Content

Older news

2023-12-12 Tomcat 9.0.84 Released

The Apache Tomcat Project is proud to announce the release of version 9.0.84 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.83 include:

  • Background processes for a Container no longer execute while lifecycle operations are in progress for that Container.
  • Correct unintended escaping of XML in some WebDAV responses.
  • Use a 408 status code if a read timeout occurs during HTTP request processing instead of an HTTP 400 status.

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

2023-12-12 Tomcat 11.0.0-M15 Released

The Apache Tomcat Project is proud to announce the release of version 11.0.0-M15 (alpha) of Apache Tomcat. This release is a milestone release and is targeted at Jakarta EE 11.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

The notable changes in this release are:

  • Background processes for a Container no longer execute while lifecycle operations are in progress for that Container.
  • Align with the latest additions and changes from the Servlet 6.1 specification.
  • Update the sample.war included in the documentation to use the Jakarta EE APIs.

Full details of these changes, and all the other changes, are available in the Tomcat 11 (alpha) changelog.

Download

2023-12-12 Tomcat 8.5.97 Released

The Apache Tomcat Project is proud to announce the release of version 8.5.97 of Apache Tomcat. This release implements specifications that are part of the Java EE 7 platform. The notable changes compared to 8.5.96 include:

  • Background processes for a Container no longer execute while lifecycle operations are in progress for that Container.
  • Correct unintended escaping of XML in some WebDAV responses.
  • Use a 408 status code if a read timeout occurs during HTTP request processing instead of an HTTP 400 status.

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Please note that Apache Tomcat 8.5.x will reach End-of-life (EOL) on 31 March 2024.

Download

2023-12-12 Tomcat 10.1.17 Released

The Apache Tomcat Project is proud to announce the release of version 10.1.17 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 10 platform.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE based applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE tool which is also available as a separate download for off-line use.

The notable changes in this release are:

  • Background processes for a Container no longer execute while lifecycle operations are in progress for that Container.
  • Correct unintended escaping of XML in some WebDAV responses.
  • Use a 408 status code if a read timeout occurs during HTTP request processing instead of an HTTP 400 status.

Full details of these changes, and all the other changes, are available in the Tomcat 10.1 changelog.

Download

2023-11-15 Tomcat 9.0.83 Released

The Apache Tomcat Project is proud to announce the release of version 9.0.83 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.82 include:

  • Fix reloading TLS configuration could cause the Connector to refuse new connections or the JVM to crash.
  • Ensure that an IOException during the reading of the request triggers always error handling, regardless of whether the application swallows the exception.

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

2023-11-14 Tomcat 10.1.16 Released

The Apache Tomcat Project is proud to announce the release of version 10.1.16 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 10 platform.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE based applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE tool which is also available as a separate download for off-line use.

The notable changes in this release are:

  • Fix reloading TLS configuration could cause the Connector to refuse new connections or the JVM to crash.
  • Ensure that an IOException during the reading of the request triggers always error handling, regardless of whether the application swallows the exception.

Full details of these changes, and all the other changes, are available in the Tomcat 10.1 changelog.

Download

2023-11-13 Tomcat 8.5.96 Released

The Apache Tomcat Project is proud to announce the release of version 8.5.96 of Apache Tomcat. This release implements specifications that are part of the Java EE 7 platform. The notable changes compared to 8.5.95 include:

  • Fix reloading TLS configuration could cause the Connector to refuse new connections or the JVM to crash.
  • Ensure that an IOException during the reading of the request always triggers error handling, regardless of whether the application swallows the exception.
  • The status manager servlet can now output statistics as json.

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Please note that Apache Tomcat 8.5.x will reach End-of-life (EOL) on 31 March 2024.

Download

2023-11-15 Tomcat 11.0.0-M14 Released

The Apache Tomcat Project is proud to announce the release of version 11.0.0-M14 (alpha) of Apache Tomcat. This release is a milestone release and is targeted at Jakarta EE 11.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

The notable changes in this release are:

  • Add OpenSSL integration using the FFM API rather than Tomcat Native. OpenSSL support may be enabled by adding the org.apache.catalina.core.OpenSSLLifecycleListener listener on the Server element when using Java 22 or later.
  • Fix reloading TLS configuration could cause the Connector to refuse new connections or the JVM to crash.
  • Ensure that an IOException during the reading of the request triggers always error handling, regardless of whether the application swallows the exception.

