
Formal board meeting minutes from 2010 through present. Please Note: The board typically approves minutes from one meeting during the next board meeting, so minutes will be published roughly one month later than the scheduled date. Other corporate records are published, as is an alternate categorized view of all board meeting minutes.


Tomcat

15 Mar 2017 [Mladen Turk / Isabel]

## Description:
 - A Java Servlet, JavaServer Pages, Java WebSocket and Java
   Unified Expression language specifications implementation.

## Issues:
 - There are no issues requiring board attention at this time

## Activity:
-  Continued healthy activity across multiple components and
   responsiveness on both dev and user lists.
-  TomcatCon has been organised to run alongside ApacheCon
   with 3 days of content in a single track dedicated to Apache Tomcat.
   The content has just been agreed. Next step marketing.

## PMC changes:

 - Currently 24 PMC members.
 - No new PMC members added in the last 3 months
 - Last PMC addition was Felix Schumacher on Mon Oct 26 2015

## Committer base changes:

 - Currently 43 committers.
 - Emmanuel Bourg was added as a committer on Fri Jan 20 2017

## Releases:

 - Apache Tomcat 7.0.75 was released on Tue Jan 24 2017
 - Apache Tomcat 8.0.41 was released on Tue Jan 24 2017
 - Apache Tomcat 8.5.11 was released on Mon Jan 16 2017
 - Apache Tomcat 9.0.0.M17 was released on Mon Jan 16 2017

## Trademark:
-  No new trademark issues in the last 3 months
   and there are currently no outstanding trademark issues that the
   Apache Tomcat PMC is working on.
-  Detailed history is available at:
   https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt

## Security:
 - Detailed status:
   http://tomcat.apache.org/security.html

 - Important: Information Disclosure CVE-2016-8745
   A bug in the error handling of the send file code for the NIO HTTP
   connector resulted in the current Processor object being added to
   the Processor cache multiple times.
   Affects: Apache Tomcat 7.0.0 to 7.0.73 and 8.0.0.RC1 to 8.0.39

21 Dec 2016 [Mladen Turk / Shane]

## Description:
  A Java Servlet, JavaServer Pages, Java WebSocket and Java
  Unified Expression language specifications implementation.

## Issues:
- There are no issues requiring board attention at this time

## Activity:
- Continued healthy activity across multiple components and
  responsiveness on both dev and user lists.

## PMC changes:
- Currently 24 PMC members.
- No new PMC members added in the last 3 months
- Last PMC addition was Felix Schumacher on Mon Oct 26 2015

## Committer base changes:
- Currently 42 committers.
- New committers:
   - Coty Sutherland was added as a committer on Fri Aug 26 2016
   - Huxing Zhang was added as a committer on Fri Aug 26 2016

## Releases:
- Apache Tomcat 6.0.47 was released on Oct 16 2016
- Apache Tomcat 6.0.48 was released on Nov 15 2016
- Apache Tomcat 7.0.72 was released on Sep 19 2016
- Apache Tomcat 7.0.73 was released on Nov 14 2016
- Apache Tomcat 8.0.38 was released on Oct 10 2016
- Apache Tomcat 8.0.39 was released on Nov 14 2016
- Apache Tomcat 8.5.6 was released on Oct 10 2016
- Apache Tomcat 8.5.8 was released on Nov 11 2016
- Apache Tomcat 8.5.9 was released on Dec 08 2016
- Apache Tomcat 9.0.0.M11 was released on Oct 10 2016
- Apache Tomcat 9.0.0.M13 was released on Nov 11 2016
- Apache Tomcat 9.0.0.M15 was released on Dec 08 2016
- Apache Tomcat Native 1.2.10 was released on Oct 05 2016
- Apache Tomcat Connectors 1.2.42 was released on Oct 05 2016

## Trademark:
Since our last report the Tomcat PMC dealt with the following trademark
issues:
- A minor issue with a github project that was renamed at our request
  from "Tomcat XXX" to "XXX for Tomcat".
- Some historical documentation for a product previously renamed from
  "Tomcat XXX" to "XXX for Tomcat" appeared in our regular search using
  the old name. The historical documentation was updated to use the
  correct form.
In both cases speedy resolution was aided by the fact that Tomcat PMC
members were involved in - or had close ties to - the projects
concerned.

The Tomcat PMC has decided not to pursue further a trademark issue outstanding
since 2008 since the project has been dormant for many years.

There are currently no outstanding trademark issues that the Tomcat PMC is
working on.

Detailed history is available at:
https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt

## Security:
 - Detailed status:
   http://tomcat.apache.org/security.html

There were some low impact vulnerabilities reported and fixed in Tomcat
(6.0.47, 7.0.72):
  - Low: Timing Attack CVE-2016-0762 The Realm Implementations used different
    amounts of time for authentication requests with or without a password
  - Low: Security Manager Bypass CVE-2016-5018 The SecurityManager could be
    bypassed
  - Low: System Property Disclosure CVE-2016-6794 System Properties could be
    read, that should have been protected by a SecurityManager
  - Low: Security Manager Bypass CVE-2016-6796 A configured SecurityManager
    could be bypassed
  - Low: Unrestricted Access to Global Resources CVE-2016-6797 Webapps could
    access global JNDI resources even when they were not explicitly
    configured for the Webapp
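The timing-attack item above describes a Realm that did measurably less work when no password was supplied. The following is an added illustration, not Tomcat's Realm code: a constructed username/hash store, a leaky authenticate with early returns beside one that always hashes and always compares (using MessageDigest.isEqual, which is constant-time in the JDK), so the time taken does not reveal whether the user exists or a password was sent. Class and method names are this example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;

// Constructed Realm-style authenticator (example code, not Tomcat's).
public class ConstantTimeRealm {

    private final Map<String, byte[]> users; // username -> SHA-256(password), constructed store
    private final byte[] dummyHash;          // compared against when the user is unknown

    public ConstantTimeRealm(Map<String, byte[]> users) {
        this.users = users;
        this.dummyHash = digest("dummy-password-for-unknown-users");
    }

    static byte[] digest(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    // Leaky pattern: the early returns skip the hash and the compare, so a request
    // without a password (or for an unknown user) is answered measurably faster.
    public boolean authenticateLeaky(String username, String password) {
        if (password == null) return false;
        byte[] stored = users.get(username);
        if (stored == null) return false;
        return MessageDigest.isEqual(stored, digest(password));
    }

    // Fixed pattern: always hash and always compare against something, so the
    // work done does not depend on the user existing or a password being present.
    public boolean authenticate(String username, String password) {
        byte[] stored = users.get(username);
        boolean userKnown = stored != null;
        byte[] expected = userKnown ? stored : dummyHash;
        byte[] supplied = digest(password == null ? "" : password);
        boolean match = MessageDigest.isEqual(expected, supplied);
        // Non-short-circuit '&' so every operand is evaluated every time.
        return userKnown & (password != null) & match;
    }

    public static void main(String[] args) {
        Map<String, byte[]> store = Map.of("alice", digest("correct horse"));
        ConstantTimeRealm realm = new ConstantTimeRealm(store);
        System.out.println(realm.authenticate("alice", "correct horse")); // true
        System.out.println(realm.authenticate("alice", "wrong"));         // false
        System.out.println(realm.authenticate("bob", "anything"));        // false
        System.out.println(realm.authenticate("alice", null));            // false
    }
}
```

The fix does not make authentication exactly constant-time (hash-table lookup and allocation still vary), but it removes the large, input-dependent difference between the "no password" and "full check" paths that the advisory describes.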
There were some important vulnerabilities reported and fixed in Tomcat
(6.0.48, 7.0.73, 8.0.39, 8.5.8, 8.5.9, 9.0.0.M13):
  - Important: Information Disclosure CVE-2016-6816 HTTP request line was not
    parsed correctly
  - Important: Denial of Service CVE-2016-6817 The HTTP/2 header parser could
    be tricked into an infinite loop
  - Important: Remote Code Execution CVE-2016-8735 The
    JmxRemoteLifecycleListener was vulnerable to a remote execution attack
  - Important: Information Disclosure CVE-2016-8745 When using NIO and
    sendfile requests could be shared between two concurrent threads, which led
    to possible information leakage

21 Sep 2016 [Mladen Turk / Brett]

## Description:
 Apache Tomcat is a Java Servlet, JavaServer Pages, Java WebSocket,
 Java Unified Expression language and Java Authentication Service
 Provider Interface for Containers specifications implementation.

## Issues:
 There are no issues requiring board attention at this time

## Activity:
 Continued healthy activity across multiple components and
 responsiveness on both dev and user lists.

## PMC changes:
 - Currently 24 PMC members.
 - No new PMC members added in the last 3 months
 - Last PMC addition was Felix Schumacher on Mon Oct 26 2015

## Committer base changes:
 - Currently 42 committers.
 - New committers:
   - Coty Sutherland was added as a committer on Fri Aug 26 2016
   - Huxing Zhang was added as a committer on Fri Aug 26 2016

## Releases:
 - Apache Tomcat 7.0.70 was released on Jun 19 2016
 - Apache Tomcat 8.0.37 was released on Sep 05 2016
 - Apache Tomcat 8.5.5 was released on Sep 05 2016
 - Apache Tomcat 9.0.0.M10 was released on Sep 05 2016

## Trademark:
 - Detailed status:
   https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt

## Security:
 - Detailed status:
   http://tomcat.apache.org/security.html

15 Jun 2016 [Mladen Turk / Isabel]

Apache Tomcat is a Java Servlet, JavaServer Pages, Java WebSocket, Java
Unified Expression language and Java Authentication Service Provider
Interface for Containers specifications implementation.

Issues:
There are no issues requiring board attention at this time

Activity:
- Continued healthy activity across multiple components and responsiveness
  on both dev and user lists.
- Three presentations on Tomcat were given at ApacheCon NA and a meetup one
  evening was held with about ten participants.
- A spate of Bugzilla spam was successfully blocked by the infra team.
- Currently five branches are actively maintained. This will be reduced to
  three sometime later this year as 8.0.x reaches EOL (replaced by 8.5.x)
  and 6.0.x will reach EOL at the end of this year.
- A roughly monthly release cycle is held up for 9.0.x, 8.5.x, 8.0.x and
  7.0.x and a roughly six monthly release cycle for 6.0.x.
- Open bugs (excluding enhancement requests and those where further
  information is required from the OP) are fixed before each release.
- There are three components where there is less activity.
  taglibs is dormant and it needs to be discussed whether it should be
  placed into Tomcat's attic.
  The Tomcat Maven Plugin needs committers. Currently it is only compatible
  with 7.0.x and lower.
  The connectors component is fairly mature but still sees bug reports and
  needs committers in order to address them.
- Discussion about inviting a new committer has started with no conclusion
  yet.

Tomcat 9 has a dependency on the Servlet 4 specification which is part
of Java EE 8. There has been much public discussion about the (lack of)
progress [1] of Java EE 8. We do not intend to let this slow down Tomcat
development. We continue to review the situation and take action as
necessary. For example, Tomcat 8.5.x was introduced to make HTTP/2 (and
other new features) available in a production quality release so users
weren't waiting for Tomcat 9.

PMC changes:
 - Currently 24 PMC members.
 - Last PMC addition was Felix Schumacher on Mon Oct 26 2015

Committer base changes:
 - Currently 40 committers.
 - Last committer addition was Martin Tzvetanov Grigorov at Tue Oct 27 2015

Releases:
 - Apache Tomcat 6.0.45 was released on Feb 10 2016
 - Apache Tomcat 7.0.69 was released on Apr 15 2016
 - Apache Tomcat 8.0.33 was released on Mar 24 2016
 - Apache Tomcat 8.0.35 was released on May 16 2016
 - Apache Tomcat 8.0.36 was released on Jun 13 2016
 - Apache Tomcat 8.5.0 (beta) was released on Mar 24 2016
 - Apache Tomcat 8.5.2 (beta) was released on May 16 2016
 - Apache Tomcat 8.5.3 was released on Jun 13 2016
 - Apache Tomcat 9.0.0.M4 was released on Mar 16 2016
 - Apache Tomcat 9.0.0.M6 was released on May 16 2016
 - Apache Tomcat 9.0.0.M8 was released on Jun 13 2016
 - Apache Tomcat Native 1.2.6 was released on Apr 26 2016
 - Apache Tomcat Native 1.2.7 was released on May 8 2016

Trademark:
  - Detailed status:
    https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt

Security:
  - Detailed status:
    http://tomcat.apache.org/security.html

16 Mar 2016 [Mladen Turk / Bertrand]

## Description:
   A Java Servlet, JavaServer Pages, Java WebSocket and Java
   Unified Expression language specifications implementation.

## Issues:
 - There are no issues requiring board attention at this time

## Activity:
 - Continued healthy activity across multiple components and
   responsiveness on both dev and user lists.

## PMC changes:

 - Currently 24 PMC members.
 - No new PMC members added in the last 3 months
 - Last PMC addition was Felix Schumacher on Mon Oct 26 2015

## Committer base changes:

 - Currently 40 committers.
 - No new committers added in the last 3 months
 - Last committer addition was Martin Tzvetanov Grigorov at Tue Oct 27 2015

## Releases:

 - Apache Tomcat 6.0.45 was released on Feb 10 2016
 - Apache Tomcat 7.0.67 was released on Dec 09 2015
 - Apache Tomcat 7.0.68 was released on Feb 15 2016
 - Apache Tomcat 8.0.32 was released on Feb 08 2016
 - Apache Tomcat 9.0.0.M3 was released on Feb 05 2016


## Mailing list activity:

 - TODO Please explain what the following statistics mean
   for the project. If there is nothing significant in the figures, omit this
   section.

 - users@tomcat.apache.org:
    - 3027 subscribers (up 6 in the last 3 months):
    - 1190 emails sent to list (1034 in previous quarter)

 - dev@tomcat.apache.org:
    - 855 subscribers (up 11 in the last 3 months):
    - 3126 emails sent to list (3585 in previous quarter)

 - announce@tomcat.apache.org:
    - 4033 subscribers (up 70 in the last 3 months):
    - 16 emails sent to list (6 in previous quarter)

 - taglibs-user@tomcat.apache.org:
    - 357 subscribers (down -2 in the last 3 months):
    - 2 emails sent to list (1 in previous quarter)


## Bugzilla Statistics:

 - 73 Bugzilla tickets created in the last 3 months
 - 89 Bugzilla tickets resolved in the last 3 months

## Trademark:
  - Detailed status:
    https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt

## Security:
  - Detailed status:
    http://tomcat.apache.org/security.html

20 Jan 2016 [Mladen Turk / Chris]

## Description:
   A Java Servlet, JavaServer Pages, Java WebSocket and Java
   Unified Expression language specifications implementation.

## Issues:
 - There are no issues requiring board attention at this time

## Activity:
 - Continued healthy activity across multiple components and
   responsiveness on both dev and user lists.
 - We have released a first milestone release of the current
   development branch (Tomcat 9.0.x).
 - We have started a regular Webinar series - one every two weeks.
   We do each Webinar twice (to try and cover as much of the world
   as possible) and make a recording available on YouTube.
   https://www.youtube.com/channel/UCpqpJ0-G1lYfUBQ6_36Au_g
   It is early days and we are still experimenting with various
   technical and organisational options to figure out what works best.
 - We have also started to gather known recordings of Tomcat related
   presentations on the project website.
   http://tomcat.apache.org/presentations.html
 - We are keeping a closer eye on our Twitter account and making sure
   we announce releases, Webinars etc via Twitter as well as the
   usual mailing lists.
 - Apache Tomcat Native project (a connector implementation for
   Tomcat based on APR/OpenSSL) development focus has switched to
   version 1.2.x, with the first 1.2.0 release in October 2015,
   up to 1.2.4 several days ago.

## Health report:
 - TODO - Please use this paragraph to elaborate on why
   the current project activity (mails, commits, bugs etc) is at its current
   level.

## PMC changes:

 - Currently 24 PMC members.
 - New PMC members:
    - Felix Schumacher was added to the PMC on Mon Oct 26 2015
    - Martin Grigorov was added to the PMC on Mon Oct 26 2015

## Committer base changes:

 - Currently 40 committers.
 - New committers:
    - Ognjen Blagojević was added as a committer on Fri Oct 23 2015
    - Martin Tzvetanov Grigorov was added as a committer on Tue Oct 27 2015

## Releases:

 - Apache Tomcat 9.0.0.M1 (alpha) was released on Thu Nov 19 2015
 - Apache Tomcat 8.0.30 was released on Sat Dec 05 2015
 - Apache Tomcat 8.0.29 was released on Tue Nov 24 2015
 - Apache Tomcat 8.0.28 was released on Mon Oct 12 2015
 - Apache Tomcat 8.0.27 was released on Thu Oct 01 2015
 - Apache Tomcat 7.0.67 was released on Wed Dec 09 2015
 - Apache Tomcat 7.0.65 was released on Sun Oct 18 2015
 - Apache Tomcat Native 1.2.4 was released on Mon Jan 11 2016
 - Apache Tomcat Native 1.2.3 was released on Tue Dec 15 2015
 - Apache Tomcat Native 1.2.2 was released on Mon Nov 09 2015
 - Apache Tomcat Native 1.2.0 was released on Wed Oct 28 2015
 - Apache Tomcat Native 1.1.34 was released on Tue Dec 15 2015


## Mailing list activity:

 - users@tomcat.apache.org:
    - 3023 subscribers (up 15 in the last 3 months):
    - 902 emails sent to list (1002 in previous quarter)

 - dev@tomcat.apache.org:
    - 850 subscribers (up 10 in the last 3 months):
    - 3472 emails sent to list (2399 in previous quarter)

 - taglibs-user@tomcat.apache.org:
    - 353 subscribers (down -1 in the last 3 months):
    - 1 emails sent to list (0 in previous quarter)

 - announce@tomcat.apache.org:
    - 3977 subscribers (up 72 in the last 3 months):
    - 9 emails sent to list (4 in previous quarter)

## Trademark:
  - Detailed status:
    https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt

16 Dec 2015 [Mladen Turk / Sam]

No report was submitted.

21 Oct 2015 [Mladen Turk / Shane]

This report from the Apache Tomcat PMC is being made at the recommendation of
V.P. Brand to support the Tomcat project's request for additional funding to
register our trademarks in the EU, India and China. This is in addition to our
registration in the US that is already in progress.

The funding required to meet this request is a one-off cost of $2,465.

The driver for this request is the desire of the Tomcat PMC to reduce the
ongoing impact of trademark infringements and to reduce the risk to the Tomcat
community of a future significant dispute over the project's marks.

The regions in this request for registration have been selected based on where
we see the greatest concentrations of the Tomcat community.

The board may think that since Tomcat has been in existence since 1999 that
the marks are well known and that there is no need to register the marks. The
Tomcat PMC strongly disagrees with this view. The longevity of the Tomcat
project means that a large eco-system of products has built up around Tomcat
and the size of that ecosystem increases, rather than decreases, the
likelihood of infringement.

The Tomcat PMC already has experience of handling multiple infringements of
the project's marks. We continue to be concerned about any infringement due to
the potential harm it could cause to the community. The risks to the community
include:
- Potential users of Tomcat put off by their poor experience or the poor
experience of others with a low quality product intended to be used with
Tomcat that, due to the infringing name, is assumed to be a product of the ASF
and therefore indicative of the quality of ASF products.
- Potential users of Tomcat drawn to other products because those products
provide similar functionality to Tomcat and use an infringing name which
(deliberately or not) confuses users into thinking they are using Tomcat when
they are not.
- Resolving infringements requires significant volunteer energy which is then
not available to support the community. This reduces the quality of community
support and thereby makes Tomcat less attractive.
- Specifically for China, that operates a first to register rather than first
to use system, there is a significant risk that another organisation registers
Tomcat. That would cause us all sorts of problems that would require large
amounts of volunteer energy to resolve as well as placing additional demands on
infrastructure.

All of these risks boil down to reducing the size of the Tomcat community and
diverting that community from developing, using and supporting Tomcat. The
smaller the community, the smaller the pool of contributors, the fewer of
those who will advance to committer and hopefully on to PMC member and ASF
member. The fewer committers and PMC members the community has, the greater
the risk to the long term survivability of the project.

To be clear, we are not saying that the Tomcat community is struggling to
survive under a flood of trademark infringements. We are saying the trademark
infringements have had, and continue to have, a negative impact on the project
and that registering our marks would reduce the ongoing impact and reduce the
risk of a future, more significant, trademark dispute.

It is also worth pointing out (with the notable exception of China) that
registration is not required in order to successfully resolve a trademark
dispute. However, as we explain later, registration does reduce the likelihood
of infringement and simplifies the process of resolution. Where the infringer
contests the issue, registration significantly reduces the time and cost of
resolution.

To date, the Tomcat PMC has resolved disputes using one of the following
paths:

1) A polite request to the product owners to change the name with which they
happily complied.
2) As 1) but the product owner had gone AWOL. In such cases the company
hosting the product (e.g. Apple, Google etc.) had to be approached to request
that the product is taken down.
3) A polite request to the product owners which is met with a "That trademark
isn't registered. I can do what I like." response. The PMC then has to take
the time to educate them that this is not the case and, eventually, the
product name is changed.
4) A large(ish) corporation has a commercial product based on Tomcat and the
sales/marketing team are keen to emphasise this to sell their product based on
Tomcat's reputation. This normally results in multiple small to medium
infringements over a long period of time. It has been resolved by an ongoing
engagement by the PMC with the infringing company to educate as to what is
allowed and to encourage the company to put processes in place to reduce /
eliminate future infringing. Depending on the frequency and seriousness of the
infringements, support from V.P. Brand / ASF lawyers may be requested to get
the message across to more senior figures.

1) Is easy to fix and not a great drain on the project since it only takes a
few minutes to send a polite e-mail.

2) Depends a lot on the hosting company. Some are easier to work with than
others. Resolving these usually takes a couple of hours.

3) We have had several of these and they can take up a fair amount of
volunteer time (days) to resolve.

4) We have only had one of these but it took weeks of volunteer time and
support from V.P. Brand to resolve. It also requires ongoing monitoring to
ensure that the issue remains resolved.


The benefits to the Tomcat PMC of registering our marks are as follows:
- less volunteer energy required to resolve 'simple' infringements since a
registered mark negates the whole "But that mark isn't registered"
counter-argument;
- less volunteer energy required to resolve 'simple' infringements since a
registered mark simplifies the trademark infringement reporting process for
most large 'hosting' providers (e.g. Google, Apple, etc.)
- fewer corporate infringements (and hence less volunteer energy required to
resolve them) since a registered mark will appear in the searches performed
when selecting product names and corporations tend to give registered marks a
wider berth than unregistered ones;
- significantly reduces the potential for us to lose the right to use the
project's marks in China;
- should an infringer refuse to stop their infringement (we haven't had this
happen yet but it feels like only a matter of time) a registered mark greatly
simplifies the resolution process (and makes it a lot less expensive).

On that last point, there have been a couple of occasions where it felt like
it was 50/50 whether the infringing party was going to stop the infringement.
Fortunately, so far, continued dialogue has resulted in the right outcome.
However, it does feel like only a matter of time before an infringer refuses to
stop their infringement. Having the marks registered before that happens will
save us both time and money in that case.

The Apache Tomcat PMC

16 Sep 2015 [Mladen Turk / Brett]

## Description:
   A Java Servlet, JavaServer Pages, Java WebSocket and Java
   Unified Expression language specifications implementation.

## Activity:
 - Continued healthy activity across multiple components and
   responsiveness on both dev and user lists.
 - We hope to have a milestone release of the current development
   branch (Tomcat 9.0.x) later in the autumn once HTTP/2 support
   has progressed.

## Issues:
 - There are no issues requiring board attention at this time

## PMC/Committership changes:

 - Currently 38 committers and 22 LDAP committee group members.
 - No new LDAP committee group members added in the last 3 months
 - Last LDAP committee group addition was Jeremy Boynes at Fri Mar 06 2015
 - No new committers added in the last 3 months
 - Last committer addition was André Warnier at Fri Jan 02 2015

## Releases:

 - Apache Tomcat 8.0.24 was released on Mon Jul 06 2015
 - Apache Tomcat 8.0.26 was released on Fri Aug 21 2015
 - Apache Tomcat 7.0.64 was released on Mon Aug 24 2015
 - Apache Tomcat 7.0.63 was released on Sun Jul 05 2015
 - Apache Tomcat Connectors 1.2.41 was released on Tue Aug 11 2015

## Mailing list activity:

 - users@tomcat.apache.org:
    - 3009 subscribers (up 1 in the last 3 months):
    - 1063 emails sent to list (1452 in previous quarter)

 - dev@tomcat.apache.org:
    - 833 subscribers (down -10 in the last 3 months):
    - 3099 emails sent to list (4361 in previous quarter)

 - taglibs-user@tomcat.apache.org:
    - 353 subscribers (up 1 in the last 3 months):
    - 0 emails sent to list (1 in previous quarter)

 - announce@tomcat.apache.org:
    - 3861 subscribers (up 110 in the last 3 months):
    - 5 emails sent to list (11 in previous quarter)


## Trademark:
  - Detailed status:
    https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt
  - We have started the process to register Tomcat as a trademark in the US,
    EU, India and China. We have also requested the registration of "Tomcat"
    as a service in the US.

17 Jun 2015 [Mladen Turk / Jim]

## Description:
   A Java Servlet, JavaServer Pages, Java WebSocket and Java
   Unified Expression language specifications implementation.

## Activity:
 - Continued healthy activity across multiple components and
   responsiveness on both dev and user lists.
 - We announced that End-Of-Life for the Apache Tomcat 6.0.x
   series will be 31 December 2016.
 - We hope to have a milestone release of the current development
   branch (Tomcat 9.0.x) later in the summer once HTTP/2 support
   has progressed.

## Issues:
 - There are no issues requiring board attention at this time

## PMC/Committership changes:

 - Currently 38 committers and 22 PMC members in the project.
 - No new PMC members added in the last 3 months
 - Last PMC addition was Jeremy Boynes at Fri Mar 06 2015
 - No new committers added in the last 3 months
 - Last committer addition was André Warnier at Fri Jan 02 2015

## Releases:

 - Apache Tomcat 8.0.23 was released on Fri May 22 2015
 - Apache Tomcat 8.0.22 was released on Tue May 05 2015
 - Apache Tomcat 7.0.62 was released on Wed May 13 2015
 - Apache Tomcat 7.0.61 was released on Mon Apr 06 2015
 - Apache Tomcat 6.0.44 was released on Tue May 12 2015
 - Apache Tomcat Native 1.1.33 was released on Mon Mar 23 2015

## Mailing list activity:

 - users@tomcat.apache.org:
    - 3006 subscribers (up 31 in the last 3 months):
    - 1441 emails sent to list (1377 in previous quarter)

 - dev@tomcat.apache.org:
    - 839 subscribers (down -13 in the last 3 months):
    - 4165 emails sent to list (5043 in previous quarter)

 - taglibs-user@tomcat.apache.org:
    - 352 subscribers (up 2 in the last 3 months):
    - 1 emails sent to list (5 in previous quarter)

 - announce@tomcat.apache.org:
    - 3755 subscribers (up 117 in the last 3 months):
    - 11 emails sent to list (7 in previous quarter)


## Trademark:
  - Detailed status:
    https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt
  - We have started the process to register Tomcat as a trademark in the US,
    EU, India and China. We have also requested the registration of "Tomcat"
    as a service in the US.

18 Mar 2015 [Mladen Turk / Bertrand]

## Description:
   A Java Servlet and JavaServer Pages specifications implementation.

## Activity:
 - Continued healthy activity across multiple components and
   responsiveness on both dev and user lists.
 - There was lots of development activity on Apache Tomcat 7
   and Apache Tomcat 8.
 - Preparation work for Tomcat 9 is under way.
 - Continuing maintenance work on Apache Standard Taglib
   (an implementation of JavaServer Pages Standard Tag Library (JSTL) 1.2).
   A security and bug fix release was performed.

## Issues:
 - There are no issues requiring board attention at this time

## PMC/Committership changes:

 - Currently 38 committers and 22 PMC members in the project.
 - Yoav Shapira requested to step down from his PMC membership
   and went emeritus
 - Jeremy Boynes was added to the PMC on Fri Mar 06 2015
 - André Warnier was added as a committer on Fri Jan 02 2015

## Releases:
  - Apache Tomcat 8.0.20 - 2015-02-20
  - Apache Tomcat 8.0.19 (not released)
  - Apache Tomcat 8.0.18 - 2015-01-26
  - Apache Tomcat 8.0.17 - 2015-01-16
  - Apache Tomcat 8.0.16 (not released)
  - Apache Tomcat 8.0.15 - 2014-11-07
  - Apache Tomcat 8.0.14 - 2014-09-29
  - Apache Tomcat 8.0.13 (not released)
  - Apache Tomcat 7.0.59 - 2015-02-04
  - Apache Tomcat 7.0.58 (not released)
  - Apache Tomcat 7.0.57 - 2014-11-11
  - Apache Tomcat 7.0.56 - 2014-10-06
  - Apache Tomcat 6.0.43 - 2014-11-22
  - Apache Tomcat Native 1.1.32 - 2014-10-23
  - Apache Standard Taglib 1.2.2 (not released)
  - Apache Standard Taglib 1.2.3 - 2015-02-20

## Mailing list activity:

 - users@tomcat.apache.org:
    - 2978 subscribers (up 8 in the last 3 months):
    - 1411 emails sent to list (1284 in previous quarter)

 - dev@tomcat.apache.org:
    - 853 subscribers (down -5 in the last 3 months):
    - 4974 emails sent to list (4943 in previous quarter)

 - taglibs-user@tomcat.apache.org:
    - 350 subscribers (down -9 in the last 3 months):
    - 5 emails sent to list (13 in previous quarter)

 - announce@tomcat.apache.org:
    - 3631 subscribers (up 131 in the last 3 months):
    - 7 emails sent to list (8 in previous quarter)

## Security:
  - Important: Request Smuggling CVE-2014-0227
    It was possible to craft a malformed chunk as part of a chunked
    request that caused Tomcat to read part of the request body as a new
    request. Announced 2015-02-09
  - Important: XXE and RCE via XSL extension in JSTL XML tags CVE-2015-0254
    When an application uses <x:parse> or <x:transform> JSTL tags to
    process untrusted XML documents, a request may utilize external entity
    references to access resources on the host system or utilize XSLT
    extensions that may allow remote execution. Announced 2015-02-27
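The CVE-2015-0254 item above combines two failure modes in JAXP: external entity resolution during parsing and extension functions during XSLT. The following is an added example, not Apache Standard Taglib's own code, of how an application that must process untrusted XML and stylesheets configures the JDK's DocumentBuilderFactory and TransformerFactory defensively. The feature URIs are the standard Xerces/JAXP ones; the class and method names, and the constructed input with an entity pointing at a placeholder file URL, are this example's own.

```java
import java.io.IOException;
import java.io.StringReader;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerConfigurationException;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamSource;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// Constructed JAXP hardening example (not taglib or Tomcat code).
public final class HardenedXml {

    public static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE: no internal or external entity declarations can reach the parser.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Defence in depth for parsers that tolerate a DOCTYPE: never resolve external entities.
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f.newDocumentBuilder();
    }

    public static TransformerFactory hardenedTransformerFactory() throws TransformerConfigurationException {
        TransformerFactory tf = TransformerFactory.newInstance();
        // Secure processing disables XSLT extension functions and elements, the code-execution path.
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        // Neither the stylesheet nor document() may fetch external DTDs or stylesheets.
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    public static Document parseUntrusted(String xml)
            throws ParserConfigurationException, SAXException, IOException {
        return hardenedBuilder().parse(new InputSource(new StringReader(xml)));
    }

    public static void main(String[] args) throws Exception {
        // Constructed input declaring an external entity against a placeholder URL.
        String hostile = "<!DOCTYPE x [<!ENTITY e SYSTEM \"file:///placeholder/local-file\">]><x>&e;</x>";
        try {
            parseUntrusted(hostile);
            System.out.println("parsed (unexpected)");
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage()); // DOCTYPE is disallowed
        }
        Document ok = parseUntrusted("<x>hello</x>");
        System.out.println(ok.getDocumentElement().getTextContent()); // hello

        // A plain stylesheet still compiles under the hardened factory.
        Transformer t = hardenedTransformerFactory().newTransformer(new StreamSource(new StringReader(
                "<xsl:stylesheet version=\"1.0\" xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\">"
              + "<xsl:template match=\"/\"><out><xsl:value-of select=\"/x\"/></out></xsl:template>"
              + "</xsl:stylesheet>")));
        System.out.println(t != null); // true
    }
}
```

Disallowing the DOCTYPE outright is the simplest effective control when the application never needs DTDs; the remaining feature flags only matter for parsers or configurations where a DOCTYPE must be accepted.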


## Trademark:
  - Detailed status:
    https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt
  - We have started the process to register Tomcat as a trademark in the US
    and are considering making a request to do the same in the EU.
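The request smuggling item in this report's Security section, and the malformed chunk size and Content-Length overflow items in the 2014 reports below, all concern HTTP/1.1 body framing: a length that is parsed leniently, or that silently overflows, lets sender and receiver disagree about where a body ends. The following is an added example, not Tomcat's connector code, of strict parsing for both lengths plus a chunked decoder that aborts on any framing error rather than resynchronising. Class and method names and the constructed sample bodies are this example's own.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;

// Constructed example of strict HTTP/1.1 length and chunk framing checks; not Tomcat code.
public final class StrictLengthParser {

    private StrictLengthParser() {}

    /** Content-Length: digits only, no sign or whitespace, and no silent overflow. */
    public static long parseContentLength(String value) {
        if (value == null || value.isEmpty()) throw new IllegalArgumentException("empty Content-Length");
        long result = 0;
        for (int i = 0; i < value.length(); i++) {
            int d = value.charAt(i) - '0';
            if (d < 0 || d > 9) throw new IllegalArgumentException("non-digit in Content-Length");
            // Check before accumulating: result * 10 + d must not exceed Long.MAX_VALUE.
            if (result > (Long.MAX_VALUE - d) / 10) throw new IllegalArgumentException("Content-Length overflows");
            result = result * 10 + d;
        }
        return result;
    }

    /** chunk-size line such as "1a" or "1A;name=value"; extensions are dropped, not validated. */
    public static long parseChunkSize(String line, long maxChunk) {
        int ext = line.indexOf(';');
        String hex = ext >= 0 ? line.substring(0, ext) : line;
        if (hex.isEmpty()) throw new IllegalArgumentException("empty chunk-size");
        long size = 0;
        for (int i = 0; i < hex.length(); i++) {
            int d = Character.digit(hex.charAt(i), 16);
            if (d < 0) throw new IllegalArgumentException("non-hex chunk-size");
            if (size > (Long.MAX_VALUE - d) / 16) throw new IllegalArgumentException("chunk-size overflows");
            size = size * 16 + d;
            // Enforce the limit inside the loop so a long run of digits cannot exceed it.
            if (size > maxChunk) throw new IllegalArgumentException("chunk-size exceeds limit");
        }
        return size;
    }

    /** Decodes an in-memory chunked body; any framing error aborts the request. */
    public static byte[] dechunk(byte[] body, long maxTotal) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        int pos = 0;
        while (true) {
            int eol = indexOfCrlf(body, pos);
            if (eol < 0) throw new IllegalArgumentException("chunk-size line not terminated");
            String line = new String(body, pos, eol - pos, StandardCharsets.US_ASCII);
            long size = parseChunkSize(line, maxTotal);
            pos = eol + 2;
            if (size == 0) {
                // last-chunk must be followed by the terminating empty line (trailers not handled here).
                if (!crlfAt(body, pos)) throw new IllegalArgumentException("missing final CRLF");
                return out.toByteArray();
            }
            if (out.size() + size > maxTotal) throw new IllegalArgumentException("body exceeds limit");
            if (pos + size + 2 > body.length) throw new IllegalArgumentException("truncated chunk");
            out.write(body, pos, (int) size);
            pos += (int) size;
            // The data must be followed by exactly CRLF; anything else means sender and receiver
            // disagree about where the chunk ends, which is how leftover bytes become a new request.
            if (!crlfAt(body, pos)) throw new IllegalArgumentException("chunk data not followed by CRLF");
            pos += 2;
        }
    }

    private static int indexOfCrlf(byte[] b, int from) {
        for (int i = from; i + 1 < b.length; i++) {
            if (b[i] == '\r' && b[i + 1] == '\n') return i;
        }
        return -1;
    }

    private static boolean crlfAt(byte[] b, int at) {
        return at + 1 < b.length && b[at] == '\r' && b[at + 1] == '\n';
    }

    public static void main(String[] args) {
        byte[] good = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n".getBytes(StandardCharsets.US_ASCII);
        System.out.println(new String(dechunk(good, 1 << 20), StandardCharsets.US_ASCII)); // Wikipedia
        byte[] bad = "4\r\nWikipedia\r\n0\r\n\r\n".getBytes(StandardCharsets.US_ASCII); // size understates data
        try {
            dechunk(bad, 1 << 20);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        try {
            parseContentLength("99999999999999999999"); // larger than Long.MAX_VALUE
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The two design points a connector implementer would take from this: check for overflow before each multiply-add rather than after, and treat a byte that is not CRLF after chunk data as a fatal protocol error for the connection, never as something to skip past.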

18 Feb 2015 [Mladen Turk / Greg]

No report was submitted.

21 Jan 2015 [Mladen Turk / Doug]

No report was submitted.

17 Dec 2014 [Mladen Turk / Greg]

No report was submitted.

17 Sep 2014 [Mladen Turk / Greg]

General:
 Continued healthy activity across multiple components and
 responsiveness on both dev and user lists.

Issues:
 The Apache Tomcat PMC continues to monitor the progress of the
 discussions with Oracle regarding regaining access to the TCKs.
 After a brief burst of activity at the end of April / beginning
 of May this appears to have stalled again.

Releases:
 * Apache Tomcat 8.0.9 - stable, 2014-06-26
 * Apache Tomcat 8.0.10 (not released)
 * Apache Tomcat 8.0.11 - 2014-08-26
 * Apache Tomcat 8.0.12 - 2014-09-06
 * Apache Tomcat 7.0.55 - 2014-07-29
 * Apache Tomcat Native 1.1.31 - 2014-07-08

Development:
 There was lots of development activity on Apache Tomcat 7
 and Apache Tomcat 8. We had the first stable release of Apache
 Tomcat 8.

Community:
 Ian Darwin requested to step down from his PMC membership and
 went emeritus.

Security:
 CVE-2013-4444 - Important: Remote Code Execution
 In very limited circumstances, it was possible for an attacker
 to upload a malicious JSP to a Tomcat server and then trigger
 the execution of that JSP. While Remote Code Execution would
 normally be viewed as a critical vulnerability, the circumstances
 under which this is possible are, in the view of the Tomcat
 security team, sufficiently limited that this vulnerability is
 viewed as important.


Trademark:
 Detailed status:
 https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt

18 Jun 2014 [Mladen Turk / Ross]

General:
  Continued healthy activity across multiple components and
  responsiveness on both dev and user lists.

Issues:
  The Apache Tomcat PMC continues to monitor the progress of the
  discussions with Oracle regarding regaining access to the TCKs.
  After a brief burst of activity at the end of April / beginning
  of May this appears to have stalled again.

Releases:
  * Apache Tomcat 8.0.4 (not released)
  * Apache Tomcat 8.0.5 - beta, 2014-03-27
  * Apache Tomcat 8.0.6 (not released)
  * Apache Tomcat 8.0.7 (not released)
  * Apache Tomcat 8.0.8 - beta, 2014-05-21
  * Apache Tomcat 7.0.53 - 2014-03-30
  * Apache Tomcat 7.0.54 - 2014-05-22
  * Apache Tomcat 6.0.40 (not released)
  * Apache Tomcat 6.0.41 - 2014-05-23
  * Apache Tomcat Connectors 1.2.40 - 2014-04-15
  * Apache Tomcat Native 1.1.30 - 2014-04-15

Development:
  There was lots of development activity on Apache Tomcat 7
  and Apache Tomcat 8.

Community:
  There were no changes in community since the last report.
  A problematic user who persistently (over several years)
  refused to improve their interactions with the community was
  unsubscribed from the users list and blocked from resubscribing
  after all other attempts at addressing the issues failed.

Security:
 * CVE-2014-0075 - Important: Denial of Service
   It was possible to craft a malformed chunk size as part of a
   chunked request that enabled an unlimited amount of data to
   be streamed to the server, bypassing the various size limits
   enforced on a request. This enabled a denial of service attack.
 * CVE-2014-0096 - Important: Information disclosure
   The default servlet allows web applications to define
   (at multiple levels) an XSLT to be used to format a directory
   listing. When running under a security manager, the processing
   of these was not subject to the same constraints as the web
   application. This enabled a malicious web application to bypass
   the file access constraints imposed by the security manager via
   the use of external XML entities.
 * CVE-2014-0099 - Important: Information disclosure
   The code used to parse the request content length header did not
   check for overflow in the result. This exposed a request
   smuggling vulnerability when Tomcat was located behind a reverse
   proxy that correctly processed the content length header.
 * CVE-2014-0119 - Low: Information Disclosure
   In limited circumstances it was possible for a malicious web
   application to replace the XML parsers used by Tomcat to
   process XSLTs for the default servlet, JSP documents, tag
   library descriptors (TLDs) and tag plugin configuration files.
   The injected XML parser(s) could then bypass the limits
   imposed on XML external entities and/or have visibility of
   the XML files processed for other web applications deployed
   on the same Tomcat instance.
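The two length-parsing flaws above (CVE-2014-0075, chunk size; CVE-2014-0099, Content-Length overflow) come down to arithmetic that wraps instead of failing. The following is an added example and not Tomcat's own parsing code: it shows the naive accumulation pattern next to a checked parser that rejects overflow and, for chunk-size lines, bounds the chunk extension; the sample header values are constructed.

```java
import java.util.OptionalLong;

/**
 * Added example, not Tomcat's own code. Shows why naive digit accumulation
 * wraps silently on large values and how a checked parser rejects them so
 * that a reverse proxy and the backend agree on the body length.
 */
public final class StrictLengthParsing {

    private StrictLengthParsing() {}

    /** Naive accumulation: the pattern that wraps to a negative number on overflow. */
    static long naiveContentLength(String value) {
        long result = 0;
        for (int i = 0; i < value.length(); i++) {
            int digit = Character.digit(value.charAt(i), 10);
            if (digit < 0) {
                return -1;
            }
            result = result * 10 + digit;   // silently overflows past Long.MAX_VALUE
        }
        return result;
    }

    /**
     * Strict Content-Length parse: digits only, no sign, no whitespace, and
     * every intermediate step checked for overflow. An empty result means
     * "reject the request", which is what a correct front-end proxy does for
     * the same value, so there is no disagreement to smuggle through.
     */
    static OptionalLong parseContentLength(String value) {
        if (value == null || value.isEmpty()) return OptionalLong.empty();
        long result = 0;
        for (int i = 0; i < value.length(); i++) {
            int digit = Character.digit(value.charAt(i), 10);
            if (digit < 0) return OptionalLong.empty();
            try {
                result = Math.addExact(Math.multiplyExact(result, 10L), digit);
            } catch (ArithmeticException overflow) {
                return OptionalLong.empty();
            }
        }
        return OptionalLong.of(result);
    }

    /**
     * Strict chunk-size parse for the first line of a chunk. The size is hex,
     * optionally followed by ';' and chunk extensions; the extensions are not
     * interpreted here but their length is bounded. Overflow, missing digits
     * and non-hex characters are all rejected.
     */
    static OptionalLong parseChunkSize(String line, int maxExtensionLength) {
        int semicolon = line.indexOf(';');
        String hex = semicolon < 0 ? line : line.substring(0, semicolon);
        String ext = semicolon < 0 ? "" : line.substring(semicolon + 1);
        if (ext.length() > maxExtensionLength) return OptionalLong.empty();
        if (hex.isEmpty()) return OptionalLong.empty();
        long result = 0;
        for (int i = 0; i < hex.length(); i++) {
            int digit = Character.digit(hex.charAt(i), 16);
            if (digit < 0) return OptionalLong.empty();
            try {
                result = Math.addExact(Math.multiplyExact(result, 16L), digit);
            } catch (ArithmeticException overflow) {
                return OptionalLong.empty();
            }
        }
        return OptionalLong.of(result);
    }

    public static void main(String[] args) {
        // Constructed inputs: one past Long.MAX_VALUE, and an ordinary value.
        String tooBig = "9223372036854775808";
        System.out.println("naive  : " + naiveContentLength(tooBig));   // negative: wrapped
        System.out.println("strict : " + parseContentLength(tooBig));   // OptionalLong.empty
        System.out.println("strict : " + parseContentLength("1024"));   // OptionalLong[1024]

        // Constructed chunk-size lines: sixteen 'f' digits overflow a signed long.
        System.out.println("chunk  : " + parseChunkSize("ffffffffffffffff", 64)); // empty
        System.out.println("chunk  : " + parseChunkSize("1a;name=value", 64));    // 26
    }
}
```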

Trademark:
  Detailed status:
  https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt
  Registered interest with V.P. Brand in registering Tomcat and Apache
  Tomcat. Waiting to hear from V.P. Brand on what the next
  steps will be.

19 Mar 2014 [Mladen Turk / Chris]

  General:
  Continued healthy activity across multiple components and
  responsiveness on both dev and user lists.

Issues:
  There are no issues requiring Board attention at this time.

Releases:
  * Apache Tomcat 8.0.0-RC10 - alpha, 2013-12-26
  * Apache Tomcat 8.0.1 - beta, 2014-02-02
  * Apache Tomcat 8.0.2 (not released)
  * Apache Tomcat 8.0.3 - beta, 2014-02-11
  * Apache Tomcat 7.0.48 (not released)
  * Apache Tomcat 7.0.49 (not released)
  * Apache Tomcat 7.0.50 - 2014-01-08
  * Apache Tomcat 7.0.51 (not released)
  * Apache Tomcat 7.0.52 - 2014-02-17
  * Apache Tomcat 6.0.38 (not released)
  * Apache Tomcat 6.0.39 - 2014-01-31
  * Apache Tomcat Connectors 1.2.38 (not released)
  * Apache Tomcat Connectors 1.2.39 - 2014-03-11
  * Apache Standard Taglib 1.2.0 (not released)
  * Apache Standard Taglib 1.2.1 - 2014-01-02

Development:
  There was lots of development activity on Apache Tomcat 7
  and Apache Tomcat 8. Recently some work has been done on
  the new NIO2 connector.
  There was the first release of Apache Standard Taglib 1.2, an
  implementation of JSTL 1.2 (JSR 052). It is the first release
  of a tag library since the Apache Taglibs project migrated from
  Apache Jakarta to Apache Tomcat several years ago, and the
  first release that implements the JSTL 1.2 specification.

Community:
  There were no changes in community since the last report.
  We have organised a day long Tomcat Summit for ApacheCon.
  Topics for discussion are currently based around future development
  direction but any attendee is welcome to add their own topic(s).

Security:
 * CVE-2013-2067 - Important: Session fixation
   FORM authentication associates the most recent request
   requiring authentication with the current session.
   By repeatedly sending a request for an authenticated
   resource while the victim is completing the login form,
   an attacker could inject a request that would be executed
   using the victim's credentials.
 * CVE-2013-2071 - Moderate: Information disclosure
   Bug 54178 described a scenario where elements of a previous
   request may be exposed to a current request. This was very
   difficult to exploit deliberately but fairly likely to happen
   unexpectedly if an application used AsyncListeners that
   threw RuntimeExceptions.
 * CVE-2013-4590 - Low: Information disclosure
   Application provided XML files such as web.xml, context.xml,
   .tld, .tagx and .jspx allowed XXE which could be used to
   expose Tomcat internals to an attacker. This vulnerability
   only occurs when Tomcat is running web applications from untrusted
   sources such as in a shared hosting environment.
 * CVE-2013-4322 - Important: Denial of service
   The fix for CVE-2012-3544 was not complete.
   It did not cover the following cases:
   chunk extensions were not limited
   whitespace after the : in a trailing header was not limited
 * CVE-2014-0050 - Important: Denial of Service
   It was possible to craft a malformed Content-Type header for
   a multipart request that caused Apache Tomcat to enter an
   infinite loop. A malicious user could, therefore, craft a
   malformed request that triggered a denial of service.

Trademark:
  Detailed status:
  https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt
  We have received a request from Canonical to use the Tomcat logo to
  identify their Tomcat installation bundle for JuJu, their virtualised
  platform. We intend to grant them permission to do so (with some
  constraints).

18 Dec 2013 [Mladen Turk / Sam]

  General:
  Continued healthy activity across multiple components and
  responsiveness on both dev and user lists.

Issues:
  There are no issues requiring Board attention at this time.

Releases:
 * Apache Tomcat 8.0.0-RC2 (not released)
 * Apache Tomcat 8.0.0-RC3
 * Apache Tomcat 8.0.0-RC4 (not released)
 * Apache Tomcat 8.0.0-RC5
 * Apache Tomcat 7.0.43 (not released)
 * Apache Tomcat 7.0.44 (not released)
 * Apache Tomcat 7.0.45 (not released)
 * Apache Tomcat 7.0.46 (not released)
 * Apache Tomcat 7.0.47
 * Apache Tomcat Maven Plugin 2.2.0
 * Apache Tomcat Native 1.1.28
 * Apache Tomcat Native 1.1.29


Development:
  There was lots of development activity on Apache Tomcat 7
  and Apache Tomcat 8 release candidate.

Community:
  Konstantin Preißer has been voted in as a new Apache Tomcat committer.
  Violeta Georgieva and Christopher Schultz have been voted as
  new Apache Tomcat PMC members.

Security:
  There were no publicly disclosed security issues from
  the last Board report.

Trademark:
  There are no pending trademark issues which would require board's
  attention at this time.

18 Sep 2013 [Mladen Turk / Brett]

  General
  Continued healthy activity across multiple components and
  responsiveness on both dev and user lists.

Issues
  In our last report we raised an issue about being unable to
  access latest TCKs for the Servlet, JSP, EL and WebSocket
  specifications. It is our understanding that there is an
  ongoing discussion with Oracle on this subject. We have now
  released the first Tomcat 8 Release Candidate and access to
  the TCKs would benefit future releases.
  What is the status of the discussions with Oracle, when do
  you expect those discussions to conclude and is there a view
  of what the outcome of the discussion is likely to be?

Releases
 * Apache Tomcat 8.0.0-RC1
 * Apache Tomcat 7.0.42

Development
  There was lots of development activity on Apache Tomcat 7
  and Apache Tomcat 8 release candidate.
  With Apache Tomcat 8, support is added for the Java WebSocket
  specification. This adds to the Servlet, JSP and Unified
  Expression Language specifications already supported.
  Java WebSocket support has also been back-ported to Tomcat 7.
  There is also some development to enable IPV6 support for mod_jk.
  One of our contributors has been doing great work improving the
  look of our documentation and web site. The updated main website
  has been rolled out and the documentation will be updated as new
  releases are made.

Community
  There were no changes in community membership.

Security
  There were no publicly disclosed security issues from
  the last Board report.

Trademark
  Detailed status:
  https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt
  There are no pending trademark issues which would require board's
  attention at this time.

AI: Sam follow up regarding TCKs.

19 Jun 2013 [Mladen Turk / Shane]

  General:
  Continued healthy activity across multiple components and
  responsiveness on both dev and user lists.

Issues:
  We are currently unable to access the latest TCKs for the
  Servlet, JSP, EL and WebSocket specifications pending the
  ASF's ongoing discussion with Oracle regarding TCK renewal.
  This means we are unable to test Tomcat 8 against these
  specifications and provide the assurance (that many of our
  users look for) that Tomcat 8 has passed the TCKs. This is
  not an immediate concern but will become increasingly
  important as we approach the first release of Tomcat 8
  (probably later this year).

Releases:
 * Apache Tomcat 7.0.41
 * Apache Tomcat 7.0.40
 * Apache Tomcat 7.0.39
 * Apache Tomcat 7.0.38
 * Apache Tomcat 6.0.37

Development:
  There was lots of development activity on Apache Tomcat 7
  and forthcoming Apache Tomcat 8 release.

Community:
  Konstantin Kolinko has been voted in as an Apache Software Foundation
  member. Besides that, there were no changes in community
  membership.

Security:
 * CVE-2013-2071 - Moderate: Information disclosure
   Fixes a scenario where elements of a previous request may be
   exposed to a current request.
 * CVE-2013-2067 - Important: Session fixation
   FORM authentication associates the most recent request requiring
   authentication with the current session.
   This issue was identified by the Tomcat security team on
   15 Oct 2012 and made public on 10 May 2013.

Trademark:
  Detailed status:
  https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt
  There are no pending trademark issues which would require board's
  attention at this time.

20 Mar 2013 [Mladen Turk / Bertrand]

  General
  Continued healthy activity across multiple components and
  responsiveness on both dev and user lists.

Issues
  There are no issues requiring Board attention at this time.

Releases
 * Apache Tomcat 7.0.37
 * Apache Tomcat 7.0.36
 * Apache Tomcat 7.0.35
 * Apache Tomcat Native 1.1.27
 * Apache Tomcat 5.5.36
 * Apache Tomcat Maven Plugin 2.1.0

Development
  There was lots of development activity on Apache Tomcat 7
  and forthcoming Apache Tomcat 8 release.

Community
  Violeta Georgieva has been voted in as a new Tomcat committer.
  Added comments.apache.org to TC 7 live docs to improve user
  community interaction.

Security
  We are working on a number of other non-critical security issues
  which will be disclosed with future releases.

Trademark
  Detailed status
  https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt
  There are no pending trademark issues which would require board's
  attention at this time.

19 Dec 2012 [Mladen Turk / Jim]

General:
Continued healthy activity across multiple components and
responsiveness on both dev and user lists.

Issues:
The Tomcat PMC is concerned about the ongoing uncertainty
over the future of the TCK agreement. The Tomcat PMC is
working with the VP Legal Affairs on a way forward for
on-going access to the TCKs. The TCKs are a useful tool and
the Tomcat PMC would like to retain access to them if an
acceptable agreement can be reached with Oracle.

Releases:
 - Apache Tomcat 7.0.34
 - Apache Tomcat 7.0.33
 - Apache Tomcat 7.0.32
 - Apache Tomcat 6.0.36
 - Apache Tomcat 5.5.36
 - Apache Tomcat Maven Plugin 2.0.0

Development:
There was lots of development activity on forthcoming
Apache Tomcat 8 release.

Community:
There were no changes in community since the last report.

Security:
 - CVE-2012-4431 - Important: Bypass of CSRF prevention filter
   The CSRF prevention filter could be bypassed if a request
   was made to a protected resource without a session identifier
   present in the request.
 - CVE-2012-2733 - Important: Denial of service
   The checks that limited the permitted size of request headers
   were implemented too late in the request parsing process for
   the HTTP NIO connector. This enabled a malicious user to
   trigger an OutOfMemoryError by sending a single request with
   very large headers.
 - CVE-2012-3546 - Important: Bypass of security constraints
   This issue was identified by the Tomcat security team on
   13 July 2012 and made public on 4 December 2012.
 - CVE-2012-3439 - Moderate: DIGEST authentication weakness
   Three weaknesses in Tomcat's implementation of DIGEST
   authentication were identified and resolved.

We are working on a number of other non-critical security issues
which will be disclosed with future releases.

Trademark:
Detailed status can be found at
https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt
There are no pending trademark issues which would require board's
attention at this time.

19 Sep 2012 [Mladen Turk / Jim]

  General:
  Continued healthy activity across multiple components and
  responsiveness on both dev and user lists.

Issues:
  There are no issues requiring Board attention at this time.

Releases:
 * Apache Tomcat 7.0.30
 * Apache Tomcat 7.0.29
 * Apache Tomcat 7.0.28
 * Apache Tomcat Native 1.1.24

Development:
  There was lots of development activity on forthcoming
  Apache Tomcat 8 release.

Community:
  Keiichi Fujino has joined Apache Tomcat PMC.

Security:
  We were working on a number of non-critical security issues
  which will be disclosed with future releases.

Trademark:
  Detailed status:
  https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt
  There are no pending trademark issues which would require board's
  attention at this time.

20 Jun 2012 [Mladen Turk / Roy]

  General:
  Continued healthy activity across multiple components and
  responsiveness on both dev and user lists.

Issues:
  There are no issues requiring Board attention at this time.

Releases:
 * Apache Tomcat 7.0.27
 * Apache Tomcat Connectors 1.2.37
 * Apache Tomcat Connectors 1.2.36
 * Apache Tomcat Connectors 1.2.35
 * Apache Taglibs Parent POM 3

Community:
  There were no changes in community membership

Security:
  There were a few minor reported security issues which have been
  handled as plain bugs.

Trademark:
  Detailed status:
  https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt
  There are no pending trademark issues which would require board's
  attention.

21 Mar 2012 [Mladen Turk / Greg]

General:
Continued healthy activity across multiple components and
responsiveness on both dev and user lists.

Issues:
There are no issues requiring Board attention at this time.

Releases:
 * Apache Tomcat 7.0.26
 * Apache Tomcat 7.0.25
 * Apache Tomcat 5.5.35
 * Apache Tomcat Connectors 1.2.33
 * Apache Tomcat Native 1.1.23
 * Apache Taglibs Parent POM 1
 * Apache Tomcat Maven Plugin 2.0-beta-1

Community:
Olivier Lamy has been elected as a new Apache Tomcat PMC member.

Security:
 * CVE-2012-0022 Denial of service
 * CVE-2011-3375 Information disclosure
 * CVE-2011-1184 Multiple weaknesses in HTTP DIGEST authentication
   Note: Mitre elected to break this issue down into multiple issues
   and have allocated the following additional references to parts of
   this issue: CVE-2011-5062, CVE-2011-5063 and CVE-2011-5064.
   The Apache Tomcat security team will continue to treat this as a
   single issue using the reference CVE-2011-1184.

Trademark:
  Detailed status:
  https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt
  Tomcat PMC initiated licensing discussion with Oracle regarding a
  couple of issues with Oracle's JSTL release. Waiting for the response
  from their legal team.

21 Dec 2011 [Mladen Turk / Doug]

Continued healthy activity across multiple components and
responsiveness on both dev and user lists.

Issues:
There are no issues requiring Board attention at this time.

Releases:
 * Apache Tomcat 7.0.23
 * Apache Tomcat 7.0.22
 * Apache Tomcat 6.0.35
 * Apache Tomcat 5.5.34

Community:
There were no community membership changes since the
last board report.

Security:
 * CVE-2011-1184 Multiple weaknesses in HTTP DIGEST authentication
 * CVE-2011-3376 Privilege Escalation

Trademark:
  Detailed status:
  https://svn.apache.org/repos/private/pmc/tomcat/trademark-status.txt

21 Sep 2011 [Mladen Turk / Bertrand]

 General:
 Continued healthy activity across multiple components and
 responsiveness on both dev and user lists.
 We have announced on the mailing lists that support for
 Apache Tomcat 5.5.x will end on 30 September 2012. An update to the
 official web site will follow.

 There are no issues requiring Board attention at this time.


Releases:
 * Apache Tomcat 7.0.16
 * Apache Tomcat 7.0.19
 * Apache Tomcat 7.0.20
 * Apache Tomcat 7.0.21
 * Apache Tomcat 6.0.33
 * Apache Tomcat Native 1.1.22
 * Apache Tomcat Connectors 1.2.32


Community:
  Two new committers (Eiji Takahashi and Olivier Lamy) joined
  the Apache Tomcat team.


Security:
 * CVE-2011-3190
   The AJP protocol is designed so that when a request includes
   a request body, an unsolicited AJP message is sent to Tomcat
   that includes the first part (or possibly all) of the
   request body. In certain circumstances, Tomcat did not
   process this message as a request body but as a new request.
 * CVE-2011-2729
   Due to a bug in the capabilities code, jsvc
   (the service wrapper for Linux that is part of the
    Commons Daemon project) does not drop capabilities allowing
   the application to access files and directories owned
   by superuser.
 * CVE-2011-2526
   Tomcat provides support for sendfile with the HTTP NIO and
   HTTP APR connectors. sendfile is used automatically for
   content served via the DefaultServlet and deployed web
   applications may use it directly via setting request attributes.
   These request attributes were not validated. When running
   under a security manager, this lack of validation allowed
   a malicious web application to do one or more of the following
   that would normally be prevented by a security manager:
   - return files to users that the security manager should
     make inaccessible
   - terminate (via a crash) the JVM
 * CVE-2011-2204
   When using the MemoryUserDatabase (based on tomcat-users.xml)
   and creating users via JMX, an exception during the user
   creation process may trigger an error message in the JMX
   client that includes the user's password. This error message
   is also written to the Tomcat logs. User passwords are visible
   to administrators with JMX access and/or administrators with
   read access to the tomcat-users.xml file. Users that do not
   have these permissions but are able to read log files may be
   able to discover a user's password.
 * CVE-2011-2481
   The re-factoring of XML validation for Tomcat 7.0.x re-introduced
   the vulnerability previously reported as CVE-2009-0783.
   This was initially reported as a memory leak. If a web
    application is the first web application loaded, this bug
   allows that web application to potentially view and/or alter the
   web.xml, context.xml and tld files of other web applications
   deployed on the Tomcat instance.

Trademark:
  Detailed status is in the private tomcat repository.

Good to see trademark status tracked in svn.

15 Jun 2011 [Mladen Turk / Shane]

 General:
 Continued healthy activity across multiple components and
 responsiveness on both dev and user lists.

 There are no issues requiring Board attention at this time.

Releases:
 * Apache Tomcat 7.0.12
 * Apache Tomcat 7.0.14

Community:
 There were no community membership changes since the
 last board report.
 A couple of developers were present at the Apache Retreat in
 Knockree working on various issues and code, namely the AJP
 NIO connector.

Security:
 * CVE-2011-1183
   A regression in the fix for CVE-2011-1088
   meant that security constraints were ignored when no login
   configuration was present in the web.xml and the web
   application was marked as meta-data complete.
 * CVE-2011-1475
   Changes introduced to the HTTP BIO connector to support
   Servlet 3.0 asynchronous requests did not fully account
   for HTTP pipelining.
 * CVE-2011-1582
   An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant
   that security constraints configured via annotations were
   ignored on the first request to a Servlet. Subsequent requests
   were secured correctly.

Trademark:
  Reviewed private@tomcat.a.o for all trademark issues and created
  status file in svn for tracking.

  Current status:
  * Resolved
      7 products, 2 web sites, 1 advert. 10 total
  * In progress
      3 products promised to rename
      1 product with legal-internal
      1 product in process of renaming (just domain name left)
      1 product considering entering incubation
      1 website promised to make updates

Issues:
  We are still waiting for EL 2.2 TCK. 18 months and counting.

Shane awards a rare gold star for working with third parties on brand issues!

16 Mar 2011 [Mladen Turk / Doug]

Summary:
The project continues to be active on a number of fronts.
There are no issues requiring Board attention at this time.


Releases:
Apache Tomcat 7.0.11 - released
Apache Tomcat 7.0.10 - released
Apache Tomcat 7.0.8  - released
Apache Tomcat 7.0.7  - released
Apache Tomcat 7.0.6  - released as first stable

Apache Tomcat 6.0.32 - released
Apache Tomcat 6.0.30 - released

Apache Tomcat 5.5.33 - released
Apache Tomcat 5.5.32 - released


Security:
We've been working closely with security issue reports and the Apache
Security committee on quickly replying to issues, resolving them, and
coordinating public disclosures.

CVE-2011-1088 Security constraint bypass. When a web application was
started, ServletSecurity annotations were ignored.

CVE-2011-0534 Remote Denial Of Service. The NIO connector expands its
buffer endlessly during request line processing. That behaviour can
be used for a denial of service attack using a carefully crafted
request.

CVE-2011-0013 Cross-site scripting. The HTML Manager interface
displayed web application provided data, such as display names,
without filtering.


Development:
Development was concentrated mainly on fixing bugs for the current
releases and pushing those releases out.

We hope to have some committers at the Knockree Retreat.
Plans still TBD.

GSoC: Change of approach in an effort to increase student ownership of
their GSoC work. No plans to propose projects for students. Happy to
consider student proposed projects.

JCP: EL 2.2 TCK still not available over 12 months since the initial
request from the ASF. Not expecting it any time soon. Currently
challenging two Servlet 3.0 TCK tests.

The ASF JIRA instance is now running on the latest Tomcat 7 release.


Trademark Issues:
We currently have two open trademark issues:
- http://itunes.apple.com/us/app/itomcats/id388474856?mt=8&ign-mpt=uo%3D4
 Rainer Jung is following up
- http://tomcat.jaxmao.org/
 Initial e-mail sent, no response received after 4 weeks

We have three trademark issues resolved:
- Tomcat plug-in for Eclipse changed their name to "Mongrel"
- Apache Tomcat Maven Plugin will become Apache Tomcat sub-project
 via incubator.
- TomCat Publishing. New independent book publisher. Not IT related.
 Not an issue.


Community:
There were no changes in the committership nor PMC membership
during this quarter.

Shane: Many thanks for excellent branding coverage.

15 Dec 2010 [Mladen Turk / Roy]

Summary
--------------
The project continues to be active on a number of fronts.
There are no issues requiring Board attention at this time.


Releases
-------------
Apache Tomcat 7.0.5  - released
Apache Tomcat 7.0.4  - released

Apache Tomcat 5.5.31 - released

Apache Tomcat Connectors 1.2.31 - released


Security
------------
We've been working closely with security issue reports and the Apache
Security committee on quickly replying to issues, resolving them, and
coordinating public disclosures.

CVE-2010-4172 The Manager application used the user provided parameters
sort and orderBy directly without filtering thereby permitting
cross-site scripting.



Development
-------------------
Development was concentrated mainly on fixing bugs for the current
releases and pushing those releases out.

Thanks to the infrastructure team (specifically Gavin in this case) we
now have CI builds of the Tomcat 6 & 7 docs that will update with every
commit.

The new front page for Tomcat 7 has been developed and we are
working on the new Tomcat site with the same look and feel.

Work has begun on parallel deployment, a feature that
essentially allows having two (or more) versions of the same
application deployed side-by-side.

We have also made sure to make our project compliant with the
newest ASF trademark guidelines.


Community
-----------------
We are pleased to have two new members in our team.
Christopher Schultz and Sylvain Laurent were voted as new committers.
We have also launched the official Apache Tomcat project Twitter feed.

22 Sep 2010 [Mladen Turk / Shane]

Summary:

The project continues to be active on a number of fronts.
There are no issues requiring Board attention at this time.


Releases:

Apache Tomcat 7.0.2  - released
Apache Tomcat 7.0.1  - not released

Apache Tomcat 6.0.29 - released
Apache Tomcat 6.0.28 - released
Apache Tomcat 6.0.27 - not released

Apache Tomcat 5.5.31 - voted (announcement pending)
Apache Tomcat 5.5.30 - released

Security:

We've been working closely with security issue reports and the Apache
Security committee on quickly replying to issues, resolving them, and
coordinating public disclosures.

CVE-2010-2227: Remote Denial Of Service and Information Disclosure
              Vulnerability
 Several flaws in the handling of the 'Transfer-Encoding' header
 were found that prevented the recycling of a buffer. A remote
 attacker could trigger this flaw which would cause subsequent
 requests to fail and/or information to leak between requests.
 This flaw is mitigated if Tomcat is behind a reverse proxy
 (such as Apache httpd 2.2) as the proxy should reject the invalid
 transfer encoding header.

CVE-2010-1157: Information disclosure in authentication headers
 The WWW-Authenticate HTTP header for BASIC and DIGEST authentication
 includes a realm name. If a <realm-name> element is specified for the
 application in web.xml it will be used. However, if a <realm-name> is not
 specified then Tomcat will generate a realm name using the code snippet
 request.getServerName() + ":" + request.getServerPort().
 In some circumstances this can expose the local host name or IP address
 of the machine running Tomcat.

Development:

Development was concentrated mainly on fixing bugs for the current
releases and pushing those releases out.

The GSoC work completed. For a while it was touch and go whether or not
it was going to be successful, but we ended up with some cool enhancements,
additions and fixes to Tomcat 7's JMX support which allow a user to
configure a working Tomcat instance over JMX from an absolute bare
minimum starting point. The student appears to be continuing their
involvement with the project.

Tomcat 7 has reached about 10% of total Tomcat downloads
(not counting mirrors) which is pretty good considering it is still beta.


Community:

There was a lot of activity on the Users list recently and we are
planning to offer commit privileges to a couple of the most active users
who are also willing to be involved in development by
providing code patches.

16 Jun 2010 [Mladen Turk / Doug]

Summary
--------------
The project continues to be active on a number of fronts.
There are no issues requiring Board attention at this time.


Releases
-------------
We have released Apache Tomcat 5.5.29, which mainly fixes numerous
bugs over the previous 5.5.28 release.
We have also prepared a number of Apache Tomcat 7.0 release candidates
which are used to polish the API before creating the 7.0.x branch and
switching to the RTC policy.


Security
------------
We have been working closely with security issue reports and the Apache
Security committee on quickly replying to issues, resolving them, and
coordinating public disclosures.

CVE-2010-1157: Information disclosure in authentication headers.
The WWW-Authenticate HTTP header for BASIC and DIGEST authentication
includes a realm name. If a <realm-name> element is specified for the
application in web.xml it will be used. However, if a <realm-name> is
not specified then Tomcat will generate a realm name using the code
snippet request.getServerName() + ":" + request.getServerPort().
In some circumstances this can expose the local host name or IP
address of the machine running Tomcat.


Development
-------------------
Development was concentrated mainly on releasing Tomcat 7.0
and the effort to make it specification compliant. Tomcat 7.0 also
now passes the TCK with security manager enabled, which was not
true for a very long time.
We plan to release Tomcat 6.0.27 this month and are currently
in the review process. Finally, we plan to make the first Tomcat 7
public release within the next few weeks.


Community
-----------------
We had a strong presence at Apache Retreat (Ireland) and have determined
the sessions for the Tomcat track at Apache Con 2010.

17 Mar 2010 [Mladen Turk / Jim]

Summary
--------------
The project continues to be active on a number of fronts.
There are no issues requiring Board attention at this time.


Releases
-------------
We have released Apache Tomcat 6.0.24 and 6.0.26.
We have released Tomcat Connectors 1.2.30. Version 1.2.29 was
released but later withdrawn because of a regression in the IIS connector.
And we have also released Tomcat Native versions 1.1.19 and 1.1.20.


Security
------------
We've been working closely with security issue reports and the Apache
Security committee on quickly replying to issues, resolving them, and
coordinating public disclosures.

CVE-2009-2693: Arbitrary file deletion and/or alteration on deploy
 When deploying WAR files, the WAR files were not checked for
 directory traversal attempts. This allows an attacker to create
 arbitrary content outside of the web root by including entries
 such as ../../bin/catalina.sh in the WAR.

CVE-2009-2901: Insecure partial deploy after failed deploy
 By default, Tomcat automatically deploys any directories placed
 in a host's appBase. This behaviour is controlled by the autoDeploy
 attribute of a host which defaults to true. After a failed undeploy,
 the remaining files will be deployed as a result of the
 autodeployment process. Depending on circumstances, files normally
 protected by one or more security constraints may be deployed without
 those security constraints, making them accessible without
 authentication. This issue only affects Windows platforms.

CVE-2009-2902: Unexpected file deletion in work directory
 When deploying WAR files, the WAR file names were not checked for
 directory traversal attempts. For example, deploying and undeploying
 ...war allows an attacker to cause the deletion of the current
 contents of the host's work directory which may cause problems for
 currently running applications.


Development
-------------------
Development was concentrated mainly on fixing bugs for the current
releases and pushing those releases out.

Recent months have seen further significant reductions in the bug
backlog for Tomcat 5 & 6. Unresolved bugs now number ~20 with the oldest
opened around a month ago.

Tomcat 7 development is progressing. The JSP 2.2 and EL 2.2
implementations are complete and pass the TCK. The Servlet 3.0
implementation is nearly complete, with just the asynchronous work
and the TCK testing remaining.
The hope is to have a TCK compliant Tomcat 7 release by the end of March.


Community
-----------------
Tim Whittington was elected as a new Apache Tomcat committer.
Konstantin Kolinko was voted onto the Apache Tomcat PMC.
Also, a few of us will be present at the Apache Retreat in Ireland
next month. We have also invited a few users that are very active
and helpful on the Apache Tomcat users list, hoping that this will
encourage them toward eventual development involvement.
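
An added check (Python, not Tomcat's own deployer code) for the two WAR handling flaws reported above: it rejects archive entries that would escape the deployment directory (CVE-2009-2693) and WAR file names whose derived base name is a traversal component such as ".." (CVE-2009-2902). The sample archives are constructed in memory; posixpath.normpath stands in for the container's own normaliser (an assumption).

```python
import io
import posixpath
import zipfile


def build_sample_war(entries):
    """Build an in-memory WAR (a zip archive) from {entry_name: bytes}.
    Constructed test data only, not a real Tomcat artifact."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def safe_entry_name(name):
    """True if a zip entry name stays inside the extraction root.

    Rejects empty names, backslashes, NUL bytes, absolute paths, drive
    letters and any name that still begins with '..' after normalisation
    (the CVE-2009-2693 pattern '../../bin/catalina.sh')."""
    if not name or "\\" in name or "\x00" in name:
        return False
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return False
    normalized = posixpath.normpath(name)
    return normalized != ".." and not normalized.startswith("../")


def safe_war_base_name(war_filename):
    """True if the name derived from the WAR filename (filename minus
    '.war', used for the context and work directory) is a single,
    non-traversing path component.

    CVE-2009-2902: '...war' derives the base name '..', so work-directory
    cleanup on undeploy reached the parent directory."""
    if not war_filename.lower().endswith(".war"):
        return False
    base = war_filename[:-4]
    if base in ("", ".", ".."):
        return False
    return not any(ch in base for ch in "/\\\x00")


def check_war(war_filename, war_bytes):
    """Return a list of problems; an empty list means the WAR passes both
    checks and can be handed to the deployer."""
    problems = []
    if not safe_war_base_name(war_filename):
        problems.append("unsafe WAR file name: %r" % war_filename)
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for info in zf.infolist():
            if not safe_entry_name(info.filename):
                problems.append("traversal entry: %r" % info.filename)
    return problems


if __name__ == "__main__":
    # Constructed samples: a clean archive and one carrying a traversal entry.
    good = build_sample_war({"WEB-INF/web.xml": b"<web-app/>", "index.jsp": b"ok"})
    bad = build_sample_war({"index.jsp": b"ok", "../../bin/catalina.sh": b"placeholder"})
    print(check_war("app.war", good))  # []
    print(check_war("app.war", bad))   # one traversal entry reported
    print(check_war("...war", good))   # unsafe WAR file name reported
```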

16 Dec 2009 [Mladen Turk / Roy]

Summary
--------------
The project continues to be active on a number of fronts.
There are no issues requiring Board attention at this time.

Releases
-------------
We have released Tomcat Native 1.1.18.

Security
------------
We've been working closely with security issue reports and the Apache
Security committee on quickly replying to issues, resolving them, and
coordinating public disclosures.

CVE-2009-3548 - Insecure default password
 The Windows installer defaults to a blank password for the
 administrative user. If this is not changed during the install
 process, then by default a user is created with the name admin,
 roles admin and manager and a blank password.

Development
-------------------
Development was concentrated mainly on fixing bugs for the current
releases and on finalizing Tomcat 7. The new Tomcat Lite was moved
from the sandbox to the modules directory.
We have requested the Solaris Zone for Tomcat PMC which we would
like to use for creating daily and release builds.

Community
-----------------
There were no changes in the committership nor PMC membership
during this quarter.

Jim to make sure that the Tomcat project is aware of infra-managed build options before rolling their own on a zone.

23 Sep 2009 [Mladen Turk / Jim]

Summary
--------------
The project continues to be active on a number of fronts.
There are no issues requiring Board attention at this time.

Releases
-------------
We have released Tomcat 5.5.28 and 4.1.40.
Tomcat 4.1.40 was the last 4.1.x version we plan to release.


Security
------------
There were no security issue reports that would require urgent
resolution from the last board report.


Development
-------------------
Development was concentrated mainly on fixing bugs for the current
releases and on figuring out the needed tasks for Tomcat 7.
Three taglibs from Jakarta Taglibs were successfully migrated over to
the Tomcat SVN; namely Reusable Dialog Components (RDC), Standard Tag
Library (JSTL implementation) and an in-development Extended Tag
Library. Migration of the web site is in progress and user mailing
list migration is requested in INFRA-2185.
Also we reorganized the SVN repository layout to better serve
the multiple branches and project modularity.


Community
-----------------
Glen Nielsen's PMC membership status was changed to emeritus at his
own request. Also, SVN access was granted to the JSP taglibs team
so they can continue development.

We have also voted on the proposed 10th anniversary Tomcat logo, and
we hope to have its final form in the next couple of weeks.

17 Jun 2009 [Mladen Turk / Justin]

Summary
--------------
The project continues to be active on a number of fronts.
There are no issues requiring Board attention at this time.

Releases
-------------
We have released Tomcat 6.0.20. Tomcat 6.0.19 was not released
due to some small packaging localization issues.
We are currently in the release process for 5.5.28 and 4.1.40
versions. Tomcat 4.1.40 is likely to be the last 4.1.x release.
Mod_jk 1.2.28 was released with numerous binaries for
selected platforms. Finally, JDBC Pool 1.0.3 was released.

Security
------------
We've been working closely with security issue reports and the Apache
Security committee on quickly replying to issues, resolving them, and
coordinating public disclosures.

CVE-2008-5515 - Information disclosure vulnerability
 When using a RequestDispatcher obtained from the Request,
 the target path was normalised before the query string was removed.
 A request that included a specially crafted request parameter could be
 used to access content that would otherwise be protected by a security
 constraint or by its location under the WEB-INF directory.
 Fixed and included in 6.0.20 release

CVE-2008-5519 - Information disclosure vulnerability
 Situations where faulty clients set Content-Length without providing data,
 or where a user submits repeated requests very quickly, may permit one
 user to view the response associated with a different user's request.
 Fixed in the mod_jk 1.2.27 release, but was assigned a CVE number later.

CVE-2009-0033 - DoS vulnerability
 If Tomcat receives a request with invalid headers via the
 Java AJP connector, it does not return an error and instead closes the AJP
 connection. In case this connector is a member of a mod_jk load balancing
 worker, this member will be put into an error state and will be blocked
 from use for approximately one minute. Thus the behaviour can be used for
 a denial of service attack using a carefully crafted request.
 Fixed and included in 6.0.20 release

CVE-2009-0580 - Information disclosure vulnerability
 Due to insufficient error checking in some authentication classes,
 Tomcat allows for the enumeration (brute force testing) of user names by
 supplying illegally URL encoded passwords. The attack is possible if FORM
 based authentication (j_security_check) is used with the MemoryRealm.
 Fixed in the SVN for all major Tomcat branches and included in the
 Tomcat 6.0.20 release.

CVE-2009-0781 - Cross-site scripting vulnerability
 The calendar application in the examples web application contains
 an XSS flaw due to invalid HTML which renders the XSS
 filtering protection ineffective.
 Fixed in the SVN for all major Tomcat branches and included in the
 Tomcat 6.0.20 release.

CVE-2009-0783 - Information disclosure vulnerability
 Bugs 29936 and 45933 allowed a web application to replace the XML parser
 used by Tomcat to process web.xml, context.xml and tld files. In limited
 circumstances these bugs may allow a rogue web application to view and/or
 alter the web.xml, context.xml and tld files of other web applications
 deployed on the Tomcat instance.
 Fixed in the SVN for all major Tomcat branches and included in the
 Tomcat 6.0.20 release.


Currently there are no pending security issues.


Development
-------------------
Development was concentrated mainly on security issues and fixing
bugs for the current releases.
The Jakarta PMC proposed, and we accepted, moving the
JSP Standard Tag Library technologies project (Taglibs)
from Jakarta and continuing its development inside Apache Tomcat.
Also, we are currently discussing reorganizing the SVN repository
to better serve the multiple branches and project modularity.
Tomcat 7 / Servlet 3.0 is still in the early stages of development.


Community
-----------------
There were no changes in the PMC membership during this quarter.
We are very happy that Konstantin Kolinko joined us as a new committer.

We are preparing the Tomcat day for this year's ApacheCon US, and
it seems the majority of Tomcat PMC members will be present at the
conference, doing their best to promote the 10th anniversary of
both the ASF and Apache Tomcat.

We should highlight 10 years of Tomcat at the next ApacheCon US.

18 Mar 2009 [Mladen Turk / Geir]

Apache Tomcat Board Report, March 2009

Summary
--------------
The project continues to be active on a number of fronts.
There are no issues requiring Board attention at this time.

Releases
-------------
We didn't cut any release from the last board report.

However we are in the process of releasing mod_jk 1.2.28
and Tomcat 6.0.19.


Security
------------
We've been working closely with security issue reports and the Apache
Security committee on quickly replying to issues, resolving them, and
coordinating public disclosures.

CVE-2009-0781 - Cross-site scripting vulnerability
 The calendar application in the examples web application contains
 an XSS flaw due to invalid HTML which renders the XSS
 filtering protection ineffective.
 Fixed in the SVN for all major Tomcat branches.

We are working on a few other security issues not mentioned
here because they have not been publicly disclosed yet.


Development
-------------------
Development was concentrated mainly on security issues and fixing
bugs for the current releases.


Community
-----------------
There were no changes in the committership nor PMC membership
during this quarter.

17 Dec 2008 [Mladen Turk / Bill]

Summary
--------------
The project continues to be active on a number of fronts.
There are no issues requiring Board attention at this time.

Releases
-------------
We cut a number of releases mostly of our connector branches.

Tomcat Connectors 1.2.27 was released last month, primarily a bug fix
and feature enhancement release over the previous 1.2.26 release.

Tomcat Native connector 1.1.16 was released,
primarily a minor bug fix release over the previous 1.1.15 release.

And finally Tomcat 4.1.39 was released including a number
of recently resolved security issues.

Security
------------
We've been working closely with security issue reports and the Apache
Security committee on quickly replying to issues, resolving them, and
coordinating public disclosures.

CVE-2008-2938 will shortly be updated to correctly ID the root cause
as the JVM rather than Tomcat.


Development
-------------------
Development was concentrated mainly on security issues and fixing
bugs for the current releases.

We branched Tomcat Native connector to 1.1.x stable, and all
future development will take place in head, aiming at 1.2.x versions.
The 1.1.x branch is considered stable and will have an RTC commit
policy.


Community
-----------------
After last quarter's new committers and PMC members, there were no
changes to the committership or PMC membership this time.
The new commit policy is working very well, and we've been
very active in both commit and release volume.

17 Sep 2008 [Mladen Turk / Geir]

Summary
--------------
The project continues to be active on a number of fronts.
There are no issues requiring Board attention at this time.

Releases
-------------
We cut a number of releases incorporating the majority of our active branches.

Tomcat 6.0.18 was released last month, primarily a bug fix
and security fix release over the previous 6.0.16 release.
Although we tagged 6.0.17, it wasn't released, due to security
fixes that were incorporated in 6.0.18.

Tomcat Native connector 1.1.14 was released, primarily a bug fix
release over the previous 1.1.13 release.
Tomcat Native connector 1.1.15 was released, fixing an IPv4/IPv6
bug present in the previous releases.

Finally Tomcat 5.5.27 was released, fixing bugs and security
issues over the previous 5.5.26 release.

Security
------------
We've been working closely with security issue reports and the Apache
Security committee on quickly replying to issues, resolving them, and
coordinating public disclosures.
The following security issues have been resolved:

CVE-2008-1232
 The message argument of HttpServletResponse.sendError() call is
 not only displayed on the error page, but is also used for
 the reason-phrase of HTTP response.
 6.0.x: Fixed, released and announced
 5.5.x: Fixed in the SVN and announced
 4.1.x: Fixed in the SVN and announced

CVE-2008-1947
 The Host Manager web application did not escape user provided data
 before including it in the output. This enabled an XSS attack.
 6.0.x: Fixed, released and announced
 5.5.x: Fixed, released and announced

CVE-2008-2370
 When using a RequestDispatcher the target path was normalised before
 the query string was removed.
 6.0.x: Fixed, released and announced
 5.5.x: Fixed, released and announced
 4.1.x: Fixed in the SVN and announced

CVE-2008-2938
 If a context is configured with allowLinking="true" and the connector
 is configured with URIEncoding="UTF-8" then a malformed request may
 be used to access arbitrary files on the server.
 6.0.x: Fixed, released and announced
 5.5.x: Fixed, released and announced
 4.1.x: Fixed in the SVN and announced

CVE-2008-0128
 When using the SingleSignOn Valve via https the Cookie JSESSIONIDSSO
 is transmitted without the "secure" attribute.
 4.1.x: Fixed in the SVN and announced


Development
-------------------
Development was concentrated mainly on security issues and fixing
bugs for the current releases. We are currently in discussions to
use some of the code Costin was working on for more than 3 years
inside 'Tomcat Lite' branch.

Mod_jk has had a lot of bug fixes since the last released version, so we
plan to release a new version, 1.2.27, this month.


Community
-----------------
After last quarter's new committers and PMC members, there were no
changes to the committership or PMC membership this time.
The new commit policy is working very well, and we've been
very active in both commit and release volume.
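
An added example (Python, not Tomcat's code) of the ordering flaw behind CVE-2008-2370 in this report and CVE-2008-5515 in the June 2009 report: normalising the dispatcher target before the query string is removed lets a ".." inside a parameter value rewrite the path. posixpath.normpath stands in for the container's normaliser (an assumption) and the sample targets are constructed.

```python
import posixpath


def normalize_path(path):
    """Collapse '.' and '..' segments the way a container resolves a
    dispatcher target. posixpath.normpath is a stand-in for Tomcat's own
    normaliser (assumption); a leading '/' is kept."""
    return posixpath.normpath(path)


def split_query(target):
    """Split '/path?query' into ('/path', 'query'); query is None when
    the target carries no '?'."""
    path, sep, query = target.partition("?")
    return path, (query if sep else None)


def resolve_vulnerable(target):
    """Flawed order described in the CVEs: normalise the whole target
    first, then remove the query string. Any '..' in the query string is
    treated as a path segment during normalisation."""
    normalized = normalize_path(target)
    path, _query = split_query(normalized)
    return path


def resolve_fixed(target):
    """Corrected order: remove the query string first, then normalise only
    the path portion, so query content can never alter the path."""
    path, _query = split_query(target)
    return normalize_path(path)


def is_protected(path):
    """Mirror the servlet rule that WEB-INF contents are never served."""
    return path == "/WEB-INF" or path.startswith("/WEB-INF/")


def compare(target):
    """Return (vulnerable_path, fixed_path, leaks) for one dispatcher target,
    where leaks is True when only the flawed order lands on protected content."""
    vulnerable = resolve_vulnerable(target)
    fixed = resolve_fixed(target)
    leaks = is_protected(vulnerable) and not is_protected(fixed)
    return vulnerable, fixed, leaks


if __name__ == "__main__":
    # Constructed sample targets: an ordinary forward and one whose
    # parameter value contains a '..' segment.
    for target in ["/jsp/index.jsp?view=summary",
                   "/page.jsp?file=/../WEB-INF/web.xml"]:
        print(target, "->", compare(target))
```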

25 Jun 2008 [Mladen Turk / Justin]

Summary
--------------
The project continues to be active on a number of fronts. There are
no issues requiring Board attention at this time.

Releases
-------------
There were no releases since the last report.

Security
------------
We've been working closely with security issue reports and the Apache
Security committee on quickly replying to issues, resolving them, and
coordinating public disclosures.
The following security issues have been resolved:

CVE-2008-0128
 JSESSIONIDSSO is transmitted without the "secure" attribute
 6.0.x: Fixed, released and announced
 5.5.x: Fixed, released and announced

We are currently working on the following security issues:

CVE-2008-1232
 XSS with national characters and reason-phrase of HTTP response

CVE-2008-1947 (need to get a CVE for this)
 More XSS in manager app

Development
-------------------
We decided by majority that Tomcat Version 3.x will be declared
as unsupported. This means removing download links from
tomcat.apache.org site and marking all bugzilla issues as WONTFIX.
We decided by majority that Tomcat version 4.x will be marked
as de-supported, giving a 12 to 16 month period before marking it
as unsupported. Beyond that, development was concentrated mainly
on fixing bugs for the current releases.

Community
-----------------
After last quarter's new committers and PMC members, there were no
changes to the committership or PMC membership this time.
The new commit policy is working very well, and we've been
very active in both commit and release volume.

19 Mar 2008 [Mladen Turk / Justin]

Summary
--------------
The project continues to be active on a number of fronts.  There are no
issues requiring Board attention at this time.

Releases
-------------
We cut a number of releases incorporating all our active branches.

Tomcat 5.5.26 was released last month incorporating numerous security
updates and bug fixes.

Tomcat 6.0.16 was released last month, primarily a bug fix and security
fix release over the previous 6.0.14 release.

Tomcat connectors, mod_jk, had a release: 1.2.26.

Tomcat Native connector had a first release: 1.1.13.

Finally, Tomcat 4.1.37 was released, which was primarily a security fix
release.

Security
------------
We've been working closely with security issue reports and the Apache
Security committee on quickly replying to issues, resolving them, and
coordinating public disclosures.

Development
-------------------
We decided by majority that Tomcat Native (APR based connector) will be
handled from now on as a separate subproject with its own release cycle.
The standard vote/release process will be applied to it. The reason for
moving this subcomponent to a separate release cycle is to better
maintain this optional component, and to provide limited backward bug fix
compatibility, and the fact that it is used both by Tomcat 5.5 and 6.0
branches.

Community
-----------------
After last quarter's new committers and PMC members, there were no changes
to the committership or PMC membership this time. The new commit policy is
working very well, and we've been very active in both commit and release
volume.

19 Dec 2007 [Mladen Turk / Bill]

Summary
--------------
The project continues to be active on a number of fronts.  There are
no issues requiring Board attention at this time.

Releases
-------------
There were no releases this month.
However, we are pretty close to releasing Tomcat 6.0.15 and mod_jk 1.2.26.

Security
------------
We had fewer security-related issues, so it seems most of them
have been fixed for the forthcoming releases.

Development
-------------------
Lots of development took place, mostly related to fixing the
bugs that caused 6.0.15 to fail the release.

The Tomcat PMC is participating in the Google Highly Open
Participation (GHOP) project, an effort to involve high school
students in open-source software development.  We submitted five tasks
to the project: three have been completed, and two are in progress:
- The Tomcat FAQ was migrated from a static document set accessible
only to committers to a public wiki,
- New documentation in the areas of Tomcat internal dependencies, and
guides on programming Tomcat Valves and Realms,
- Improved XSLT / CSS handling for the printer-friendly version of
tomcat.apache.org pages

The Tomcat PMC hopes to continue its involvement with these types of
projects, and maybe pick up a couple of new contributors in the
process.


Community
-----------------
There were no changes to the committership or PMC membership
this time.

Approved by General Consent.

14 Nov 2007 [Mladen Turk / J Aaron]

Summary
--------------
The project continues to be active on a number of fronts.  There are
no issues requiring Board attention at this time.

Releases
-------------
There were no releases this month.

Security
------------

Development
-------------------
We have voted on the new commit policy, caused by a serious
dispute between two leading Tomcat core developers with
different views on the development process and some personal
dislike.
Here is the VOTE synopsis:
 o Existence of release and development branches
   in parallel with each other (dev are odd numbered,
   release are even numbered).
 o Development branches are CTR. If code or patches
   to this branch change the API, advanced warning
   is required even before the commit. It may be
   open to a vote if there is debate. Larger patches,
   as well as far-reaching patches should also be
   community gauged before implemented.
 o Release branches are RTC, with patches obtained
   from the development tree. Thus, backports refer
   to the SVN revision on the development tree which
   adds that feature.
 o Both branches have a STATUS file. For the release
   branch, STATUS is also used to note backport
   proposals.
 o Reviews are *always* appropriate. One can call
   for a formal review of a patch at any time.
 o Voting is via normal ASF rules.
 o Regarding large and/or API changing patches, use of
   a sandbox is recommended to allow for SVN history to
   be maintained, to encourage outside interest and
   involvement ("Hey, I'm working on Foo. Here is the
   SVN url. Come and help or at least follow along").
   This also allows for more complete understanding of
   the impacts before it reaches the dev branch.

The vote was passed with a majority of votes from PMC members
including Jim, Yoav, Tim, Remy, Costin, Filip, Mark, Mladen,
Jean-Frederic, Rainer, Peter and Henri and without any -1.

This caused the creation of STATUS files and all significant
patches are now first put for a majority vote and review
inside:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS?view=markup
and
http://svn.apache.org/viewvc/tomcat/current/tc5.5.x/STATUS?view=markup

The Apache Tomcat 6.0.15 release was stopped because of a few
minor TCK issues, so the plan is to tag and release 6.0.16 in
the following week.

Mod_jk is on the way to a 1.2.26 release with a number of bug
fixes over the 1.2.25 release.

Community
-----------------
There were no changes to the committership or PMC membership
this time.

So far, for the last couple of months, we have been able to continue
active development with the newly adopted commit rules.

Approved by General Consent.

17 Oct 2007 [Mladen Turk / Henri]

The board will once again request another Tomcat report in November.

Approved by General Consent.

19 Sep 2007 [Mladen Turk / Bill]

Summary
--------------
The project continues to be active on a number of fronts.  There are
no issues requiring Board attention at this time.

Releases
-------------
We cut a number of releases incorporating all our active branches.

Tomcat 5.5.25 was released this month.

Tomcat 6, the current production branch, had one release this past
quarter: 6.0.14, which is the latest stable Tomcat at this time.

Finally, the Tomcat connectors, mainly mod_jk, had a couple of
releases as well: 1.2.24 and 1.2.25. However, we had to revoke
the 1.2.24 release because of a serious regression that slipped through
the testing phase.

Security
------------
The Tomcat security site (http://tomcat.apache.org/security.html) has
been getting more love and attention.  It now contains the vast
majority of known issues and fixes for all Tomcat branches.

We've been working closely with security issue reports and the Apache
Security committee on quickly replying to issues, resolving them, and
coordinating public disclosures.

There are a few open security issues at the moment.  The fixes
are already in SVN, and most of them are already incorporated in the
6.0.14 and 5.5.25 releases.

Development
-------------------
There is ongoing discussion about the purpose of the current code
inside Tomcat 6 trunk, and the majority of developers have agreed
to put the trunk into the sandbox.

Community
-----------------
After last quarter's new committers and PMC members, there were no
changes to the committership or PMC membership this time.
Mladen Turk was elected as new PMC Chair and voted by the ASF Board.

Discussion on dual design approaches, overall feeling is that this will resolve itself, several directors indicated that they will watch this project.

Approved by General Consent.

18 Jul 2007

Change the Apache Tomcat Project Chair

 WHEREAS, the Board of Directors heretofore appointed Yoav Shapira
 to the office of Vice President, Apache Tomcat, and

 WHEREAS, the Board of Directors is in receipt of the resignation
 of Yoav Shapira from the office of Vice President, Apache Tomcat;

 NOW, THEREFORE, BE IT RESOLVED, that Yoav Shapira is relieved
 and discharged from the duties and responsibilities of the office
 of Vice President, Apache Tomcat, and

 BE IT FURTHER RESOLVED, that Mladen Turk be and hereby is
 appointed to the office of Vice President, Apache Tomcat, to serve
 in accordance with and subject to the direction of the Board of
 Directors and the Bylaws of the Foundation until death,
 resignation, retirement, removal or disqualification, or until a
 successor is appointed.

 Special order 7A, Change the Apache Tomcat Project Chair, was
 approved by Unanimous Vote.

20 Jun 2007 [Yoav Shapira / Greg]

Summary
--------------
The project continues to be active on a number of fronts.  There are
no issues requiring Board attention at this time.

Releases
-------------
We cut a number of releases incorporating all our active branches.

Tomcat 5.5.22 was out a couple of months ago, 5.5.23 last month, and
5.5.24 is coming out later this month.

Tomcat 4.1.35 was out a couple of months ago, shortly followed by
4.1.36, both primarily bug fix and security fix releases.

Tomcat 6, the current production branch, had three releases this past
quarter: 6.0.11, 6.0.12, and 6.0.13, which is the latest stable Tomcat
at this time.

Finally, the Tomcat connectors, mainly mod_jk, had a couple of
releases as well: 1.2.22 and 1.2.23.

Security
------------
The Tomcat security site (http://tomcat.apache.org/security.html) has
been getting more love and attention.  It now contains the vast
majority of known issues and fixes for all Tomcat branches.

We've been working closely with security issue reports and the Apache
Security committee on quickly replying to issues, resolving them, and
coordinating public disclosures.

There exist one or two open security issues at the moment.  The fixes
are already in SVN, the issues are not major, and we're working to
coordinate public disclosure with the reporters.

Development
-------------------
We've moved Tomcat 6.0.x into its own SVN branch, continuing work on
new and experimental features in the trunk.  We also have a sandbox
area for really experimental stuff.

Tomcat release artifacts, once approved by a PMC vote, are now
published on the standard / main Maven repositories.

We continue to work with downstream integrators and re-packagers of
Tomcat, such as the Gentoo Linux project, on improving our release
process and artifacts for their consumption.

ApacheCon
-----------------
Tomcat had a nice presence at this past ApacheCon (in Amsterdam), with
a full day of presentations and talks about the project.  There were
presentations from several Tomcat committers as well as other users
and contributors.  From what I understand, the talks were
well-attended and well-received.

Community
-----------------
After last quarter's new committers and PMC members, there were no
changes to the committership or PMC membership this time.  The PMC Chair
is likely to change next month, continuing the voluntary Tomcat
tradition of one year terms.

Henri noted his approval of the renewed "energy" with regards to security within the PMC.

Approved by General Consent.

28 Mar 2007 [Yoav Shapira / Jim]

Apache Tomcat Board Report, March 2007

Summary: Tomcat is chugging along, with significant development
milestones achieved this quarter, and no issues requiring Board
attention.

Community:
- We've voted in one new committer, Fabien Carrion, whose iCLA will
hopefully be recorded this week.

- We've voted in one new PMC member, Rainer Jung, as ACKed by the
Board a couple of days ago.

- We've restored one committer, Guenter Knauf, from inactive/emeritus
status, back to active status, after re-verifying his iCLA and PGP
key, and running an informal vote on the issue.

Development:
- We released the first stable version of Tomcat 6, version 6.0.10,
after much testing and iteration.  We feel very good about the
quality, scalability, and performance of the release.  Apparently it's
pretty popular, too, judging by the various traffic spikes starting
with the release announcement:
http://people.apache.org/~vgritsenko/stats/days-trend.html

- We released a couple of versions of Tomcat 5.5, including a stable 5.5.23.

- We released a couple of versions of the Tomcat Connectors, including
mod_jk, 1.2.19, 1.2.20, and 1.2.21.

- I personally am very happy with the distributed nature of our
release management, in terms of how different people are cutting
releases and can back the designated RM for each branch if need be.

- We've worked hard to improve Tomcat-related security information on
the web site, creating a new set of summary pages using a similar
model to httpd's: http://tomcat.apache.org/security.html is a work in
progress, but a great improvement over the previous (lack of) data, we
think.

- We've also worked to improve integration and co-operation with the
Apache Security Team, triaging and communicating jointly on issues,
and educating some of the newer Tomcat PMC members about the process.

- We've also been working more closely with downstream packagers of
Tomcat for Linux, specifically Gentoo, and getting their early
feedback on each release as tested in their environment.  I think
that's a cool process improvement, just worth noting that it's been
working well.

Approved by General Consent.

20 Dec 2006 [Yoav Shapira / Ken]

Issues requiring the Board's attention: none.

Development
------------------
Work continues apace on Tomcat 6 and the mod_jk connector.  Both
products have done multiple alpha- and beta-level releases since the
last Board report.  Both have received increased testing from the
committers as well as outside contributors, resulting in some
interesting issues discovered and addressed.  We hope to have a stable
mod_jk release, 1.2.20, in the next week or two, as well as another
alpha-level build of Tomcat (6.0.6), and the first stable Tomcat 6
release before the next Board report.

Several of the fixes found in Tomcat 6 have been back-ported to Tomcat
5.x as well, but there has been no 5.x release since 5.5.20 in September.

Security
------------
On December 7th a possible security issue was reported to us by the
Struts PMC, which had been notified of it earlier.  After some
discussion, we concluded this was a fairly minor issue with
responsibility on both the Tomcat and Struts sides.  There was a patch
available in SVN within a day or so, and it was back-ported to
previous Tomcat branches as well.  I think we were all pretty pleased
with the efficiency and speed of communication between the projects.

Because the issue has yet to be publicly announced and this Board
report may become public before the issue is announced, we are
omitting the actual details here.  The Tomcat PMC will be glad to
provide any details required, and the discussions are archived on the
mailing list archives of private@tomcat.apache.org,
private@struts.apache.org, and security@tomcat.apache.org.

Trademarks / Legal
----------------------------
A couple of days ago we noted that
http://www.octazen.com/product_tomcatnet.html was calling their
product Tomcat.NET.  We contacted them, CCing the PRC for its records,
and Octazen immediately agreed to relabel their product and clarify
the page as to their relationship to Apache Tomcat.  So this issue was
resolved pleasantly and quickly.

Community
----------------
Not much going on here: no new committers, no new PMC members, but no
one resigning or leaving either ;)

Justin asked if the security team (aka security@apache.org) was involved regarding the "security" issue noted in the Tomcat report. Yoav, via out-of-meeting correspondence, indicated that they were.

Approved by General Consent.

20 Sep 2006 [Yoav Shapira / Dirk]

- We have no issues that require attention from the Board at this time

Development:
- Continued work on Tomcat 6.0 development: we expect to have release
 6.0.0 ready roughly at the same time that Servlet Specification v2.5
 and JSP Specification v2.1 are finalized.  No change here since
 previous Board report.
- Much work has been done on the mod_jk connector, improving
 reliability, performance, and monitoring options for httpd / mod_jk
 administrators.  It's been great to see the increased level of energy
 and enthusiasm around the connectors, and the new connector releases
 have been getting pre-release testing from a number of committers on
 various platforms.
- We've also added a non-blocking HTTPS protocol connector written in
 Java to provide users with another choice on platforms that handle
 non-blocking IO threads well.
- We're also diversifying release managers: Mark Thomas is the current
 release manager for Tomcat 4.x, Filip Hanik for Tomcat 5.x, Remy
 Maucherat for 6.x, and Rainer Jung for the connectors.

Releases:
- mod_jk 1.2.17 and 1.2.18 were released.  1.2.18 is currently the
 stable release (it was put out on July 20th).  mod_jk 1.2.19 is in the
 works, expected to release in the first half of September.
- Tomcat 4.1.34 was released in the first week of September, and
 addresses virtually all the issues reported against the previous 4.1
 release.
- Tomcat 5.5.18 and 5.5.19 were cut, but did not make it into final
 release: 5.5.20 is in the works. Tomcat 5.5.17 is still the latest
 stable Tomcat release.

People:
- No changes since last Board report.

Approved by General Consent

19 Jul 2006 [Yoav Shapira / Justin]

- We have no issues that require attention from the Board at this time

Development:
- Continued work on Tomcat 6.0 development: we expect to have release
6.0.0 ready roughly at the same time that Servlet Specification v2.5
and JSP Specification v2.1 are finalized.
- Continued work on new and improved clustering implementations
(two alternative ones, tentatively referred to as Tribes and GroupCom)
for Tomcat 6.0.  These will possibly be back-ported as optional
modules for Tomcat 5.5 in the future.
- Continued work and testing on an experimental NIO (as in java.nio)
HTTP connector, although benchmarking results are unclear at this time

Releases:
- Continued work on the mod_jk connector, and a release candidate for
1.2.16 was put out: at least one serious bug was found, and mod_jk
1.2.17 is now in testing
- A bug fix and back-porting release on the Tomcat 4.1 branch, release
4.1.32-beta, was made in early July
- No new Tomcat 5.0 or 5.5 releases, 5.5.17 is still stable and latest

People:
- New committer: Rainer Jung <rjung@apache.org>
- New PMC members: none
- New PMC chair: Yoav Shapira (yoavs@apache.org)

Approved by General Consent

27 Jun 2006

Change of Tomcat PMC Chair

 WHEREAS, the Board of Directors heretofore appointed Remy
 Maucherat to the office of Vice President, Apache Tomcat
 Project, and

 WHEREAS, the Board of Directors is in receipt of the
 resignation of Remy Maucherat from the office of Vice
 President, Apache Tomcat Project;

 NOW, THEREFORE, BE IT RESOLVED, that Remy Maucherat is relieved
 and discharged from the duties and responsibilities of the
 office of Vice President, Apache Tomcat Project, and

 BE IT FURTHER RESOLVED, that Yoav Shapira be and hereby is
 appointed to the office of Vice President, Apache Tomcat
 Project, to serve in accordance with and subject to the
 direction of the Board of Directors and the Bylaws of the
 Foundation until death, resignation, retirement, removal or
 disqualification, or until a successor is appointed.

 By Unanimous Vote, Special Order 6B, Change of Tomcat PMC Chair,
 was Approved.

27 Jun 2006 [Remy Maucherat / Justin]

Tabled due to time constraints.

15 Mar 2006 [Remy Maucherat / Sam]

- two new committers: jhook, ralf
- Tomcat 5.5.15 stable was released
- Tomcat 5.5.16 was released
- Tomcat 6 planning and development was started
- JSP 2.1 support is in development
- a new clustering module is in development, based around a new
 component for group communication named Tribes, which will support
 more options, including primary/secondary node session replication
- the new AJP APR connector has been put in production use for the ASF
 JIRA installation, and the two bugs found in the process have been
 corrected

Approved by General Consent.

21 Dec 2005 [Remy Maucherat / Greg]

No report received or submitted. Greg to contact Remy regarding status.

21 Sep 2005 [Remy Maucherat / Ken]

- Tomcat 5.5.12 release soon
- migration to SVN is due to be completed next week
- tomcat.apache.org web opening soon
- mailing list migration planned

It was noted that the report was extremely short and low on information, especially for a new TLP. Ken was to request that the Tomcat PMC submit more detailed reports in the future.

Approved by General Consent.

28 Jul 2005 [Remy Maucherat]

Development activities:
After the release of Tomcat 5.5.9 in March, the focus has been on
feature additions. A new Tomcat 5.5.10 build has just been released
incorporating all these changes. We will also likely bootstrap a new
branch (Tomcat 6.0.x) to implement the new specifications very soon.

Infrastructure:
We plan to migrate to the new infrastructure (mailing lists, website,
and maybe also at the same time repository migration to SVN) in
conjunction with a new stable build, it seems in
September. Discussions are still ongoing, and have been slowed down by
the summer.

There have been no new committers, and no PMC membership changes.

18 May 2005

Establish the Apache Tomcat Project

   WHEREAS, the Board of Directors deems it to be in the best
   interests of the Foundation and consistent with the Foundation's
   purpose to establish a Project Management Committee charged with
   the creation and maintenance of open-source software related to
   the implementation of the Java Servlet and Java Server Pages
   specifications, for distribution at no charge to the public.

   NOW, THEREFORE, BE IT RESOLVED, that a Project Management
   Committee (PMC), to be known as the "Apache Tomcat PMC", be and
   hereby is established pursuant to Bylaws of the Foundation; and
   be it further

   RESOLVED, that the Apache Tomcat PMC be and hereby is
   responsible for the creation and maintenance of software related
   to creation and maintenance of open-source software related to
   the implementation of the Java Servlet and Java Server Pages
   specifications based on software licensed to the Foundation; and
   be it further

   RESOLVED, that the office of "Vice President, Apache Tomcat" be
   and hereby is created, the person holding such office to serve
   at the direction of the Board of Directors as the chair of the
   Apache Tomcat PMC, and to have primary responsibility for
   management of the projects within the scope of responsibility of
   the Apache Tomcat PMC; and be it further

   RESOLVED, that the persons listed immediately below be and
   hereby are appointed to serve as the initial members of the
   Apache Tomcat PMC:

     Jean-Francois Arcand (jfarcand@apache.org)
     Bill Barker (billbarker@apache.org)
     Kin-man Chung (kinman@apache.org)
     Jean-Frederic Clere (jfclere@apache.org)
     Ian Darwin (idarwin@apache.org)
     Tim Funk (funkman@apache.org)
     Henri Gomez (hgomez@apache.org)
     Filip Hanik (fhanik@apache.org)
     Larry Isaacs (larryi@apache.org)
     Jim Jagielski (jim@apache.org)
     Jan Luehe (luehe@apache.org)
     Costin Manolache (costin@apache.org)
     Remy Maucherat (remm@apache.org)
     Kurt Miller (truk@apache.org)
     Glenn Nielsen (glenn@apache.org)
     Amy Roh (amyroh@apache.org)
     Peter Rossbach (pero@apache.org)
     Yoav Shapira (yoavs@apache.org)
     Mark Thomas (markt@apache.org)
     Mladen Turk (mturk@apache.org)
     Keith Wannamaker (keith@apache.org)

   NOW, THEREFORE, BE IT FURTHER RESOLVED, that Remy Maucherat be
   appointed to the office of Vice President, Apache Tomcat, to
   serve in accordance with and subject to the direction of the
   Board of Directors and the Bylaws of the Foundation until death,
   resignation, retirement, removal or disqualification, or until a
   successor is appointed; and be it further

   RESOLVED, that the initial Apache Tomcat PMC be and hereby is
   tasked with the creation of a set of bylaws intended to
   encourage open development and increased participation in the
   Apache Tomcat Project; and be it further

   RESOLVED, that the initial Apache Tomcat PMC be and hereby is
   tasked with the migration and rationalization of the Apache
   Jakarta PMC Tomcat subproject; and be it further

   RESOLVED, that all responsibility pertaining to the Jakarta
   Tomcat sub-project and encumbered upon the Apache Jakarta PMC
   are hereafter discharged.

 There was significant debate over the creation of the
 Tomcat Project, not so much regarding the project itself,
 but in the requested PMC Chair.

 By a vote of 5 YEA and 3 NAY, Special Order A, a Resolution to
 Establish the Apache Tomcat Project, was approved.

 Stefano has the Action Item to create a list of expectations
 for the new Tomcat PMC Chair.

27 Apr 2005

Establish the Apache Tomcat Project

 WHEREAS, the Board of Directors deems it to be in the best
 interests of the Foundation and consistent with the Foundation's
 purpose to establish a Project Management Committee charged with
 the creation and maintenance of open-source software related to
 the implementation of the Java Servlet and Java Server Pages
 specifications, for distribution at no charge to the public.

 NOW, THEREFORE, BE IT RESOLVED, that a Project Management
 Committee (PMC), to be known as the "Apache Tomcat PMC", be and
 hereby is established pursuant to Bylaws of the Foundation; and
 be it further

 RESOLVED, that the Apache Tomcat PMC be and hereby is
 responsible for the creation and maintenance of software related
 to creation and maintenance of open-source software related to
 the implementation of the Java Servlet and Java Server Pages
 specifications based on software licensed to the Foundation; and
 be it further

 RESOLVED, that the office of "Vice President, Apache Tomcat" be
 and hereby is created, the person holding such office to serve
 at the direction of the Board of Directors as the chair of the
 Apache Tomcat PMC, and to have primary responsibility for
 management of the projects within the scope of responsibility of
 the Apache Tomcat PMC; and be it further

 RESOLVED, that the persons listed immediately below be and
 hereby are appointed to serve as the initial members of the
 Apache Tomcat PMC:

   Jean-Francois Arcand (jfarcand@apache.org)
   Bill Barker (billbarker@apache.org)
   Kin-man Chung (kinman@apache.org)
   Jean-Frederic Clere (jfclere@apache.org)
   Ian Darwin (idarwin@apache.org)
   Tim Funk (funkman@apache.org)
   Henri Gomez (hgomez@apache.org)
   Filip Hanik (fhanik@apache.org)
   Larry Isaacs (larryi@apache.org)
   Jim Jagielski (jim@apache.org)
   Jan Luehe (luehe@apache.org)
   Costin Manolache (costin@apache.org)
   Remy Maucherat (remm@apache.org)
   Kurt Miller (truk@apache.org)
   Glenn Nielsen (glenn@apache.org)
   Amy Roh (amyroh@apache.org)
   Peter Rossbach (pero@apache.org)
   Yoav Shapira (yoavs@apache.org)
   Mark Thomas (markt@apache.org)
   Mladen Turk (mturk@apache.org)
   Keith Wannamaker (keith@apache.org)

 NOW, THEREFORE, BE IT FURTHER RESOLVED, that Remy Maucherat be
 appointed to the office of Vice President, Apache Tomcat, to
 serve in accordance with and subject to the direction of the
 Board of Directors and the Bylaws of the Foundation until death,
 resignation, retirement, removal or disqualification, or until a
 successor is appointed; and be it further

 RESOLVED, that the initial Apache Tomcat PMC be and hereby is
 tasked with the creation of a set of bylaws intended to
 encourage open development and increased participation in the
 Apache Tomcat Project; and be it further

 RESOLVED, that the initial Apache Tomcat PMC be and hereby is
 tasked with the migration and rationalization of the Apache
 Jakarta PMC Tomcat subproject; and be it further

 RESOLVED, that all responsibility pertaining to the Jakarta
 Tomcat sub-project and encumbered upon the Apache Jakarta PMC
 are hereafter discharged.

 Special Order B, a Resolution to Establish the Apache Tomcat
 Project, was tabled to allow the board to investigate some
 concerns.