Apache Tomcat 7.0.19 Released

A few days ago, the Apache Tomcat team announced that Tomcat 7 through version 7.0.18, Tomcat 6 through version 6.0.32, and Tomcat 5.5 through version 5.5.33 contained some information disclosure and availability-related vulnerabilities. Today, the Apache Tomcat team released version 7.0.19, which addresses these vulnerabilities within Tomcat 7. Presumably, updates for Tomcat 5.5 and Tomcat 6 will be forthcoming as well.

There are some new features in this release as well:

  1. JSP recompilation now occurs whenever the last-modified date changes, regardless of whether the new date is earlier or later
  2. An alternative connection pooling option, jdbc-pool, is included
  3. The Windows installer can now be used to install multiple instances

The Tomcat 7 changelog lists all the fixes, features, and changes that have been incorporated into this version. Versions 7.0.17 and 7.0.18 were never formally released, so Tomcat 7.0.19 incorporates changes from those versions as well.

Downloads are available at the Tomcat mirror sites.


Apache Tomcat 7.0.14 Released

The Apache Tomcat team released Tomcat 7.0.14.  This release incorporates bug fixes and a few new features:

  1. A new StuckThreadDetectionValve, which is designed to identify long-running requests
  2. JAAS support for the JMXRemoteLifecycleListener
  3. Alignment of MIME mappings to match the Apache Web Server

The release incorporates changes and fixes from the unreleased 7.0.13 version as well. See the Tomcat changelog for full details, and download Tomcat 7.0.14 from a mirror near you.


TomcatExpert: Session Fixation Protection

The TomcatExpert site has a new article by Mark Thomas describing the session fixation protection features built into Tomcat 7 (and more current versions of Tomcat 6). It describes what the protection is, what it is used for, and how to disable it if necessary (although turning it off should not be done unless absolutely necessary). Check it out!