Full details of these changes, and all the other changes, are available in the Tomcat 11 (alpha) changelog.

Note: There are known regressions: with jdbc-pool (see bug 67664) and with Connector configurations when compression is enabled (see bug 67670). They will be fixed in the next release.

Download

2023-10-13 Tomcat 9.0.82 Released

The Apache Tomcat Project is proud to announce the release of version 9.0.82 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.81 include:

  • Correct a regression in 9.0.81 that broke the Tomcat JBDC connection pool.
  • Correct a regression in 9.0.81 that broke HTTP compression.

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

2023-10-10 Tomcat 9.0.81 Released

The Apache Tomcat Project is proud to announce the release of version 9.0.81 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.81 include:

  • Update Tomcat Native to 1.2.39 to pick up Windows binaries built with OpenSSL 3.0.11.
  • Provide a lifecycle listener that will automatically reload TLS configurations a set time before the certificate is due to expire. This is intended to be used with third-party tools that regularly renew TLS certificates.
  • Improve performance of EL expressions in JSPs that use implicit objects.
  • Several improvements to thread safety and recycling cleanup.

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Note: There are known regressions: with jdbc-pool (see bug 67664) and with Connector configurations when compression is enabled (see bug 67670). They will be fixed in the next release.

Download

2023-10-16 Tomcat 10.1.15 Released

The Apache Tomcat Project is proud to announce the release of version 10.1.15 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 10 platform.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE based applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE tool which is also available as a separate download for off-line use.

The notable changes in this release are:

  • Correct a regression in 10.1.14 that broke the Tomcat JBDC connection pool
  • Correct a regression in 10.1.14 that broke HTTP compression

Full details of these changes, and all the other changes, are available in the Tomcat 10.1 changelog.

Download

2023-10-16 Tomcat 8.5.95 Released

The Apache Tomcat Project is proud to announce the release of version 8.5.95 of Apache Tomcat. This release implements specifications that are part of the Java EE 7 platform. The notable changes compared to 8.5.94 include:

  • Correct a regression in 8.5.94 that broke the Tomcat JBDC connection pool
  • Correct a regression in 8.5.94 that broke HTTP compression

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Please note that Apache Tomcat 8.5.x will reach End-of-life (EOL) on 31 March 2024.

Download

2023-10-14 Tomcat 11.0.0-M13 Released

The Apache Tomcat Project is proud to announce the release of version 11.0.0-M13 (alpha) of Apache Tomcat. This release is a milestone release and is targeted at Jakarta EE 11.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

The notable changes in this release are:

  • Correct a regression in 11.0.0-M12 that broke the Tomcat JBDC connection pool.
  • Correct a regression in 11.0.0-M12 that broke HTTP compression.

Full details of these changes, and all the other changes, are available in the Tomcat 11 (alpha) changelog.

Note: There are known regressions: with jdbc-pool (see bug 67664) and with Connector configurations when compression is enabled (see bug 67670). They will be fixed in the next release.

Download

2023-10-10 Tomcat 10.1.14 Released

The Apache Tomcat Project is proud to announce the release of version 10.1.14 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 10 platform.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE based applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE tool which is also available as a separate download for off-line use.

The notable changes in this release are:

  • Update Tomcat Native to 1.2.39 to pick up Windows binaries built with OpenSSL 3.0.11.
  • Provide a lifecycle listener that will automatically reload TLS configurations a set time before the certificate is due to expire. This is intended to be used with third-party tools that regularly renew TLS certificates.
  • Improve performance of EL expressions in JSPs that use implicit objects.
  • Several improvements to thread safety and recycling cleanup.

Full details of these changes, and all the other changes, are available in the Tomcat 10.1 changelog.

Note: There are known regressions: with jdbc-pool (see bug 67664) and with Connector configurations when compression is enabled (see bug 67670). They will be fixed in the next release.

