Apache Tomcat 9.0.74

What's new in this version:

Catalina:
- Fix: 65995: Implement RFC 9239 and use text/javascript as the media type for JavaScript rather than application/javascript
- Add: Add an access log valve that uses a json format. Based on pull request #539 provided by Thomas Meyer
- Add: Harden the FORM authentication process against DoS attacks by using a reduced session timeout if the FORM authentication process creates a session. The duration of this timeout is configured by the authenticationSessionTimeout attribute of the FORM authenticator
- Fix: 66527: Correct the Javadoc for the Tomcat.addWebapp() methods that incorrectly stated that the docBase parameter could be a relative path
- Fix: 66524 Correct eviction ordering in WebResource cache to by LRU as intended
- Update: Use server.xml to reduce the default value of maxParameterCount from 10,000 to 1,000. If not configured in server.xml, the default remains 10,000
- Add: Update Digest authentication support to align with RFC 7616. This adds a new configuration attribute, algorithms, to the DigestAuthenticator with a default of SHA-256,MD5
- Update: Add support code for custom user attributes in RealmBase. Based on code from #473 by Carsten Klein
- Fix: Expand the set of HTTP request headers considered sensitive that should be skipped when generating a response to a TRACE request. This aligns with 11.0.x
- Fix: 66541: Improve handling for cached resources for resources that use custom URL schemes. The scheme specific equals() and hashcode() algorithms, if present, will now be used for URLs for these resources. This addresses a potential performance issue with some OSGi custom URL schemes that can trigger potentially slow DNS lookups in some configurations. Based on a patch provided by Tom Whitmore
- Fix: When using a custom session manager deployed as part of the web application, avoid ClassNotFoundExceptions when validating session IDs extracted from requests
- Fix: 66543: Give StandardContext#fireRequestDestroyEvent its own log message
- Fix: 66554: Initialize Random during server initialization to avoid possible JVM thread creation in the webapp context on some platforms
- Update: Make the server utility executor available to webapps using a Servlet context attribute named org.apache.tomcat.util.threads.ScheduledThreadPoolExecutor

Coyote:
- Fix: JSON filter should support specific escaping for common special characters as defined in RFC 8259. Based on code submitted by Thomas Meyer
- Fix: 66511: Fix GzipOutputFilter (used for compressed HTTP responses) when used with direct buffers. Patch suggested by Arjen Poutsma
- Fix: 66512: Align AJP handling of invalid HTTP response headers (they are now removed from the response) with HTTP
- Fix: 66530: Correct a regression in the fix for bug 66442 that meant that streams without a response body did not decrement the active stream count when completing leading to ERR_HTTP2_SERVER_REFUSED_STREAM for some connections
- Code: Refactor synchronization blocks locking on SocketWrapper to use ReentrantLock to support users wishing to experiment with project Loom

Jasper:
- Fix: 66536: Fix parsing of tag files that meant that tag directives could be ignored for some tag files

Cluster:
- Fix: 66535: Redefine the maxValidTime attribute of FarmWarDeployer to be the maximum time allowed between receiving parts of a transferred file before the transfer is cancelled and the associated resources cleaned-up. A new warning message will be logged if the file transfer is cancelled

WebSocket:
- Fix: 66508: When using WebSocket with NIO2, avoid waiting for a timeout before sending the close frame if an I/O error occurs during a write

Other:
- Add: Improvements to French translations
- Add: Improvements to Japanese translations. Contributed by Shirayuking and tak7iji
- Add: Improvements to Chinese translations. Contributed by totoo
- Code: Refactor code using MD5Encoder to use HexUtils.toHexString()
- Fix: 66507: Fix a bug that $JAVA_OPTS is not passed to the jvm in catalina.sh when calling version. Patch suggested by Eric Hamilton
- Update: Update the internal fork of Commons DBCP to f131286 (2023-03-08, 2.10.0-SNAPSHOT). This corrects a regression introduced in 9.0.71
- Fix: Improve the error messages if JRE_HOME or JAVA_HOME are not set correctly. On windows, align the handling of JRE_HOME and JAVA_HOME for the start-up scripts and the service install script
- Update: Update UnboundID to 6.0.8
- Update: Update Checkstyle to 10.9.3
- Update: Update Jacoco to 0.8.9