- 49728, 50084: Improve PID file handling when another process is managing the PID file and Tomcat does not have write access. (markt)
- 49909, 50201: Provide a mechanism to log requests rejected before they reach the AccessLogValve to appear in the access log. (markt/kkolinko)
- Return a copy of the current URLs for the WebappClassLoader to prevent modification. This facilitated, although it wasn't the root cause, CVE-2010-1622. (markt)
- Provide better web application state information via JMX. (markt)
- Add a new filter, org.apache.catalina.filters.CsrfPreventionFilter, to provide generic cross-site request forgery (CSRF) protection for web applications. (markt)
- 50222: Modify memory leak prevention code so it pins the system class loader in memory rather than the common class loader, which is better for embedded systems. (schultz)
- 50413: Ensure 304s are not returned when using static files as error pages. (markt)
- 50459: Fix thread/classloader binding issues in StandardContext. (slaurent)
- 50642: Move the sun.net.www.http.HttpClient keep-alive thread memory leak protection from the JreMemoryLeakPreventionListener to the WebappClassLoader since the thread that triggers the memory leak is created on demand. (markt)
- Avoid a NPE for APR connector unlockAccept with default soTimeout. (mturk)
- 47913: Return the IP address rather than null for getRemoteHost() with the APR connector if the IP address does not resolve. (markt)
- 48925: request.getLocalAddr() returns null when using the default Jk AJP/1.3 connector. (rjung)
- 49497: Stop accepting new requests (inc keep-alive) once the BIO connector is paused and the current request has finished processing. (markt)
- 49521: Disable scanning for a free port in Jk AJP/1.3 connector by default. Do not change maxPort field value of ChannelSocket in its setPort() and init() methods. Add support for maxPort attribute on a Connector element as a synonym for channelSocket.maxPort. (kkolinko)
- Improve recycling of processors in Http11NioProtocol. (kkolinko)
- 50072: NIO connector can mis-read request line if not sent in a single packet. (markt/kkolinko)
- 49972: Fix potential thread safe issue when formatting dates for use in HTTP headers. (markt)
- 49986: Fix thread safety issue in JSP reloading. (timw)
- 49985: Fix thread safety issue in EL parser. (markt)
- Configure the Manager web application to use the new CSRF protection. To take advantage of this protection, the manager role must be removed from all users and the new manager-gui and manager-script roles used instead. (markt)
- CVE-2010-4172: Multiple XSS in Manager application. (markt/kkolinko)
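The two CSRF-related entries above (the new CsrfPreventionFilter and the split Manager roles) in practice, as an added example that is not part of the changelog or the Tomcat project's own files: a web.xml registration of the filter and a tomcat-users.xml without the old manager role. The entryPoints init-param is the filter's own; the filter name, paths, user names and passwords are constructed placeholders.

```xml
<!-- Added example (not from the changelog or the Tomcat project). -->

<!-- WEB-INF/web.xml of the protected application -->
<filter>
  <filter-name>CsrfPreventionFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CsrfPreventionFilter</filter-class>
  <!-- Pages that may be requested without a nonce, e.g. the landing page a
       user types into the address bar. Every other request under the mapping
       must carry the nonce the filter appends through response.encodeURL(). -->
  <init-param>
    <param-name>entryPoints</param-name>
    <param-value>/index.jsp,/list</param-value>   <!-- constructed paths -->
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CsrfPreventionFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- conf/tomcat-users.xml: one account for the HTML interface and one for the
     text/script interface. Neither account keeps the old "manager" role, which
     the changelog says must be removed for the Manager CSRF protection to apply.
     User names and passwords are constructed placeholders. -->
<tomcat-users>
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="gui-admin"  password="CHANGE_ME" roles="manager-gui"/>
  <user username="ci-deployer" password="CHANGE_ME" roles="manager-script"/>
</tomcat-users>
```

Links and form actions inside the protected application must be passed through HttpServletResponse.encodeURL() (or encodeRedirectURL()) so the filter can attach the nonce; a hard-coded URL that bypasses encoding is rejected on the next request.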