Download

2023-10-10 Tomcat 8.5.94 Released

The Apache Tomcat Project is proud to announce the release of version 8.5.94 of Apache Tomcat. This release implements specifications that are part of the Java EE 7 platform. The notable changes compared to 8.5.93 include:

  • Update Tomcat Native to 1.2.39 to pick up Windows binaries built with OpenSSL 3.0.11.
  • Provide a lifecycle listener that will automatically reload TLS configurations a set time before the certificate is due to expire. This is intended to be used with third-party tools that regularly renew TLS certificates.
  • Improve performance of EL expressions in JSPs that use implicit objects.
  • Several improvements to thread safety and recycling cleanup.

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Note: There are known regressions: with jdbc-pool (see bug 67664) and with Connector configurations when compression is enabled (see bug 67670). They will be fixed in the next release.

Please note that Apache Tomcat 8.5.x will reach End-of-life (EOL) on 31 March 2024.

Download

2023-10-10 Tomcat 9.0.81 Released

The Apache Tomcat Project is proud to announce the release of version 9.0.81 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.81 include:

  • Update Tomcat Native to 1.2.39 to pick up Windows binaries built with OpenSSL 3.0.11.
  • Provide a lifecycle listener that will automatically reload TLS configurations a set time before the certificate is due to expire. This is intended to be used with third-party tools that regularly renew TLS certificates.
  • Improve performance of EL expressions in JSPs that use implicit objects.
  • Several improvements to thread safety and recycling cleanup.

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Note: There are known regressions: with jdbc-pool (see bug 67664) and with Connector configurations when compression is enabled (see bug 67670). They will be fixed in the next release.

Download

2023-10-10 Tomcat 11.0.0-M12 Released

The Apache Tomcat Project is proud to announce the release of version 11.0.0-M12 (alpha) of Apache Tomcat. This release is a milestone release and is targeted at Jakarta EE 11.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

The notable changes in this release are:

  • Provide a lifecycle listener that will automatically reload TLS configurations a set time before the certificate is due to expire. This is intended to be used with third-party tools that regularly renew TLS certificates.
  • Remove support for HTTP/2 server push.
  • Update Tomcat Native to 2.0.6 to pick up Windows binaries built with OpenSSL 3.0.11.

Full details of these changes, and all the other changes, are available in the Tomcat 11 (alpha) changelog.

Note: There are known regressions: with jdbc-pool (see bug 67664) and with Connector configurations when compression is enabled (see bug 67670). They will be fixed in the next release.

Download

2023-10-02 Tomcat Native 2.0.6 Released

The Apache Tomcat Project is proud to announce the release of version 2.0.6 of Tomcat Native. The notable changes compared to 2.0.5 include:

  • Disable OCSP if the insecure optionalNoCA certificate verification option is used
  • The windows binaries in this release have been built with OpenSSL 3.0.11

Download | Change log for 2.0.6

2023-09-12 Tomcat Connectors 1.2.49 Released

The Apache Tomcat Project is proud to announce the release of version 1.2.49 of Apache Tomcat Connectors. This version fixes a number of bugs found in previous releases.

Download | ChangeLog for 1.2.49

2023-08-25 Tomcat 10.1.13 Released

The Apache Tomcat Project is proud to announce the release of version 10.1.13 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 10 platform.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE based applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE tool which is also available as a separate download for off-line use.

The notable changes in this release are:

  • If an application or library sets both a non-500 error code and the jakarta.servlet.error.exception request attribute, use the provided error code during error page processing rather than assuming an error code of 500.
  • Fix for FORM authentication open redirect - CVE-2023-41080

Full details of these changes, and all the other changes, are available in the Tomcat 10.1 changelog.

