Tomcat 7 was released yesterday and despite what you may have seen posted on DZone, it's a beta, not production code. Tomcat 7 introduces support for the Servlet 3.0, JSP 2.2 and EL 2.2, and some other goodies.
Tomcat 7 offers cross site request forgery protection and added security on the tomcat manager and host manager applications. It offers protection against session fixation attacks as well as memory leak detection and prevention.
Tomcat 7 introduces alias support, which allows the inclusion of external content to be served within web applications. If I'm understanding it correctly, if you have a company-wide set of custom error pages or images, there is now no need for you to import them within your web app archives. Like an alias directive with apache, just set up an /errors alias pointing to that external file location (or /images, /scripts, whatever) and you're good to go. Aliases may make our lives easier as webapp administrators and it helps put tomcat one step further in replacing apache at the web tier, (it just needs a good mod_rewrite and some mechanism to safely run on a port below 1024).
Mark Thomas at SpringSource has a pretty good write-up about tomcat 7 on the tomcatexpert.com site but, to be honest, the tomcat7.com community site operated by MuleSoft has a much better introduction to everything included in tomcat 7.
Downloads are available at the Tomcat 7 download page.