Jun 13 2016 - Apache Tomcat 9.0.0.M4 was released on Mar 16 2016 - Apache Tomcat 9.0.0.M6 was released on May 16 2016 - Apache Tomcat 9.0.0.M8 was released on Jun 13 2016 - Apache Tomcat Native 1.2.6 was released on Apr 26 2016 - Apache Tomcat Native 1.2.7 was released on May 8 2016 Trademark: - Detailed status: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt Security: - Detailed status: http://tomcat.apache.org/security.html
## Description: A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation. ## Issues: - There are no issues requiring board attention at this time ## Activity: - Continued healthy activity across multiple components and responsiveness on both dev and user lists. ## PMC changes: - Currently 24 PMC members. - No new PMC members added in the last 3 months - Last PMC addition was Felix Schumacher on Mon Oct 26 2015 ## Committer base changes: - Currently 40 committers. - No new committers added in the last 3 months - Last committer addition was Martin Tzvetanov Grigorov at Tue Oct 27 2015 ## Releases: - Apache Tomcat 6.0.45 was released on Feb 10 2016 - Apache Tomcat 7.0.67 was released on Dec 09 2015 - Apache Tomcat 7.0.68 was released on Feb 15 2016 - Apache Tomcat 8.0.32 was released on Feb 08 2016 - Apache Tomcat 9.0.0.M3 was released on Feb 05 2016 ## Mailing list activity: - TODO Please explain what the following statistics mean for the project. If there is nothing significant in the figures, omit this section. - users@tomcat.apache.org: - 3027 subscribers (up 6 in the last 3 months): - 1190 emails sent to list (1034 in previous quarter) - dev@tomcat.apache.org: - 855 subscribers (up 11 in the last 3 months): - 3126 emails sent to list (3585 in previous quarter) - announce@tomcat.apache.org: - 4033 subscribers (up 70 in the last 3 months): - 16 emails sent to list (6 in previous quarter) - taglibs-user@tomcat.apache.org: - 357 subscribers (down -2 in the last 3 months): - 2 emails sent to list (1 in previous quarter) ## Bugzilla Statistics: - 73 Bugzilla tickets created in the last 3 months - 89 Bugzilla tickets resolved in the last 3 months ## Trademark: - Detailed status: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt ## Security: - Detailed status: http://tomcat.apache.org/security.html
## Description: A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation. ## Issues: - There are no issues requiring board attention at this time ## Activity: - Continued healthy activity across multiple components and responsiveness on both dev and user lists. - We have released a first milestone release of the current development branch (Tomcat 9.0.x). - We have started a regular Webinar series - one every two weeks. We do each Webinar twice (to try and cover as much of the world as possible) and make a recording available on YouTube. https://www.youtube.com/channel/UCpqpJ0-G1lYfUBQ6_36Au_g It is early days and we are still experimenting with various technical and organisational options to figure out what works best. - We have also started to gather known recordings of Tomcat related presentations on the project website. http://tomcat.apache.org/presentations.html - We are keeping a closer eye on our Twitter account and making sure we announce releases, Webinars etc via Twitter as well as the usual mailing lists. - Apache Tomcat Native project (a connector implementation for Tomcat based on APR/OpenSSL) development focus has switched to version 1.2.x, with the first 1.2.0 release in October 2015, up to 1.2.4 several days ago. ## Health report: - TODO - Please use this paragraph to elaborate on why the current project activity (mails, commits, bugs etc) is at its current level. ## PMC changes: - Currently 24 PMC members. - New PMC members: - Felix Schumacher was added to the PMC on Mon Oct 26 2015 - Martin Grigorov was added to the PMC on Mon Oct 26 2015 ## Committer base changes: - Currently 40 committers. 
- New committers: - Ognjen Blagojević was added as a committer on Fri Oct 23 2015 - Martin Tzvetanov Grigorov was added as a committer on Tue Oct 27 2015 ## Releases: - Apache Tomcat 9.0.0.M1 (alpha) was released on Thu Nov 19 2015 - Apache Tomcat 8.0.30 was released on Sat Dec 05 2015 - Apache Tomcat 8.0.29 was released on Tue Nov 24 2015 - Apache Tomcat 8.0.28 was released on Mon Oct 12 2015 - Apache Tomcat 8.0.27 was released on Thur Oct 01 2015 - Apache Tomcat 7.0.67 was released on Wed Dec 09 2015 - Apache Tomcat 7.0.65 was released on Sun Oct 18 2015 - Apache Tomcat Native 1.2.4 was released on Mon Jan 11 2016 - Apache Tomcat Native 1.2.3 was released on Tue Dec 15 2015 - Apache Tomcat Native 1.2.2 was released on Mon Nov 09 2015 - Apache Tomcat Native 1.2.0 was released on Wed Oct 28 2015 - Apache Tomcat Native 1.1.34 was released on Tue Dec 15 2015 ## Mailing list activity: - users@tomcat.apache.org: - 3023 subscribers (up 15 in the last 3 months): - 902 emails sent to list (1002 in previous quarter) - dev@tomcat.apache.org: - 850 subscribers (up 10 in the last 3 months): - 3472 emails sent to list (2399 in previous quarter) - taglibs-user@tomcat.apache.org: - 353 subscribers (down -1 in the last 3 months): - 1 emails sent to list (0 in previous quarter) - announce@tomcat.apache.org: - 3977 subscribers (up 72 in the last 3 months): - 9 emails sent to list (4 in previous quarter) ## Trademark: - Detailed status: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt
No report was submitted.
This report from the Apache Tomcat PMC is being made at the recommendation of V.P. Brand to support the Tomcat project's request for additional funding to register our trademarks in the EU, India and China. This is in addition to our registration in the US that is already in progress. The funding required to meet this request is a one-off cost of $2,465. The driver for this request is the desire of the Tomcat PMC to reduce the ongoing impact of trademark infringements and to reduce the risk to the Tomcat community of a future significant dispute over the project's marks. The regions in this request for registration have been selected based on where we see the greatest concentrations of the Tomcat community. The board may think that since Tomcat has been in existence since 1999 that the marks are well known and that there is no need to register the marks. The Tomcat PMC strongly disagrees with this view. The longevity of the Tomcat project means that a large eco-system of products has built up around Tomcat and the size of that ecosystem increases, rather than decreases, the likelihood of infringement. The Tomcat PMC already has experience of handling multiple infringements of the project's marks. We continue to be concerned about any infringement due to the potential harm it could cause to the community. The risks to the community include: - Potential users of Tomcat put off by their poor experience or the poor experience of others with a low quality product intended to be used with Tomcat that, due to the infringing name, is assumed to be a product of the ASF and therefore indicative of the quality of ASF products. - Potential users of Tomcat drawn to other products because those products provide similar functionality to Tomcat and use an infringing name which (deliberately or not) confuses users into thinking they are using Tomcat when they are not. - Resolving infringements requires significant volunteer energy which is then not available to support the community. 
This reduces the quality of community support and thereby makes Tomcat less attractive. - Specifically for China, that operates a first to register rather than first to use system, there is a significant risk that another organisation registers Tomcat. That would cause us all sorts of problems that would require large amounts of volunteer energy to resolve as well as placing additional demands on infrastructure. All of these risks boil down to reducing the size of the Tomcat community and diverting that community from developing, using and supporting Tomcat. The smaller the community, the smaller the pool of contributors, the fewer of those who will advance to committer and hopefully on to PMC member and ASF member. The fewer committers and PMC members the community has, the greater the risk to the long term survivability of the project. To be clear, we are not saying that the Tomcat community is struggling to survive under a flood of trademark infringements. We are saying the trademark infringements have had, and continue to have, a negative impact on the project and that registering our marks would reduce the ongoing impact and reduce the risk of a future, more significant, trademark dispute. It is also worth pointing out (with the notable exception of China) that registration is not required in order to successfully resolve a trademark dispute. However, as we explain later, registration does reduce the likelihood of infringement and simplifies the process of resolution. Where the infringer contests the issue, registration significantly reduces the time and cost of resolution. To date, the Tomcat PMC has resolved disputes using one of the following paths: 1) A polite request to the product owners to change the name with which they happily complied. 2) As 1) but the product owner had gone AWOL. In such cases the company hosting the product (e.g. Apple, Google etc.) had to be approached to request that the product is taken down. 
3) A polite request to the product owners which is met with a "That trademark isn't registered. I can do what I like." response. The PMC then has to take the time to educate them that this is not the case and, eventually, the product name is changed. 4) A large(ish) corporation has a commercial product based on Tomcat and the sales/marketing team are keen to emphasise this to sell their product based on Tomcat's reputation. This normally results in multiple small to medium infringements over a long period of time. It has been resolved by an ongoing engagement by the PMC with the infringing company to educate as to what is allowed and to encourage the company to put processes in place to reduce / eliminate future infringing. Depending on the frequency and seriousness of the infringements, support from V.P. Brand / ASF lawyers may be requested to get the message across to more senior figures. 1) Is easy to fix and not a great drain on the project since it only takes a few minutes to send a polite e-mail. 2) Depends a lot on the hosting company. Some are easier to work with than others. Resolving these usually takes a couple of hours. 3) We have had several of these and they can take up a fair amount of volunteer time (days) to resolve. 4) We have only had one of these but it took weeks of volunteer time and support from V.P. Brand to resolve. It also requires ongoing monitoring to ensure that the issue remains resolved. The benefits to the Tomcat PMC of registering our marks are as follows: - less volunteer energy required to resolve 'simple' infringements since a registered mark negates the whole "But that mark isn't registered" counter-argument; - less volunteer energy required to resolve 'simple' infringements since a registered mark simplifies the trademark infringement reporting process for most large 'hosting' providers (e.g. Google, Apple, etc.) 
- fewer corporate infringements (and hence less volunteer energy required to resolve them) since a registered mark will appear in the searches performed when selecting product names and corporations tend to give registered marks a wider berth than unregistered ones; - significantly reduces the potential for us to lose the right to use the project's marks in China; - should an infringer refuse to stop their infringement (we haven't had this happen yet but it feels like only a matter of time) a registered mark greatly simplifies the resolution process (and makes it a lot less expensive). On that last point, there have been a couple of occasions where it felt like it was 50/50 whether the infringing party was going to stop the infringement. Fortunately, so far, continued dialogue has resulted in the right outcome. However, it does feel like only a matter of time before an infringer refuses to stop their infringement. Having the marks registered before that happens will save us both time and money in that case. The Apache Tomcat PMC
## Description: A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation. ## Activity: - Continued healthy activity across multiple components and responsiveness on both dev and user lists. - We hope to have a milestone release of the current development branch (Tomcat 9.0.x) later in the autumn once HTTP/2 support has progressed. ## Issues: - There are no issues requiring board attention at this time ## PMC/Committership changes: - Currently 38 committers and 22 LDAP committee group members. - No new LDAP committee group members added in the last 3 months - Last LDAP committee group addition was Jeremy Boynes at Fri Mar 06 2015 - No new committers added in the last 3 months - Last committer addition was André Warnier at Fri Jan 02 2015 ## Releases: - Apache Tomcat 8.0.24 was released on Mon Jul 06 2015 - Apache Tomcat 8.0.26 was released on Fri Aug 21 2015 - Apache Tomcat 7.0.64 was released on Mon Aug 24 2015 - Apache Tomcat 7.0.63 was released on Sun Jul 05 2015 - Apache Tomcat Connectors 1.2.41 was released on Tue Aug 11 2015 ## Mailing list activity: - users@tomcat.apache.org: - 3009 subscribers (up 1 in the last 3 months): - 1063 emails sent to list (1452 in previous quarter) - dev@tomcat.apache.org: - 833 subscribers (down -10 in the last 3 months): - 3099 emails sent to list (4361 in previous quarter) - taglibs-user@tomcat.apache.org: - 353 subscribers (up 1 in the last 3 months): - 0 emails sent to list (1 in previous quarter) - announce@tomcat.apache.org: - 3861 subscribers (up 110 in the last 3 months): - 5 emails sent to list (11 in previous quarter) ## Trademark: - Detailed status: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt - We have started the process to register Tomcat as a trademark in the US, EU, India and China. We have also requested the registration of "Tomcat" as a service in the US.
## Description: A Java Servlet, JavaServer Pages, Java WebSocket and Java Unified Expression language specifications implementation. ## Activity: - Continued healthy activity across multiple components and responsiveness on both dev and user lists. - We announced that End-Of-Life for the Apache Tomcat 6.0.x series will be 31 December 2016. - We hope to have a milestone release of the current development branch (Tomcat 9.0.x) later in the summer once HTTP/2 support has progressed. ## Issues: - There are no issues requiring board attention at this time ## PMC/Committership changes: - Currently 38 committers and 22 PMC members in the project. - No new PMC members added in the last 3 months - Last PMC addition was Jeremy Boynes at Fri Mar 06 2015 - No new committers added in the last 3 months - Last committer addition was André Warnier at Fri Jan 02 2015 ## Releases: - Apache Tomcat 8.0.23 was released on Fri May 22 2015 - Apache Tomcat 8.0.22 was released on Tue May 05 2015 - Apache Tomcat 7.0.62 was released on Wed May 13 2015 - Apache Tomcat 7.0.61 was released on Mon Apr 06 2015 - Apache Tomcat 6.0.44 was released on Tue May 12 2015 - Apache Tomcat Native 1.1.33 was released on Mon Mar 23 2015 ## Mailing list activity: - users@tomcat.apache.org: - 3006 subscribers (up 31 in the last 3 months): - 1441 emails sent to list (1377 in previous quarter) - dev@tomcat.apache.org: - 839 subscribers (down -13 in the last 3 months): - 4165 emails sent to list (5043 in previous quarter) - taglibs-user@tomcat.apache.org: - 352 subscribers (up 2 in the last 3 months): - 1 emails sent to list (5 in previous quarter) - announce@tomcat.apache.org: - 3755 subscribers (up 117 in the last 3 months): - 11 emails sent to list (7 in previous quarter) ## Trademark: - Detailed status: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt - We have started the process to register Tomcat as a trademark in the US, EU, India and China. 
We have also requested the registration of "Tomcat" as a service in the US.
## Description: A Java Servlet and JavaServer Pages specifications implementation. ## Activity: - Continued healthy activity across multiple components and responsiveness on both dev and user lists. - There was lots of development activity on Apache Tomcat 7 and Apache Tomcat 8. - Preparation work for Tomcat 9 is under way. - Continuing maintenance work on Apache Standard Taglib (an implementation of JavaServer Pages Standard Tag Library (JSTL) 1.2). A security and bug fix release was performed. ## Issues: - There are no issues requiring board attention at this time ## PMC/Committership changes: - Currently 38 committers and 22 PMC members in the project. - Yoav Shapira requested to step down from his PMC membership and went emeritus - Jeremy Boynes was added to the PMC on Fri Mar 06 2015 - André Warnier was added as a committer on Fri Jan 02 2015 ## Releases: - Apache Tomcat 8.0.20 - 2015-02-20 - Apache Tomcat 8.0.19 (not released) - Apache Tomcat 8.0.18 - 2015-01-26 - Apache Tomcat 8.0.17 - 2015-01-16 - Apache Tomcat 8.0.16 (not released) - Apache Tomcat 8.0.15 - 2014-11-07 - Apache Tomcat 8.0.14 - 2014-09-29 - Apache Tomcat 8.0.13 (not released) - Apache Tomcat 7.0.59 - 2015-02-04 - Apache Tomcat 7.0.58 (not released) - Apache Tomcat 7.0.57 - 2014-11-11 - Apache Tomcat 7.0.56 - 2014-10-06 - Apache Tomcat 6.0.43 - 2014-11-22 - Apache Tomcat Native 1.1.32 - 2014-10-23 - Apache Standard Taglib 1.2.2 (not released) - Apache Standard Taglib 1.2.3 - 2015-02-20 ## Mailing list activity: - users@tomcat.apache.org: - 2978 subscribers (up 8 in the last 3 months): - 1411 emails sent to list (1284 in previous quarter) - dev@tomcat.apache.org: - 853 subscribers (down -5 in the last 3 months): - 4974 emails sent to list (4943 in previous quarter) - taglibs-user@tomcat.apache.org: - 350 subscribers (down -9 in the last 3 months): - 5 emails sent to list (13 in previous quarter) - announce@tomcat.apache.org: - 3631 subscribers (up 131 in the last 3 months): - 7 emails sent to 
list (8 in previous quarter) ## Security: - Important: Request Smuggling CVE-2014-0227 It was possible to craft a malformed chunk as part of a chunked request that caused Tomcat to read part of the request body as a new request. Announced 2015-02-09 - Important: XXE and RCE via XSL extension in JSTL XML tags CVE-2015-0254 When an application uses <x:parse> or <x:transform> JSTL tags to process untrusted XML documents, a request may utilize external entity references to access resources on the host system or utilize XSLT extensions that may allow remote execution. Announced 2015-02-27 ## Trademark: - Detailed status: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt - We have started the process to register Tomcat as a trademark in the US and are considering making a request to do the same in the EU.
No report was submitted.
No report was submitted.
No report was submitted.
General: Continued healthy activity across multiple components and responsiveness on both dev and user lists. Issues: The Apache Tomcat PMC continues to monitor the progress of the discussions with Oracle regarding regaining access to the TCKs. After a brief burst of activity at the end of April / beginning of May this appears to have stalled again. Releases: * Apache Tomcat 8.0.9 - stable, 2014-06-26 * Apache Tomcat 8.0.10 (not released) * Apache Tomcat 8.0.11 - 2014-08-26 * Apache Tomcat 8.0.12 - 2014-09-06 * Apache Tomcat 7.0.55 - 2014-07-29 * Apache Tomcat Native 1.1.31 - 2014-07-08 Development: There was lots of development activity on Apache Tomcat 7 and Apache Tomcat 8. We had the first stable release of Apache Tomcat 8. Community: Ian Darwin requested to step down from his PMC membership and went emeritus. Security: CVE-2013-4444 - Important: Remote Code Execution In very limited circumstances, it was possible for an attacker to upload a malicious JSP to a Tomcat server and then trigger the execution of that JSP. While Remote Code Execution would normally be viewed as a critical vulnerability, the circumstances under which this is possible are, in the view of the Tomcat security team, sufficiently limited that this vulnerability is viewed as important. Trademark: Detailed status: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt
General: Continued healthy activity across multiple components and responsiveness on both dev and user lists. Issues: The Apache Tomcat PMC continues to monitor the progress of the discussions with Oracle regarding regaining access to the TCKs. After a brief burst of activity at the end of April / beginning of May this appears to have stalled again. Releases: * Apache Tomcat 8.0.4 (not released) * Apache Tomcat 8.0.5 - beta, 2014-03-27 * Apache Tomcat 8.0.6 (not released) * Apache Tomcat 8.0.7 (not released) * Apache Tomcat 8.0.8 - beta, 2014-05-21 * Apache Tomcat 7.0.53 - 2014-03-30 * Apache Tomcat 7.0.54 - 2014-05-22 * Apache Tomcat 6.0.40 (not released) * Apache Tomcat 6.0.41 - 2014-05-23 * Apache Tomcat Connectors 1.2.40 - 2014-04-15 * Apache Tomcat Native 1.1.30 - 2014-04-15 Development: There was lots of development activity on Apache Tomcat 7 and Apache Tomcat 8. Community: There were no changes in community since the last report. A problematic user who persistently (over several years) refused to improve their interactions with the community was unsubscribed from the users list and blocked from resubscribing after all other attempts at addressing the issues failed. Security: * CVE-2014-0075 - Important: Denial of Service It was possible to craft a malformed chunk size as part of a chunked request that enabled an unlimited amount of data to be streamed to the server, bypassing the various size limits enforced on a request. This enabled a denial of service attack. * CVE-2014-0096 - Important: Information disclosure The default servlet allows web applications to define (at multiple levels) an XSLT to be used to format a directory listing. When running under a security manager, the processing of these was not subject to the same constraints as the web application. This enabled a malicious web application to bypass the file access constraints imposed by the security manager via the use of external XML entities. 
* CVE-2014-0099 - Important: Information disclosure The code used to parse the request content length header did not check for overflow in the result. This exposed a request smuggling vulnerability when Tomcat was located behind a reverse proxy that correctly processed the content length header. * CVE-2014-0119 - Low: Information Disclosure In limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or have visibility of the XML files processed for other web applications deployed on the same Tomcat instance. Trademark: Detailed status: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt Registered interest with V.P. Brand in registering Tomcat and Apache Tomcat. Waiting to hear from V.P. Brand on what the next steps will be.
General: Continued healthy activity across multiple components and responsiveness on both dev and user lists. Issues: There are no issues requiring Board attention at this time. Releases: * Apache Tomcat 8.0.0-RC10 - alpha, 2013-12-26 * Apache Tomcat 8.0.1 - beta, 2014-02-02 * Apache Tomcat 8.0.2 (not released) * Apache Tomcat 8.0.3 - beta, 2014-02-11 * Apache Tomcat 7.0.48 (not released) * Apache Tomcat 7.0.49 (not released) * Apache Tomcat 7.0.50 - 2014-01-08 * Apache Tomcat 7.0.51 (not released) * Apache Tomcat 7.0.52 - 2014-02-17 * Apache Tomcat 6.0.38 (not released) * Apache Tomcat 6.0.39 - 2014-01-31 * Apache Tomcat Connectors 1.2.38 (not released) * Apache Tomcat Connectors 1.2.39 - 2014-03-11 * Apache Standard Taglib 1.2.0 (not released) * Apache Standard Taglib 1.2.1 - 2014-01-02 Development: There was lots of development activity on Apache Tomcat 7 and Apache Tomcat 8. Recently some work has been done on the new NIO2 connector. There was the first release of Apache Standard Taglib 1.2, an implementation of JSTL 1.2 (JSR 052). It is the first release of a tag library, after migrating Apache Taglibs project from Apache Jakarta to Apache Tomcat several years ago. It is the first release that implements JSTL 1.2 specification. Community: There were no changes in community since the last report. We have organised a day long Tomcat Summit for ApacheCon. Topics for discussion are currently based around future development direction but any attendee is welcome to add their own topic(s). Security: * CVE-2013-2067 - Important: Session fixation FORM authentication associates the most recent request requiring authentication with the current session. By repeatedly sending a request for an authenticated resource while the victim is completing the login form, an attacker could inject a request that would be executed using the victim's credentials. 
* CVE-2013-2071 - Moderate: Information disclosure Bug 54178 described a scenario where elements of a previous request may be exposed to a current request. This was very difficult to exploit deliberately but fairly likely to happen unexpectedly if an application used AsyncListeners that threw RuntimeExceptions. * CVE-2013-4590 - Low: Information disclosure Application provided XML files such as web.xml, context.xml, .tld, .tagx and .jspx allowed XXE which could be used to expose Tomcat internals to an attacker. This vulnerability only occurs when Tomcat is running web applications from untrusted sources such as in a shared hosting environment. * CVE-2013-4322 - Important: Denial of service The fix for CVE-2012-3544 was not complete. It did not cover the following cases: chunk extensions were not limited; whitespace after the : in a trailing header was not limited * CVE-2014-0050 - Important: Denial of Service It was possible to craft a malformed Content-Type header for a multipart request that caused Apache Tomcat to enter an infinite loop. A malicious user could, therefore, craft a malformed request that triggered a denial of service. Trademark: Detailed status: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt We have received a request from Canonical to use the Tomcat logo to identify their Tomcat installation bundle for JuJu, their virtualised platform. We intend to grant them permission to do so (with some constraints).
General: Continued healthy activity across multiple components and responsiveness on both dev and user lists. Issues: There are no issues requiring Board attention at this time. Releases: * Apache Tomcat 8.0.0-RC2 (not released) * Apache Tomcat 8.0.0-RC3 * Apache Tomcat 8.0.0-RC4 (not released) * Apache Tomcat 8.0.0-RC5 * Apache Tomcat 7.0.43 (not released) * Apache Tomcat 7.0.44 (not released) * Apache Tomcat 7.0.45 (not released) * Apache Tomcat 7.0.46 (not released) * Apache Tomcat 7.0.47 * Apache Tomcat Maven Plugin 2.2.0 * Apache Tomcat Native 1.1.28 * Apache Tomcat Native 1.1.29 Development: There was lots of development activity on Apache Tomcat 7 and Apache Tomcat 8 release candidate. Community: Konstantin Preißer has been voted as new Apache Tomcat committer. Violeta Georgieva and Christopher Schultz have been voted as new Apache Tomcat PMC members. Security: There were no publicly disclosed security issues from the last Board report. Trademark: There are no pending trademark issues which would require board's attention at this time.
General Continued healthy activity across multiple components and responsiveness on both dev and user lists. Issues In our last report we raised an issue about being unable to access latest TCKs for the Servlet, JSP, EL and WebSocket specifications. It is our understanding that there is an ongoing discussion with Oracle on this subject. We have now released the first Tomcat 8 Release Candidate and access to the TCKs would benefit future releases. What is the status of the discussions with Oracle, when do you expect those discussions to conclude and is there a view of what the outcome of the discussion is likely to be? Releases * Apache Tomcat 8.0.0-RC1 * Apache Tomcat 7.0.42 Development There was lots of development activity on Apache Tomcat 7 and Apache Tomcat 8 release candidate. With Apache Tomcat 8, support is added for the Java WebSocket specification. This adds to the Servlet, JSP and Unified Expression Language specifications already supported. Java WebSocket support has also been back-ported to Tomcat 7. There is also some development to enable IPV6 support for mod_jk. One of our contributors has been doing great work improving the look of our documentation and web site. The updated main website has been rolled out and the documentation will be updated as new releases are made. Community There were no changes in community membership. Security There were no publicly disclosed security issues from the last Board report. Trademark Detailed status: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt There are no pending trademark issues which would require board's attention at this time.
AI: Sam follow up regarding TCKs.
General: Continued healthy activity across multiple components and responsiveness on both dev and user lists. Issues: We are currently unable to access the latest TCKs for the Servlet, JSP, EL and WebSocket specifications pending the ASF's ongoing discussion with Oracle regarding TCK renewal. This means we are unable to test Tomcat 8 against these specifications and provide the assurance (that many of our users look for) that Tomcat 8 has passed the TCKs. This is not an immediate concern but will become increasingly important as we approach the first release of Tomcat 8 (probably later this year). Releases: * Apache Tomcat 7.0.41 * Apache Tomcat 7.0.40 * Apache Tomcat 7.0.39 * Apache Tomcat 7.0.38 * Apache Tomcat 6.0.37 Development: There was lots of development activity on Apache Tomcat 7 and forthcoming Apache Tomcat 8 release. Community: Konstantin Kolinko has been voted as Apache Software Foundation member. Beside that there were no changes in community membership. Security: * CVE-2013-2071 - Moderate: Information disclosure Fixes a scenario where elements of a previous request may be exposed to a current request. * CVE-2013-2067 - Important: Session fixation FORM authentication associates the most recent request requiring authentication with the current session. This issue was identified by the Tomcat security team on 15 Oct 2012 and made public on 10 May 2013. Trademark: Detailed status: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt There are no pending trademark issues which would require board's attention at this time.
General Continued healthy activity across multiple components and responsiveness on both dev and user lists. Issues There are no issues requiring Board attention at this time. Releases * Apache Tomcat 7.0.37 * Apache Tomcat 7.0.36 * Apache Tomcat 7.0.35 * Apache Tomcat Native 1.1.27 * Apache Tomcat 5.5.36 * Apache Tomcat Maven Plugin 2.1.0 Development There was lots of development activity on Apache Tomcat 7 and forthcoming Apache Tomcat 8 release. Community Violeta Georgieva has been voted as new Tomcat committer. Added comments.apache.org to TC 7 live docs to improve user community interaction. Security We are working on number of other non critical security issues which will be disclosed with future releases. Trademark Detailed status https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt There are no pending trademark issues which would require board's attention at this time.
General: Continued healthy activity across multiple components and responsiveness on both dev and user lists. Issues: The Tomcat PMC is concerned about the ongoing uncertainty over the future of the TCK agreement. The Tomcat PMC is working with the VP Legal Affairs on a way forward for on-going access to the TCKs. The TCKs are a useful tool and the Tomcat PMC would like to retain access to them if an acceptable agreement can be reached with Oracle. Releases: - Apache Tomcat 7.0.34 - Apache Tomcat 7.0.33 - Apache Tomcat 7.0.32 - Apache Tomcat 6.0.36 - Apache Tomcat 5.5.36 - Apache Tomcat Maven Plugin 2.0.0 Development: There was lots of development activity on forthcoming Apache Tomcat 8 release. Community: There were no changes in community since the last report. Security: - CVE-2012-4431 - Important: Bypass of CSRF prevention filter The CSRF prevention filter could be bypassed if a request was made to a protected resource without a session identifier present in the request. - CVE-2012-2733 - Important: Denial of service The checks that limited the permitted size of request headers were implemented too late in the request parsing process for the HTTP NIO connector. This enabled a malicious user to trigger an OutOfMemoryError by sending a single request with very large headers. - CVE-2012-3546 - Important: Bypass of security constraints This issue was identified by the Tomcat security team on 13 July 2012 and made public on 4 December 2012. * CVE-2012-3439 - Moderate: DIGEST authentication weakness Three weaknesses in Tomcat's implementation of DIGEST authentication were identified and resolved. We are working on number of other non critical security issues which will be disclosed with future releases. Trademark: Detailed status can be found at https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt There are no pending trademark issues which would require board's attention at this time.
General: Continued healthy activity across multiple components and responsiveness on both dev and user lists. Issues: There are no issues requiring Board attention at this time. Releases: * Apache Tomcat 7.0.30 * Apache Tomcat 7.0.29 * Apache Tomcat 7.0.28 * Apache Tomcat Native 1.1.24 Development: There was lots of development activity on forthcoming Apache Tomcat 8 release. Community: Keiichi Fujino has joined Apache Tomcat PMC. Security: We were working on number of non critical security issues which will be disclosed with future releases. Trademark: Detailed status: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt There are no pending trademark issues which would require board's attention at this time.
General:
Continued healthy activity across multiple components and responsiveness on both dev and user lists.

Issues:
There are no issues requiring Board attention at this time.

Releases:
* Apache Tomcat 7.0.27
* Apache Tomcat Connectors 1.2.37
* Apache Tomcat Connectors 1.2.36
* Apache Tomcat Connectors 1.2.35
* Apache Taglibs Parent POM 3

Community:
There were no changes in community membership.

Security:
There were few minor reported security issues which have been handled as plain bugs.

Trademark:
Detailed status: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt
There are no pending trademark issues which would require the board's attention.
General:
Continued healthy activity across multiple components and responsiveness on both dev and user lists.

Issues:
There are no issues requiring Board attention at this time.

Releases:
* Apache Tomcat 7.0.26
* Apache Tomcat 7.0.25
* Apache Tomcat 5.5.35
* Apache Tomcat Connectors 1.2.33
* Apache Tomcat Native 1.1.23
* Apache Taglibs Parent POM 1
* Apache Tomcat Maven Plugin 2.0-beta-1

Community:
Olivier Lamy has been elected as a new Apache Tomcat PMC member.

Security:
* CVE-2012-0022 Denial of service
* CVE-2011-3375 Information disclosure
* CVE-2011-1184 Multiple weaknesses in HTTP DIGEST authentication
  Note: Mitre elected to break this issue down into multiple issues and have allocated the following additional references to parts of this issue: CVE-2011-5062, CVE-2011-5063 and CVE-2011-5064. The Apache Tomcat security team will continue to treat this as a single issue using the reference CVE-2011-1184.

Trademark:
Detailed status: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt
Tomcat PMC initiated licensing discussion with Oracle regarding a couple of issues with Oracle's JSTL release. Waiting for the response from their legal team.
Continued healthy activity across multiple components and responsiveness on both dev and user lists.

Issues:
There are no issues requiring Board attention at this time.

Releases:
* Apache Tomcat 7.0.23
* Apache Tomcat 7.0.22
* Apache Tomcat 6.0.35
* Apache Tomcat 5.5.34

Community:
There were no community membership changes since the last board report.

Security:
* CVE-2011-1184 Multiple weaknesses in HTTP DIGEST authentication
* CVE-2011-3376 Privilege Escalation

Trademark:
Detailed status: https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt
General:
Continued healthy activity across multiple components and responsiveness on both dev and user lists.
We have announced on mailing lists that support for Apache Tomcat 5.5.x will end on 30 September 2012. Updating official web site will follow.
There are no issues requiring Board attention at this time.

Releases:
* Apache Tomcat 7.0.16
* Apache Tomcat 7.0.19
* Apache Tomcat 7.0.20
* Apache Tomcat 7.0.21
* Apache Tomcat 6.0.33
* Apache Tomcat Native 1.1.22
* Apache Tomcat Native 1.1.22
* Apache Tomcat Connectors 1.2.32

Community:
Two new committers (Eiji Takahashi and Olivier Lamy) joined the Apache Tomcat team.

Security:
* CVE-2011-3190
  The AJP protocol is designed so that when a request includes a request body, an unsolicited AJP message is sent to Tomcat that includes the first part (or possibly all) of the request body. In certain circumstances, Tomcat did not process this message as a request body but as a new request.
* CVE-2011-2729
  Due to a bug in the capabilities code, jsvc (the service wrapper for Linux that is part of the Commons Daemon project) does not drop capabilities allowing the application to access files and directories owned by superuser.
* CVE-2011-2526
  Tomcat provides support for sendfile with the HTTP NIO and HTTP APR connectors. sendfile is used automatically for content served via the DefaultServlet and deployed web applications may use it directly via setting request attributes. These request attributes were not validated. When running under a security manager, this lack of validation allowed a malicious web application to do one or more of the following that would normally be prevented by a security manager:
  - return files to users that the security manager should make inaccessible
  - terminate (via a crash) the JVM
* CVE-2011-2204
  When using the MemoryUserDatabase (based on tomcat-users.xml) and creating users via JMX, an exception during the user creation process may trigger an error message in the JMX client that includes the user's password. This error message is also written to the Tomcat logs. User passwords are visible to administrators with JMX access and/or administrators with read access to the tomcat-users.xml file. Users that do not have these permissions but are able to read log files may be able to discover a user's password.
* CVE-2011-2481
  The re-factoring of XML validation for Tomcat 7.0.x re-introduced the vulnerability previously reported as CVE-2009-0783. This was initially reported as a memory leak. If a web application is the first web application loaded, this bug allows that web application to potentially view and/or alter the web.xml, context.xml and tld files of other web applications deployed on the Tomcat instance.

Trademark:
Detailed status is in the private tomcat repository.
Good to see trademark status tracked in svn.
General:
Continued healthy activity across multiple components and responsiveness on both dev and user lists.
There are no issues requiring Board attention at this time.

Releases:
* Apache Tomcat 7.0.12
* Apache Tomcat 7.0.14

Community:
There were no community membership changes since the last board report.
A couple of developers were present at the Apache Retreat in Knockree working on various issues and code, namely AJP NIO connector.

Security:
* CVE-2011-1183
  A regression in the fix for CVE-2011-1088 meant that security constraints were ignored when no login configuration was present in the web.xml and the web application was marked as meta-data complete.
* CVE-2011-1475
  Changes introduced to the HTTP BIO connector to support Servlet 3.0 asynchronous requests did not fully account for HTTP pipelining.
* CVE-2011-1582
  An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that security constraints configured via annotations were ignored on the first request to a Servlet. Subsequent requests were secured correctly.

Trademark:
Reviewed private@tomcat.a.o for all trademark issues and created status file in svn for tracking.
Current status:
* Resolved
  7 products, 2 web sites, 1 advert. 10 total
* In progress
  3 products promised to rename
  1 product with legal-internal
  1 product in process of renaming (just domain name left)
  1 product considering entering incubation
  1 website promised to make updates

Issues:
We are still waiting for EL 2.2 TCK. 18 months and counting.
Shane awards a rare gold star for working with third parties on brand issues!
Summary:
The project continues to be active on a number of fronts. There are no issues requiring Board attention at this time.

Releases:
Apache Tomcat 7.0.11 - released
Apache Tomcat 7.0.10 - released
Apache Tomcat 7.0.8 - released
Apache Tomcat 7.0.7 - released
Apache Tomcat 7.0.6 - released as first stable
Apache Tomcat 6.0.32 - released
Apache Tomcat 6.0.30 - released
Apache Tomcat 5.5.33 - released
Apache Tomcat 5.5.32 - released

Security:
We've been working closely with security issue reports and the Apache Security committee on quickly replying to issues, resolving them, and coordinating public disclosures.
CVE-2011-1088 Security constraint bypass.
  When a web application was started, ServletSecurity annotations were ignored.
CVE-2011-0534 Remote Denial Of Service.
  The NIO connector expands its buffer endlessly during request line processing. That behaviour can be used for a denial of service attack using a carefully crafted request.
CVE-2011-0013 Cross-site scripting.
  The HTML Manager interface displayed web application provided data, such as display names, without filtering.

Development:
Development was concentrated mainly on fixing bugs for the current releases and pushing those releases out. We hope to have some committers at Knockree Retreat. Plans still TBD.

GSoC:
Change of approach in an effort to increase student ownership of their GSoC work. No plans to propose projects for students. Happy to consider student proposed projects.

JCP:
EL 2.2 TCK still not available over 12 months since the initial request from the ASF. Not expecting it any time soon. Currently challenging two Servlet 3.0 TCK tests.

The ASF JIRA instance is now running on the latest Tomcat 7 release.

Trademark Issues:
We currently have two open trademark issues:
- http://itunes.apple.com/us/app/itomcats/id388474856?mt=8&ign-mpt=uo%3D4
  Rainer Jung is following up
- http://tomcat.jaxmao.org/
  Initial e-mail sent, no response received after 4 weeks
We have three trademark issues resolved:
- Tomcat plug-in for Eclipse changed their name to "Mongrel"
- Apache Tomcat Maven Plugin will become Apache Tomcat sub-project via incubator.
- TomCat Publishing. New independent book publisher. Not IT related. Not an issue.

Community:
There were no changes in the committership nor PMC membership during this quarter.
Shane: Many thanks for excellent branding coverage.
Summary
--------------
The project continues to be active on a number of fronts. There are no issues requiring Board attention at this time.

Releases
-------------
Apache Tomcat 7.0.5 - released
Apache Tomcat 7.0.4 - released
Apache Tomcat 5.5.31 - released
Apache Tomcat Connectors 1.2.31 - released

Security
------------
We've been working closely with security issue reports and the Apache Security committee on quickly replying to issues, resolving them, and coordinating public disclosures.
CVE-2010-4172
  The Manager application used the user provided parameters sort and orderBy directly without filtering thereby permitting cross-site scripting.

Development
-------------------
Development was concentrated mainly on fixing bugs for the current releases and pushing those releases out.
Thanks to the infrastructure team (specifically Gavin in this case) we now have CI builds of the Tomcat 6 & 7 docs that will update with every commit.
The new front page for Tomcat 7 has been developed and we are working on the new Tomcat site with the same look and feel.
Work has begun on Parallel deployment, a feature that essentially allows having two (or more) versions of the same application deployed side-by-side.
We have also made sure to make our project compliant with the newest ASF trademark guidelines.

Community
-----------------
We are pleased to have two new members in our team. Christopher Schultz and Sylvain Laurent were voted as new committers.
We have also launched the official Apache Tomcat project Twitter feed.
Summary:
The project continues to be active on a number of fronts. There are no issues requiring Board attention at this time.

Releases:
Apache Tomcat 7.0.2 - released
Apache Tomcat 7.0.1 - not released
Apache Tomcat 6.0.29 - released
Apache Tomcat 6.0.28 - released
Apache Tomcat 6.0.27 - not released
Apache Tomcat 5.5.31 - voted (announcement pending)
Apache Tomcat 5.5.30 - released

Security:
We've been working closely with security issue reports and the Apache Security committee on quickly replying to issues, resolving them, and coordinating public disclosures.
CVE-2010-2227: Remote Denial Of Service and Information Disclosure Vulnerability
  Several flaws in the handling of the 'Transfer-Encoding' header were found that prevented the recycling of a buffer. A remote attacker could trigger this flaw which would cause subsequent requests to fail and/or information to leak between requests. This flaw is mitigated if Tomcat is behind a reverse proxy (such as Apache httpd 2.2) as the proxy should reject the invalid transfer encoding header.
CVE-2010-1157: Information disclosure in authentication headers
  The WWW-Authenticate HTTP header for BASIC and DIGEST authentication includes a realm name. If a <realm-name> element is specified for the application in web.xml it will be used. However, if a <realm-name> is not specified then Tomcat will generate realm name using the code snippet request.getServerName() + ":" + request.getServerPort(). In some circumstances this can expose the local host name or IP address of the machine running Tomcat.

Development:
Development was concentrated mainly on fixing bugs for the current releases and pushing those releases out.
The GSOC work completed. It was touch and go whether or not it was going to be successful for a while but we ended up with some cool enhancements and additions fixes to Tomcat 7's JMX support which allow a user to configure a working Tomcat instance over JMX from an absolute bare minimum starting point. The student appears to be continuing with their involvement with the project.
Tomcat 7 has reached about 10% of total Tomcat downloads (not counting mirrors) which is pretty good considering it is still beta.

Community:
There was a lot of activity on the Users list recently and we are planning to offer commit privileges to a couple of the most active users that are also willing to be involved in development by providing code patches.
Summary
--------------
The project continues to be active on a number of fronts. There are no issues requiring Board attention at this time.

Releases
-------------
We have released Apache Tomcat 5.5.29 which mainly fixes numerous bugs over the previous 5.5.28 release.
We have also prepared a number of Apache Tomcat 7.0 release candidates which are used to polish the API before creating 7.0.x branch and switching to RTC policy.

Security
------------
We have been working closely with security issue reports and the Apache Security committee on quickly replying to issues, resolving them, and coordinating public disclosures.
CVE-2010-1157: Information disclosure in authentication headers.
  The WWW-Authenticate HTTP header for BASIC and DIGEST authentication includes a realm name. If a <realm-name> element is specified for the application in web.xml it will be used. However, if a <realm-name> is not specified then Tomcat will generate realm name using the code snippet request.getServerName() + ":" + request.getServerPort(). In some circumstances this can expose the local host name or IP address of the machine running Tomcat.

Development
-------------------
Development was concentrated mainly on releasing Tomcat 7.0 and the effort to make it specification compliant. Tomcat 7.0 also now passes the TCK with security manager enabled, which was not true for a very long time.
We plan to release Tomcat 6.0.27 this month and are currently in the review process.
Finally we plan to release the first Tomcat 7 public release within the next few weeks.

Community
-----------------
We had a strong presence at Apache Retreat (Ireland) and have determined the sessions for the Tomcat track at Apache Con 2010.
Summary
--------------
The project continues to be active on a number of fronts. There are no issues requiring Board attention at this time.

Releases
-------------
We have released Apache Tomcat 6.0.24 and 6.0.26.
We have released Tomcat Connectors 1.2.30. Version 1.2.29 was released but later withdrawn because of regression in IIS connector.
And we have also released Tomcat Native versions 1.1.19 and 1.1.20.

Security
------------
We've been working closely with security issue reports and the Apache Security committee on quickly replying to issues, resolving them, and coordinating public disclosures.
CVE-2009-2693: Arbitrary file deletion and/or alteration on deploy
  When deploying WAR files, the WAR files were not checked for directory traversal attempts. This allows an attacker to create arbitrary content outside of the web root by including entries such as ../../bin/catalina.sh in the WAR.
CVE-2009-2901: Insecure partial deploy after failed deploy
  By default, Tomcat automatically deploys any directories placed in a host's appBase. This behaviour is controlled by the autoDeploy attribute of a host which defaults to true. After a failed undeploy, the remaining files will be deployed as a result of the autodeployment process. Depending on circumstances, files normally protected by one or more security constraints may be deployed without those security constraints, making them accessible without authentication. This issue only affects Windows platforms.
CVE-2009-2902: Unexpected file deletion in work directory
  When deploying WAR files, the WAR file names were not checked for directory traversal attempts. For example, deploying and undeploying ...war allows an attacker to cause the deletion of the current contents of the host's work directory which may cause problems for currently running applications.

Development
-------------------
Development was concentrated mainly on fixing bugs for the current releases and pushing those releases out.
Recent months have seen further significant reductions in the bug backlog for Tomcat 5 & 6. Unresolved bugs now number ~20 with the oldest opened around a month ago.
Tomcat 7 development is progressing. The JSP 2.2 and EL 2.2 implementations are complete and pass the TCK. The Servlet 3.0 is nearly complete with just the asynchronous work and the TCK testing remaining. The hope is to have a TCK compliant Tomcat 7 release by the end of March.

Community
-----------------
Tim Whittington was elected as new Apache Tomcat committer.
Konstantin Kolinko was voted onto the Apache Tomcat PMC.
Also a few of us will be present at Apache Retreat in Ireland next month. We have also invited a few users that are very active and helpful at Apache Tomcat users list, hoping that will encourage them for eventual development involvement.
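The kind of check whose absence CVE-2009-2693 and CVE-2009-2902 describe in the report above, as an added Java example; it is not Tomcat's code or its actual fix. The class and method names, the directory paths and the in-memory sample WAR are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

// Added illustration, not Tomcat source: path checks a deployer can apply to a WAR.
public class WarPathCheck {

    // Entry check (the CVE-2009-2693 case): the resolved entry must stay under docBase.
    // Absolute names and "../" sequences both end up outside the base and are refused.
    static Path resolveEntry(Path docBase, String entryName) throws IOException {
        Path root = docBase.toAbsolutePath().normalize();
        // ZIP entry names use '/', so a backslash is refused on every platform.
        if (entryName.indexOf('\\') < 0) {
            try {
                Path target = root.resolve(entryName).normalize();
                if (target.startsWith(root)) {
                    return target;
                }
            } catch (InvalidPathException e) {
                // not a usable path on this platform: treated as a rejection below
            }
        }
        throw new IOException("entry escapes " + root + ": " + entryName);
    }

    // File-name check (the CVE-2009-2902 case): the name minus ".war" must be exactly
    // one directory directly below baseDir, so "...war" (which leaves "..") is refused.
    static Path contextDir(Path baseDir, String warFileName) throws IOException {
        Path root = baseDir.toAbsolutePath().normalize();
        if (warFileName.endsWith(".war")) {
            String name = warFileName.substring(0, warFileName.length() - ".war".length());
            try {
                Path target = root.resolve(name).normalize();
                if (root.equals(target.getParent())) {
                    return target;
                }
            } catch (InvalidPathException e) {
                // not a usable path on this platform: treated as a rejection below
            }
        }
        throw new IOException("unsafe WAR file name: " + warFileName);
    }

    // Lists every entry that fails the check; a deployer should refuse the whole
    // archive when this list is not empty, before writing anything to disk.
    static List<String> rejectedEntries(byte[] war, Path docBase) throws IOException {
        List<String> rejected = new ArrayList<>();
        try (ZipInputStream in = new ZipInputStream(new ByteArrayInputStream(war))) {
            for (ZipEntry e = in.getNextEntry(); e != null; e = in.getNextEntry()) {
                try {
                    resolveEntry(docBase, e.getName());
                } catch (IOException ex) {
                    rejected.add(e.getName());
                }
            }
        }
        return rejected;
    }

    // Constructed sample: two ordinary entries and the traversal entry the report names.
    static byte[] sampleWar() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream out = new ZipOutputStream(buf)) {
            for (String name : new String[] {"index.jsp", "WEB-INF/web.xml", "../../bin/catalina.sh"}) {
                out.putNextEntry(new ZipEntry(name));
                out.write("constructed".getBytes(StandardCharsets.UTF_8));
                out.closeEntry();
            }
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path docBase = Paths.get("webapps", "sample"); // hypothetical deployment directory
        System.out.println("rejected entries: " + rejectedEntries(sampleWar(), docBase));
        for (String war : new String[] {"sample.war", "...war", ".war"}) {
            try {
                System.out.println(war + " -> " + contextDir(Paths.get("work"), war));
            } catch (IOException ex) {
                System.out.println(war + " -> refused (" + ex.getMessage() + ")");
            }
        }
    }
}
```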
Summary
--------------
The project continues to be active on a number of fronts. There are no issues requiring Board attention at this time.

Releases
-------------
We have released Tomcat Native 1.1.18.

Security
------------
We've been working closely with security issue reports and the Apache Security committee on quickly replying to issues, resolving them, and coordinating public disclosures.
CVE-2009-3548 - Insecure default password
  The Windows installer defaults to a blank password for the administrative user. If this is not changed during the install process, then by default a user is created with the name admin, roles admin and manager and a blank password.

Development
-------------------
Development was concentrated mainly on fixing bugs for the current releases and on finalizing the Tomcat 7. The new Tomcat Lite was moved from the sandbox to the modules directory.
We have requested the Solaris Zone for Tomcat PMC which we would like to use for creating daily and release builds.

Community
-----------------
There were no changes in the committership nor PMC membership during this quarter.
Jim to make sure that the Tomcat project is aware of infra-managed build options before rolling their own on a zone.
Summary
--------------
The project continues to be active on a number of fronts. There are no issues requiring Board attention at this time.

Releases
-------------
We have released Tomcat 5.5.28 and 4.1.40 versions. Tomcat 4.1.40 was the last 4.1.x version we plan to release.

Security
------------
There were no security issue reports that would require urgent resolution from the last board report.

Development
-------------------
Development was concentrated mainly on fixing bugs for the current releases and on figuring out the needed tasks for Tomcat 7.
Three taglibs from Jakarta Taglibs were successfully migrated over to the Tomcat SVN; namely Reusable Dialog Components (RDC), Standard Tag Library (JSTL implementation) and an in development Extended Tag Library. Migration of the web site is in progress and user mailing list migration is requested in INFRA-2185.
Also we reorganized the SVN repository layout to better serve the multiple branches and project modularity.

Community
-----------------
Glen Nielsen PMC membership status was changed to emeritus on his own request.
Also the SVN access was granted to JSP taglibs team so they can continue development.
We have also voted the proposed 10th anniversary Tomcat logo, and we hope to have its final form in the next couple of weeks.
Summary
--------------
The project continues to be active on a number of fronts. There are no issues requiring Board attention at this time.

Releases
-------------
We have released Tomcat 6.0.20. Tomcat 6.0.19 was not released due to some small packaging localization issues.
We are currently in the release process for 5.5.28 and 4.1.40 versions. Tomcat 4.1.40 is likely to be the last 4.1.x release.
Mod_jk 1.2.28 was released with numerous of binaries for selected platforms.
Finally JDBC Pool 1.0.3 was released.

Security
------------
We've been working closely with security issue reports and the Apache Security committee on quickly replying to issues, resolving them, and coordinating public disclosures.
CVE-2008-5515 - Information disclosure vulnerability
  When using a RequestDispatcher obtained from the Request, the target path was normalised before the query string was removed. A request that included a specially crafted request parameter could be used to access content that would otherwise be protected by a security constraint or by locating it in under the WEB-INF directory.
  Fixed and included in 6.0.20 release
CVE-2008-5519 - Information disclosure vulnerability
  Situations where faulty clients set Content-Length without providing data, or where a user submits repeated requests very quickly, may permit one user to view the response associated with a different user's request.
  Fixed in the mod_jk 1.2.27 release, but was assigned CVE number later.
CVE-2009-0033 - DoS vulnerability
  If Tomcat receives a request with invalid headers via the Java AJP connector, it does not return an error and instead closes the AJP connection. In case this connector is member of a mod_jk load balancing worker, this member will be put into an error state and will be blocked from use for approximately one minute. Thus the behaviour can be used for a denial of service attack using a carefully crafted request.
  Fixed and included in 6.0.20 release
CVE-2009-0580 - Information disclosure vulnerability
  Due to insufficient error checking in some authentication classes, Tomcat allows for the enumeration (brute force testing) of user names by supplying illegally URL encoded passwords. The attack is possible if FORM based authentication (j_security_check) is used with the MemoryRealm.
  Fixed in the SVN for all major Tomcat branches and included in the Tomcat 6.0.20 release.
CVE-2009-0781 - Cross-site scripting vulnerability
  The calendar application in the examples web application contains an XSS flaw due to invalid HTML which renders the XSS filtering protection ineffective.
  Fixed in the SVN for all major Tomcat branches and included in the Tomcat 6.0.20 release.
CVE-2009-0783 - Information disclosure vulnerability
  Bugs 29936 and 45933 allowed a web application to replace the XML parser used by Tomcat to process web.xml, context.xml and tld files. In limited circumstances these bugs may allow a rogue web application to view and/or alter the web.xml, context.xml and tld files of other web applications deployed on the Tomcat instance.
  Fixed in the SVN for all major Tomcat branches and included in the Tomcat 6.0.20 release.
Currently there are no pending security issues.

Development
-------------------
Development was concentrated mainly on security issues and fixing bugs for the current releases.
Jakarta PMC proposed and we accepted to move the JSP Standard Tag Library technologies project (Taglibs) from Jakarta and continue its development inside Apache Tomcat.
Also we are currently discussing to reorganize SVN repository to better serve the multiple branches and project modularity.
Tomcat 7 / Servlet 3.0 is still in the early stages of development.

Community
-----------------
There were no changes in the PMC membership during this quarter.
We are very happy that Konstantin Kolinko joined us as a new committer.
We are preparing the Tomcat day for this year's Apache Con US, and it seems majority of Tomcat PMC members will be present on the conference giving its best to promote a 10th year anniversary of both ASF and Apache Tomcat.
We should highlight 10 years of Tomcat at the next ApacheCon US.
Apache Tomcat Board Report, March 2009

Summary
--------------
The project continues to be active on a number of fronts. There are no issues requiring Board attention at this time.

Releases
-------------
We didn't cut any release from the last board report. However we are in the process of releasing mod_jk 1.2.28 and Tomcat 6.0.19.

Security
------------
We've been working closely with security issue reports and the Apache Security committee on quickly replying to issues, resolving them, and coordinating public disclosures.
CVE-2009-0781 - Cross-site scripting vulnerability
  The calendar application in the examples web application contains an XSS flaw due to invalid HTML which renders the XSS filtering protection ineffective.
  Fixed in the SVN for all major Tomcat branches.
We are working on a few other security issues not mentioned here because they have not been publicly disclosed yet.

Development
-------------------
Development was concentrated mainly on security issues and fixing bugs for the current releases.

Community
-----------------
There were no changes in the committership nor PMC membership during this quarter.
Summary
--------------
The project continues to be active on a number of fronts. There are no issues requiring Board attention at this time.

Releases
-------------
We cut a number of releases mostly of our connector branches.
Tomcat Connectors 1.2.27 was released last month, both primarily bug fix and feature enhancement over the previous 1.2.26 release.
Tomcat Native connector 1.1.16 was released, primarily minor bug fix release over the previous 1.1.15 release.
And finally Tomcat 4.1.39 was released including a number of recently resolved security issues.

Security
------------
We've been working closely with security issue reports and the Apache Security committee on quickly replying to issues, resolving them, and coordinating public disclosures.
CVE-2008-2938 will shortly be updated to correctly ID the root cause as the JVM rather than Tomcat.

Development
-------------------
Development was concentrated mainly on security issues and fixing bugs for the current releases. We branched Tomcat Native connector to 1.1.x stable and all future development will take place in head aiming 1.2.x versions. The 1.1.x branch is considered stable and will have RTC commit policy.

Community
-----------------
After last quarter's new committers and PMC members, there were no changes in the committership nor PMC membership this time. The new commit policy is working very fine, and we've been very active both in commit and release volume.
Summary
--------------
The project continues to be active on a number of fronts. There are no issues requiring Board attention at this time.

Releases
-------------
We cut a number of releases incorporating majority of our active branches.
Tomcat 6.0.18 was released last month, both primarily bug fix and security fix release over the previous 6.0.16 release. Although we tagged 6.0.17 it wasn't released due to security fixes that were incorporated in 6.0.18.
Tomcat Native connector 1.1.14 was released, primarily bug fix release over the previous 1.1.13 release.
Tomcat Native connector 1.1.15 was released, fixing IPV4/IPV6 bug over the previous releases.
Finally Tomcat 5.5.27 was released, fixing bugs and security issues over the previous 5.5.26 release.

Security
------------
We've been working closely with security issue reports and the Apache Security committee on quickly replying to issues, resolving them, and coordinating public disclosures.
The following security issues have been resolved:
CVE-2008-1232
  The message argument of HttpServletResponse.sendError() call is not only displayed on the error page, but is also used for the reason-phrase of HTTP response.
  6.0.x: Fixed, released and announced
  5.5.x: Fixed in the SVN and announced
  4.1.x: Fixed in the SVN and announced
CVE-2008-1947
  The Host Manager web application did not escape user provided data before including it in the output. This enabled a XSS attack.
  6.0.x: Fixed, released and announced
  5.5.x: Fixed, released and announced
CVE-2008-2370
  When using a RequestDispatcher the target path was normalised before the query string was removed.
  6.0.x: Fixed, released and announced
  5.5.x: Fixed, released and announced
  4.1.x: Fixed in the SVN and announced
CVE-2008-2938
  If a context is configured with allowLinking="true" and the connector is configured with URIEncoding="UTF-8" then a malformed request may be used to access arbitrary files on the server.
  6.0.x: Fixed, released and announced
  5.5.x: Fixed, released and announced
  4.1.x: Fixed in the SVN and announced
CVE-2008-0128
  When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO is transmitted without the "secure" attribute.
  4.1.x: Fixed in the SVN and announced

Development
-------------------
Development was concentrated mainly on security issues and fixing bugs for the current releases. We are currently in discussions to use some of the code Costin was working on for more than 3 years inside 'Tomcat Lite' branch. Mod_jk had lots of bug fixes since last released version, so we plan to release a new version 1.2.27 this month.

Community
-----------------
After last quarter's new committers and PMC members, there were no changes in the committership nor PMC membership this time. The new commit policy is working very fine, and we've been very active both in commit and release volume.
Summary
--------------
The project continues to be active on a number of fronts. There are no issues requiring Board attention at this time.

Releases
-------------
There were no releases from the last report.

Security
------------
We've been working closely with security issue reports and the Apache Security committee on quickly replying to issues, resolving them, and coordinating public disclosures.
The following security issues have been resolved:
CVE-2008-0128 JSESSIONIDSSO is transmitted without the "secure" attribute
  6.0.x: Fixed, released and announced
  5.5.x: Fixed, released and announced
We are currently working on the following security issues:
CVE-2008-1232 XSS with national characters and reason-phrase of HTTP response
CVE-2008-1947 Need to get a CVE for this More XSS in manager app

Development
-------------------
We decided by majority that Tomcat Version 3.x will be declared as unsupported. This means removing download links from tomcat.apache.org site and marking all bugzilla issues as WONTFIX.
We decided by majority that Tomcat version 4.x will be marked as de-supported giving a 12 to 16 months period before marking it as unsupported.
Beyond that, development was concentrated mainly on fixing bugs for the current releases.

Community
-----------------
After last quarter's new committers and PMC members, there were no changes in the committership nor PMC membership this time. The new commit policy is working very fine, and we've been very active both in commit and release volume.
Summary
--------------
The project continues to be active on a number of fronts. There are no issues requiring Board attention at this time.

Releases
-------------
We cut a number of releases incorporating all our active branches.
Tomcat 5.5.26 was released last month incorporating numerous security updates and bug fixes.
Tomcat 6.0.16 was released last month, both primarily bug fix and security fix release over the previous 6.0.14 release.
Tomcat connectors, mod_jk, had a release: 1.2.26.
Tomcat Native connector, had a first release: 1.1.13.
Finally the Tomcat 4.1.37 was released which was primarily security fix release.

Security
------------
We've been working closely with security issue reports and the Apache Security committee on quickly replying to issues, resolving them, and coordinating public disclosures.

Development
-------------------
We decided by majority that Tomcat Native (APR based connector) will be handled from now on as a separate subproject with its own release cycle. The standard vote/release process will be applied to it. The reason for separating this subcomponent to a separate release cycle is to better maintain this optional component, and to provide limited backward bug fix compatibility, and the fact that it is used both by Tomcat 5.5 and 6.0 branches.

Community
-----------------
After last quarter's new committers and PMC members, there were no changes in the committership nor PMC membership this time. The new commit policy is working very fine, and we've been very active both in commit and release volume.
Summary
--------------
The project continues to be active on a number of fronts. There are no issues requiring Board attention at this time.

Releases
-------------
There were no releases this month. However, we are pretty close to releasing Tomcat 6.0.15 and mod_jk 1.2.26.

Security
------------
We had fewer security-related issues, so it seems most of them have been fixed for forthcoming releases.

Development
-------------------
Lots of development took place, mostly related to bug fixing the reasons 6.0.15 failed the release.

The Tomcat PMC is participating in the Google Highly Open Participation (GHOP) project, an effort to involve high school students in open-source software development. We submitted five tasks to the project: three have been completed, and two are in progress:

- The Tomcat FAQ was migrated from a static document set accessible only to committers to a public wiki,
- New documentation in the areas of Tomcat internal dependencies, and guides on programming Tomcat Valves and Realms
- Improved XSLT / CSS handling for the printer-friendly version of tomcat.apache.org pages

The Tomcat PMC hopes to continue its involvement with these types of projects, and maybe pick up a couple of new contributors in the process.

Community
-----------------
There were no changes to the committership or PMC membership this time.
Approved by General Consent.
Summary
--------------
The project continues to be active on a number of fronts. There are no issues requiring Board attention at this time.

Releases
-------------
There were no releases this month.

Security
------------

Development
-------------------
We have voted on the new commit policy, caused by a serious dispute between two leading Tomcat core developers with different views on the development process and some personal dislike.

Here is the VOTE synopsis:

o Existence of release and development branches in parallel with each other (dev are odd numbered, release are even numbered).
o Development branches are CTR. If code or patches to this branch change the API, advanced warning is required even before the commit. It may be open to a vote if there is debate. Larger patches, as well as far-reaching patches, should also be community gauged before implemented.
o Release branches are RTC, with patches obtained from the development tree. Thus, backports refer to the SVN revision on the development tree which adds that feature.
o Both branches have a STATUS file. For the release branch, STATUS is also used to note backport proposals.
o Reviews are *always* appropriate. One can call for a formal review of a patch at any time.
o Voting is via normal ASF rules.
o Regarding large and/or API changing patches, use of a sandbox is recommended to allow for SVN history to be maintained, to encourage outside interest and involvement ("Hey, I'm working on Foo. Here is the SVN url. Come and help or at least follow along"). This also allows for more complete understanding of the impacts before it reaches the dev branch.

The vote was passed with a majority of votes from PMC members including Jim, Yoav, Tim, Remy, Costin, Filip, Mark, Mladen, Jean-Frederic, Rainer, Peter and Henri and without any -1.

This caused the creation of STATUS files, and all significant patches are now first put for a majority vote and review inside:

http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS?view=markup
and
http://svn.apache.org/viewvc/tomcat/current/tc5.5.x/STATUS?view=markup

The Apache Tomcat 6.0.15 release was stopped because of a few minor TCK issues, so the plan is to tag and release 6.0.16 in the following week.

Mod_jk is on the way for a 1.2.26 release with a number of bug fixes from the 1.2.25 release.

Community
-----------------
There were no changes to the committership or PMC membership this time. So far, for the last couple of months, we have been able to continue the active development with the newly adopted commit rules.
Approved by General Consent.
The board will once again request another Tomcat report in November.
Approved by General Consent.
Summary
--------------
The project continues to be active on a number of fronts. There are no issues requiring Board attention at this time.

Releases
-------------
We cut a number of releases incorporating all our active branches. Tomcat 5.5.25 was released this month. Tomcat 6, the current production branch, had one release this past quarter: 6.0.14, which is the latest stable Tomcat at this time. Finally, the Tomcat connectors, mainly mod_jk, had a couple of releases as well: 1.2.24 and 1.2.25. However, we had to revoke the 1.2.24 release because of a serious regression that slipped through the testing phase.

Security
------------
The Tomcat security site (http://tomcat.apache.org/security.html) has been getting more love and attention. It now contains the vast majority of known issues and fixes for all Tomcat branches. We've been working closely with security issue reports and the Apache Security committee on quickly replying to issues, resolving them, and coordinating public disclosures. There exist few open security issues at the moment. The fixes are already in SVN, and most of them are already incorporated with 6.0.14 and 5.5.25 releases.

Development
-------------------
There is ongoing discussion about the purpose of the current code inside Tomcat 6 trunk, and the majority of developers have agreed to put the trunk into the sandbox.

Community
-----------------
After last quarter's new committers and PMC members, there were no changes to the committership or PMC membership this time. Mladen Turk was elected as new PMC Chair and voted by the ASF Board.
Discussion on dual design approaches, overall feeling is that this will resolve itself, several directors indicated that they will watch this project.
Approved by General Consent.
WHEREAS, the Board of Directors heretofore appointed Yoav Shapira to the office of Vice President, Apache Tomcat, and

WHEREAS, the Board of Directors is in receipt of the resignation of Yoav Shapira from the office of Vice President, Apache Tomcat;

NOW, THEREFORE, BE IT RESOLVED, that Yoav Shapira is relieved and discharged from the duties and responsibilities of the office of Vice President, Apache Tomcat, and

BE IT FURTHER RESOLVED, that Mladen Turk be and hereby is appointed to the office of Vice President, Apache Tomcat, to serve in accordance with and subject to the direction of the Board of Directors and the Bylaws of the Foundation until death, resignation, retirement, removal or disqualification, or until a successor is appointed.

Special order 7A, Change the Apache Tomcat Project Chair, was approved by Unanimous Vote.
Summary
--------------
The project continues to be active on a number of fronts. There are no issues requiring Board attention at this time.

Releases
-------------
We cut a number of releases incorporating all our active branches. Tomcat 5.5.22 was out a couple of months ago, 5.5.23 last month, and 5.5.24 is coming out later this month. Tomcat 4.1.35 was out a couple of months ago, shortly followed by 4.1.36, both primarily bug fix and security fix releases. Tomcat 6, the current production branch, had three releases this past quarter: 6.0.11, 6.0.12, and 6.0.13, which is the latest stable Tomcat at this time. Finally, the Tomcat connectors, mainly mod_jk, had a couple of releases as well: 1.2.22 and 1.2.23.

Security
------------
The Tomcat security site (http://tomcat.apache.org/security.html) has been getting more love and attention. It now contains the vast majority of known issues and fixes for all Tomcat branches. We've been working closely with security issue reports and the Apache Security committee on quickly replying to issues, resolving them, and coordinating public disclosures. There exist one or two open security issues at the moment. The fixes are already in SVN, the issues are not major, and we're working to coordinate public disclosure with the reporters.

Development
-------------------
We've moved Tomcat 6.0.x into its own SVN branch, continuing work on new and experimental features in the trunk. We also have a sandbox area for really experimental stuff. Tomcat release artifacts, once approved by a PMC vote, are now published on the standard / main Maven repositories. We continue to work with downstream integrators and re-packagers of Tomcat, such as the Gentoo Linux project, on improving our release process and artifacts for their consumption.

ApacheCon
-----------------
Tomcat had a nice presence at this past ApacheCon (in Amsterdam), with a full day of presentations and talks about the project. There were presentations from several Tomcat committers as well as other users and contributors. From what I understand, the talks were well-attended and well-received.

Community
-----------------
After last quarter's new committers and PMC members, there were no changes to the committership or PMC membership this time. The PMC Chair is likely to change next month, continuing the voluntary Tomcat tradition of one year terms.
Henri noted his approval of the renewed "energy" with regards to security within the PMC.
Approved by General Consent.
Apache Tomcat Board Report, March 2007

Summary: Tomcat is chugging along, with significant development milestones achieved this quarter, and no issues requiring Board attention.

Community:

- We've voted in one new committer, Fabien Carrion, whose iCLA will hopefully be recorded this week.
- We've voted in one new PMC member, Rainer Jung, as ACKed by the Board a couple of days ago.
- We've restored one committer, Guenter Knauf, from inactive/emeritus status, back to active status, after re-verifying his iCLA and PGP key, and running an informal vote on the issue.

Development:

- We released the first stable version of Tomcat 6, version 6.0.10, after much testing and iteration. We feel very good about the quality, scalability, and performance of the release. Apparently it's pretty popular, too, judging by the various traffic spikes starting with the release announcement: http://people.apache.org/~vgritsenko/stats/days-trend.html
- We released a couple of versions of Tomcat 5.5, including a stable 5.5.23.
- We released a couple of versions of the Tomcat Connectors, including mod_jk, 1.2.19, 1.2.20, and 1.2.21.
- I personally am very happy with the distributed nature of our release management, in terms of how different people are cutting releases and can back the designated RM for each branch if need be.
- We've worked hard to improve Tomcat-related security information on the web site, creating a new set of summary pages using a similar model to httpd's: http://tomcat.apache.org/security.html is a work in progress, but a great improvement over the previous (lack of) data, we think.
- We've also worked to improve integration and co-operation with the Apache Security Team, triaging and communicating jointly on issues, and educating some of the newer Tomcat PMC members about the process.
- We've also been working more closely with downstream packagers of Tomcat for Linux, specifically Gentoo, and getting their early feedback on each release as tested in their environment. I think that's a cool process improvement, just worth noting that it's been working well.
Approved by General Consent.
Issues requiring the Board's attention: none.

Development
------------------
Work continues apace on Tomcat 6 and the mod_jk connector. Both products have done multiple alpha- and beta-level releases since the last Board report. Both have received increased testing from the committers as well as outside contributors, resulting in some interesting issues discovered and addressed. We hope to have a stable mod_jk release, 1.2.20, in the next week or two, as well as another alpha-level build of Tomcat (6.0.6), and the first stable Tomcat 6 release before the next Board report. Several of the fixes found in Tomcat 6 have been back-ported to Tomcat 5.x as well, but there has been no 5.x release since 5.5.20 in September.

Security
------------
On December 7th a possible security issue was reported to us by the Struts PMC, which had been notified of it earlier. After some discussion, we concluded this was a fairly minor issue with responsibility on both the Tomcat and Struts sides. There was a patch available in SVN within a day or so, and it was back-ported to previous Tomcat branches as well. I think we were all pretty pleased with the efficiency and speed of communication between the projects.

Because the issue has yet to be publicly announced and this Board report may become public before the issue is announced, we are omitting the actual details here. The Tomcat PMC will be glad to provide any details required, and the discussions are archived on the mailing list archives of private@tomcat.apache.org, private@struts.apache.org, and security@tomcat.apache.org.

Trademarks / Legal
----------------------------
A couple of days ago we noted that http://www.octazen.com/product_tomcatnet.html was calling their product Tomcat.NET. We contacted them, CCing the PRC for its records, and Octazen immediately agreed to relabel their product and clarify the page as to their relationship to Apache Tomcat. So this issue was resolved pleasantly and quickly.

Community
----------------
Not much going on here: no new committers, no new PMC members, but no one resigning or leaving either ;)
Justin asked if the security team (aka security@apache.org) was involved regarding the "security" issue noted in the Tomcat report. Yoav, via out-of-meeting correspondence, indicated that they were.
Approved by General Consent.
- We have no issues that require attention from the Board at this time

Development:

- Continued work on Tomcat 6.0 development: we expect to have release 6.0.0 ready roughly at the same time that Servlet Specification v2.5 and JSP Specification v2.1 are finalized. No change here since previous Board report.
- Much work has been done on the mod_jk connector, improving reliability, performance, and monitoring options for httpd / mod_jk administrators. It's been great to see the increased level of energy and enthusiasm around the connectors, and the new connector releases have been getting pre-release testing from a number of committers on various platforms.
- We've also added a non-blocking HTTPS protocol connector written in Java to provide users with another choice on platforms that handle non-blocking IO threads well.
- We're also diversifying release managers: Mark Thomas is the current release manager for Tomcat 4.x, Filip Hanik for Tomcat 5.x, Remy Maucherat for 6.x, and Rainer Jung for the connectors.

Releases:

- mod_jk 1.2.17 and 1.2.18 were released. 1.2.18 is currently the stable release (it was put out on July 20th). mod_jk 1.2.19 is in the works, expected to release in the first half of September.
- Tomcat 4.1.34 was released in the first week of September, and addresses virtually all the issues reported against the previous 4.1 release.
- Tomcat 5.5.18 and 5.5.19 were cut, but did not make it into final release: 5.5.20 is in the works. Tomcat 5.5.17 is still the latest stable Tomcat release.

People:

- No changes since last Board report.
Approved by General Consent
- We have no issues that require attention from the Board at this time

Development:

- Continued work on Tomcat 6.0 development: we expect to have release 6.0.0 ready roughly at the same time that Servlet Specification v2.5 and JSP Specification v2.1 are finalized.
- Continued work on one new and improved clustering implementations (two alternative ones, tentatively referred to as Tribes and GroupCom) for Tomcat 6.0. These will possibly be back-ported as optional modules for Tomcat 5.5 in the future.
- Continued work and testing on an experimental NIO (as in java.nio) HTTP connector, although benchmarking results are unclear at this time

Releases:

- Continued work on the mod_jk connector, and a release candidate for 1.2.16 was put out: at least one serious bug was found, and mod_jk 1.2.17 is now in testing
- A bug fix and back-porting release on the Tomcat 4.1 branch, release 4.1.32-beta, was made in early July
- No new Tomcat 5.0 or 5.5 releases, 5.5.17 is still stable and latest

People:

- New committer: Rainer Jung <rjung@apache.org>
- New PMC members: none
- New PMC chair: Yoav Shapira (yoavs@apache.org)
Approved by General Consent
WHEREAS, the Board of Directors heretofore appointed Remy Maucherat to the office of Vice President, Apache Tomcat Project, and

WHEREAS, the Board of Directors is in receipt of the resignation of Remy Maucherat from the office of Vice President, Apache Tomcat Project;

NOW, THEREFORE, BE IT RESOLVED, that Remy Maucherat is relieved and discharged from the duties and responsibilities of the office of Vice President, Apache Tomcat Project, and

BE IT FURTHER RESOLVED, that Yoav Shapira be and hereby is appointed to the office of Vice President, Apache Tomcat Project, to serve in accordance with and subject to the direction of the Board of Directors and the Bylaws of the Foundation until death, resignation, retirement, removal or disqualification, or until a successor is appointed.

By Unanimous Vote, Special Order 6B, Change of Tomcat PMC Chair, was Approved.
Tabled due to time constraints.
- two new committers: jhook, ralf
- Tomcat 5.5.15 stable was released
- Tomcat 5.5.16 was released
- Tomcat 6 planning and development was started
- JSP 2.1 support is in development
- a new clustering module is in development, based around a new component for group communication named Tribes, which will support more options, including primary/secondary node session replication
- the new AJP APR connector has been put in production use for the ASF JIRA installation, and the two bugs found in the process have been corrected
Approved by General Consent.
No report received or submitted. Greg to contact Remy regarding status.
- Tomcat 5.5.12 release soon
- migration to SVN is due to be completed next week
- tomcat.apache.org web opening soon
- mailing list migration planned
It was noted that the report was extremely short and low on information, especially for a new TLP. Ken was to request that the Tomcat PMC submit more detailed reports in the future.
Approved by General Consent.
Development activities:

After the release of Tomcat 5.5.9 in March, the focus has been on feature additions. A new Tomcat 5.5.10 build has just been released incorporating all these changes. We will also likely bootstrap a new branch (Tomcat 6.0.x) to implement the new specifications very soon.

Infrastructure:

We plan to migrate to the new infrastructure (mailing lists, website, and maybe also at the same time repository migration to SVN) in conjunction with a new stable build, it seems in September. Discussions are still ongoing, and have been slowed down by the summer.

There have been no new committers, and no PMC membership changes.
WHEREAS, the Board of Directors deems it to be in the best interests of the Foundation and consistent with the Foundation's purpose to establish a Project Management Committee charged with the creation and maintenance of open-source software related to the implementation of the Java Servlet and Java Server Pages specifications, for distribution at no charge to the public.

NOW, THEREFORE, BE IT RESOLVED, that a Project Management Committee (PMC), to be known as the "Apache Tomcat PMC", be and hereby is established pursuant to Bylaws of the Foundation; and be it further

RESOLVED, that the Apache Tomcat PMC be and hereby is responsible for the creation and maintenance of software related to creation and maintenance of open-source software related to the implementation of the Java Servlet and Java Server Pages specifications based on software licensed to the Foundation; and be it further

RESOLVED, that the office of "Vice President, Apache Tomcat" be and hereby is created, the person holding such office to serve at the direction of the Board of Directors as the chair of the Apache Tomcat PMC, and to have primary responsibility for management of the projects within the scope of responsibility of the Apache Tomcat PMC; and be it further

RESOLVED, that the persons listed immediately below be and hereby are appointed to serve as the initial members of the Apache Tomcat PMC:

Jean-Francois Arcand (jfarcand@apache.org)
Bill Barker (billbarker@apache.org)
Kin-man Chung (kinman@apache.org)
Jean-Frederic Clere (jfclere@apache.org)
Ian Darwin (idarwin@apache.org)
Tim Funk (funkman@apache.org)
Henri Gomez (hgomez@apache.org)
Filip Hanik (fhanik@apache.org)
Larry Isaacs (larryi@apache.org)
Jim Jagielski (jim@apache.org)
Jan Luehe (luehe@apache.org)
Costin Manolache (costin@apache.org)
Remy Maucherat (remm@apache.org)
Kurt Miller (truk@apache.org)
Glenn Nielsen (glenn@apache.org)
Amy Roh (amyroh@apache.org)
Peter Rossbach (pero@apache.org)
Yoav Shapira (yoavs@apache.org)
Mark Thomas (markt@apache.org)
Mladen Turk (mturk@apache.org)
Keith Wannamaker (keith@apache.org)

NOW, THEREFORE, BE IT FURTHER RESOLVED, that Remy Maucherat be appointed to the office of Vice President, Apache Tomcat, to serve in accordance with and subject to the direction of the Board of Directors and the Bylaws of the Foundation until death, resignation, retirement, removal or disqualification, or until a successor is appointed; and be it further

RESOLVED, that the initial Apache Tomcat PMC be and hereby is tasked with the creation of a set of bylaws intended to encourage open development and increased participation in the Apache Tomcat Project; and be it further

RESOLVED, that the initial Apache Tomcat PMC be and hereby is tasked with the migration and rationalization of the Apache Jakarta PMC Tomcat subproject; and be it further

RESOLVED, that all responsibility pertaining to the Jakarta Tomcat sub-project and encumbered upon the Apache Jakarta PMC are hereafter discharged.

There was significant debate over the creation of the Tomcat Project, not so much regarding the project itself, but in the requested PMC Chair. By a vote of 5 YEA and 3 NAY, Special Order A, a Resolution to Establish the Apache Tomcat Project, was approved. Stefeno has the Action Item to create a list of expectations for the new Tomcat PMC Chair.
WHEREAS, the Board of Directors deems it to be in the best interests of the Foundation and consistent with the Foundation's purpose to establish a Project Management Committee charged with the creation and maintenance of open-source software related to the implementation of the Java Servlet and Java Server Pages specifications, for distribution at no charge to the public.

NOW, THEREFORE, BE IT RESOLVED, that a Project Management Committee (PMC), to be known as the "Apache Tomcat PMC", be and hereby is established pursuant to Bylaws of the Foundation; and be it further

RESOLVED, that the Apache Tomcat PMC be and hereby is responsible for the creation and maintenance of software related to creation and maintenance of open-source software related to the implementation of the Java Servlet and Java Server Pages specifications based on software licensed to the Foundation; and be it further

RESOLVED, that the office of "Vice President, Apache Tomcat" be and hereby is created, the person holding such office to serve at the direction of the Board of Directors as the chair of the Apache Tomcat PMC, and to have primary responsibility for management of the projects within the scope of responsibility of the Apache Tomcat PMC; and be it further

RESOLVED, that the persons listed immediately below be and hereby are appointed to serve as the initial members of the Apache Tomcat PMC:

Jean-Francois Arcand (jfarcand@apache.org)
Bill Barker (billbarker@apache.org)
Kin-man Chung (kinman@apache.org)
Jean-Frederic Clere (jfclere@apache.org)
Ian Darwin (idarwin@apache.org)
Tim Funk (funkman@apache.org)
Henri Gomez (hgomez@apache.org)
Filip Hanik (fhanik@apache.org)
Larry Isaacs (larryi@apache.org)
Jim Jagielski (jim@apache.org)
Jan Luehe (luehe@apache.org)
Costin Manolache (costin@apache.org)
Remy Maucherat (remm@apache.org)
Kurt Miller (truk@apache.org)
Glenn Nielsen (glenn@apache.org)
Amy Roh (amyroh@apache.org)
Peter Rossbach (pero@apache.org)
Yoav Shapira (yoavs@apache.org)
Mark Thomas (markt@apache.org)
Mladen Turk (mturk@apache.org)
Keith Wannamaker (keith@apache.org)

NOW, THEREFORE, BE IT FURTHER RESOLVED, that Remy Maucherat be appointed to the office of Vice President, Apache Tomcat, to serve in accordance with and subject to the direction of the Board of Directors and the Bylaws of the Foundation until death, resignation, retirement, removal or disqualification, or until a successor is appointed; and be it further

RESOLVED, that the initial Apache Tomcat PMC be and hereby is tasked with the creation of a set of bylaws intended to encourage open development and increased participation in the Apache Tomcat Project; and be it further

RESOLVED, that the initial Apache Tomcat PMC be and hereby is tasked with the migration and rationalization of the Apache Jakarta PMC Tomcat subproject; and be it further

RESOLVED, that all responsibility pertaining to the Jakarta Tomcat sub-project and encumbered upon the Apache Jakarta PMC are hereafter discharged.

Special Order B, a Resolution to Establish the Apache Tomcat Project, was tabled to allow the board to investigate some concerns.