Download

2023-08-25 Tomcat 9.0.80 Released

The Apache Tomcat Project is proud to announce the release of version 9.0.80 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.79 include:

  • If an application or library sets both a non-500 error code and the jakarta.servlet.error.exception request attribute, use the provided error code during error page processing rather than assuming an error code of 500.
  • Fix for FORM authentication open redirect - CVE-2023-41080

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

2023-08-25 Tomcat 11.0.0-M11 Released

The Apache Tomcat Project is proud to announce the release of version 11.0.0-M11 (alpha) of Apache Tomcat. This release is a milestone release and is targeted at Jakarta EE 11.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

The notable changes in this release are:

  • Update the HTTP parameter handling to align with the changes in the Jakarta Servlet 6.1 API Javadoc for the ServletRequest methods used to obtain request parameters. Invalid parameters and/or exceeding parameter size and/or quantity limits now trigger exceptions. As a consequence, the FailedRequestFilter has been removed.
  • If an application or library sets both a non-500 error code and the jakarta.servlet.error.exception request attribute, use the provided error code during error page processing rather than assuming an error code of 500.
  • Fix for FORM authentication open redirect - CVE-2023-41080

Full details of these changes, and all the other changes, are available in the Tomcat 11 (alpha) changelog.

Download

2023-08-25 Tomcat 8.5.93 Released

The Apache Tomcat Project is proud to announce the release of version 8.5.93 of Apache Tomcat. This release implements specifications that are part of the Java EE 7 platform. The notable changes compared to 8.5.92 include:

  • If an application or library sets both a non-500 error code and the jakarta.servlet.error.exception request attribute, use the provided error code during error page processing rather than assuming an error code of 500.
  • Fix for FORM authentication open redirect - CVE-2023-41080

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Please note that Apache Tomcat 8.5.x will reach End-of-life (EOL) on 31 March 2024.

Download

2023-08-15 Tomcat 9.0.79 Released

The Apache Tomcat Project is proud to announce the release of version 9.0.79 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.78 include:

  • Refactor HTTP/2 implementation to reduce pinning when using virtual threads.
  • Pass through ciphers referring to an OpenSSL profile, such as PROFILE=SYSTEM instead of producing an error trying to parse it.
  • Update Tomcat Native to 2.0.5.

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

2023-08-14 Tomcat 10.1.12 Released

The Apache Tomcat Project is proud to announce the release of version 10.1.12 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 10 platform.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE based applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE tool which is also available as a separate download for off-line use.

The notable changes in this release are:

  • Refactor HTTP/2 implementation to reduce pinning when using virtual threads.
  • Pass through ciphers referring to an OpenSSL profile, such as PROFILE=SYSTEM instead of producing an error trying to parse it.
  • Update Tomcat Native to 2.0.5.

Full details of these changes, and all the other changes, are available in the Tomcat 10.1 changelog.

Download

2023-08-14 Tomcat 8.5.92 Released

The Apache Tomcat Project is proud to announce the release of version 8.5.92 of Apache Tomcat. This release implements specifications that are part of the Java EE 7 platform. The notable changes compared to 8.5.91 include:

  • Refactor HTTP/2 implementation to reduce pinning when using virtual threads.
  • Fix a NullPointerException when flushing batched WebSocket messages with compression enabled using permessage-deflate.
  • Update Tomcat Native to 1.2.38 to pick up Windows binaries built with OpenSSL 1.1.1v

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Please note that Apache Tomcat 8.5.x will reach End-of-life (EOL) on 31 March 2024.

Download

2023-08-14 Tomcat 11.0.0-M10 Released

The Apache Tomcat Project is proud to announce the release of version 11.0.0-M10 (alpha) of Apache Tomcat. This release is a milestone release and is targeted at Jakarta EE 11.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

The notable changes in this release are:

  • Refactor HTTP/2 implementation to reduce pinning when using virtual threads.
  • Pass through ciphers referring to an OpenSSL profile, such as PROFILE=SYSTEM instead of producing an error trying to parse it.
  • Update Tomcat Native to 2.0.5.

Full details of these changes, and all the other changes, are available in the Tomcat 11 (alpha) changelog.

