The Apache Tomcat team released version 6.0.37, which primarily contains bug fixes but also includes some security fixes.
One of the neat enhancements in this release is the addition of the SSLHonorCipherOrder directive, which lets the administrator make the server's cipher preference order, rather than the client's, decide which cipher is negotiated with SSL clients. With it, you can now configure Tomcat to prioritize RC4 encryption ciphers if you're looking to do some BEAST remediation.
Another SSL-related change in this release is that you can now disable TLS compression on the APR connector (assuming you're using a version of OpenSSL that allows you to disable TLS compression). This provides additional protection against the CRIME attack.
See the Apache Tomcat 6 Changelog for all the enhancements and fixes in this release; source and binaries can be downloaded from a Tomcat 6 mirror site.
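As an added example (not from this post or the Tomcat project), here is an APR/native HTTPS connector in server.xml before and after the 6.0.37 attributes are applied. Certificate paths are placeholders and the cipher list is a constructed one; SSLDisableCompression is the attribute name the APR connector documentation uses for the TLS-compression switch.

```xml
<!-- Added example, not taken from the post. Paths are placeholders. -->

<!-- Before: the client's cipher preference order wins the negotiation and
     TLS compression stays enabled (the pre-6.0.37 behaviour). -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="/PLACEHOLDER/path/server.crt"
           SSLCertificateKeyFile="/PLACEHOLDER/path/server.key"
           SSLCipherSuite="HIGH:!aNULL:!MD5" />

<!-- After (6.0.37+): SSLHonorCipherOrder makes the server pick the first
     suite in SSLCipherSuite that the client also supports, so the list order
     below is what actually gets negotiated. SSLDisableCompression turns off
     TLS compression, removing the channel CRIME relies on. The 2013 BEAST
     workaround described in the post was to list RC4 suites first; RC4 has
     since been prohibited by RFC 7465, so this constructed list excludes it
     and prefers an AEAD suite instead. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           SSLCertificateFile="/PLACEHOLDER/path/server.crt"
           SSLCertificateKeyFile="/PLACEHOLDER/path/server.key"
           SSLCipherSuite="ECDHE-RSA-AES128-GCM-SHA256:AES128-SHA:!aNULL:!MD5:!RC4"
           SSLHonorCipherOrder="true"
           SSLDisableCompression="true" />
```

To confirm the order is honoured, connect with a client that prefers a suite low in the list (for example `openssl s_client -cipher 'AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256'`) and check that the server still selects its own first choice; the "Compression: NONE" line in the same output confirms compression is off.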
The Apache Tomcat team released version 7.0.39, which is mostly a bug fix release. The release announcement lists the following notable enhancements:
- There have been multiple improvements in the bytes to/from characters conversion process. The core conversion process has been refactored to use the NIO APIs. This has resulted in a number of improvements, including that invalid UTF-8 byte sequences at the end of a series of bytes now trigger a conversion error rather than being silently swallowed. Errors detected in request URIs will be replaced with the replacement character (allowing the application to respond to the invalid URI as it wishes) and errors in request bodies will trigger an IOException. The use of the JVM provided UTF-8 decoder has been replaced by a better UTF-8 decoder derived from Apache Harmony. This improved decoder has earlier detection of error conditions and more closely follows the Unicode specification regarding the use of replacement characters.
- The annotation scanning process now provides more information if the scan fails due to broken class dependencies. There is now enough information to identify the class(es) at fault. The JAR scanning process that supports annotation scanning has also seen multiple improvements and fixes including the exclusion by default of the Bootstrap class path from the scan.
- Upgraded a number of Tomcat's dependencies including Commons Daemon to 1.0.14, Commons IO to 2.4 and Commons FileUpload to r1458500. A new dependency on Commons Codec was added to replace Tomcat's internal Base64 encoder/decoder.