Download

2023-08-07 Tomcat Native 2.0.5 Released

The Apache Tomcat Project is proud to announce the release of version 2.0.5 of Tomcat Native. The notable changes compared to 2.0.4 include:

  • Align default pass phrase prompt with HTTPd
  • Update autotools and associated fixes
  • Fix memory leak in SNI processing
  • The windows binaries in this release have been built with OpenSSL 3.0.10

Download | Change log for 2.0.5

2023-08-07 Tomcat Native 1.2.38 Released

The Apache Tomcat Project is proud to announce the release of version 1.2.38 of Tomcat Native. The notable changes since 1.2.37 include:

  • Align default pass phrase prompt with HTTPd
  • Fix memory leak in SNI processing
  • Windows binaries built with OpenSSL 1.1.1v.

Download | Change log for 1.2.38

2023-07-10 Tomcat 9.0.78 Released

The Apache Tomcat Project is proud to announce the release of version 9.0.78 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.76 include:

  • Add ContextNamingInfoListener, a listener which creates context naming information environment entries.
  • Add PropertiesRoleMappingListener, a listener which populates the context's role mapping from a properties file.

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

2023-07-10 Tomcat 10.1.11 Released

The Apache Tomcat Project is proud to announce the release of version 10.1.11 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 10 platform.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE based applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE tool which is also available as a separate download for off-line use.

The notable changes in this release are:

  • Add ContextNamingInfoListener, a listener which creates context naming information environment entries.
  • Add PropertiesRoleMappingListener, a listener which populates the context's role mapping from a properties file.

Full details of these changes, and all the other changes, are available in the Tomcat 10.1 changelog.

Download

2023-07-10 Tomcat 8.5.91 Released

The Apache Tomcat Project is proud to announce the release of version 8.5.91 of Apache Tomcat. This release implements specifications that are part of the Java EE 7 platform. The notable changes compared to 8.5.90 include:

  • Add ContextNamingInfoListener, a listener which creates context naming information environment entries.
  • Add PropertiesRoleMappingListener, a listener which populates the context's role mapping from a properties file.

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Please note that Apache Tomcat 8.5.x will reach End-of-life (EOL) on 31 March 2024.

Download

2023-07-10 Tomcat 11.0.0-M9 Released

The Apache Tomcat Project is proud to announce the release of version 11.0.0-M9 (alpha) of Apache Tomcat. This release is a milestone release and is targeted at Jakarta EE 11.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

The notable changes in this release are:

  • Add ContextNamingInfoListener, a listener which creates context naming information environment entries.
  • Add PropertiesRoleMappingListener, a listener which populates the context's role mapping from a properties file.
  • Update the Jakarta EL and Jakarta WebSocket implementations to align with the latest changes planned for Jakarta EE 11.

Full details of these changes, and all the other changes, are available in the Tomcat 11 (alpha) changelog.

Download

2023-06-12 Tomcat 10.1.10 Released

The Apache Tomcat Project is proud to announce the release of version 10.1.10 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 10 platform.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE based applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE tool which is also available as a separate download for off-line use.

The notable changes in this release are:

  • Add support for virtual threads. (Java 21+ only)
  • Update HTTP/2 to use the RFC-9218 prioritization scheme.
  • Deprecate the xssProtectionEnabled from HttpHeaderSecurityFilter and set the default value to false.
  • Update Tomcat Native to 2.0.4 which includes binaries for Windows built with OpenSSL 3.0.9.

Full details of these changes, and all the other changes, are available in the Tomcat 10.1 changelog.

Download

2023-06-12 Tomcat 8.5.90 Released

The Apache Tomcat Project is proud to announce the release of version 8.5.90 of Apache Tomcat. This release implements specifications that are part of the Java EE 7 platform. The notable changes compared to 8.5.89 include:

  • Add support for virtual threads. (Java 21+ only)
  • Update HTTP/2 to use the RFC-9218 prioritization scheme.
  • Deprecate the xssProtectionEnabled from HttpHeaderSecurityFilter and set the default value to false.
  • Update Tomcat Native to 1.2.37 which includes binaries for Windows built with OpenSSL 1.1.1u.

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Please note that Apache Tomcat 8.5.x will reach End-of-life (EOL) on 31 March 2024.

Download

2023-06-09 Tomcat 9.0.76 Released

The Apache Tomcat Project is proud to announce the release of version 9.0.76 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.75 include:

  • Add support for virtual threads. (Java 21+ only)
  • Update HTTP/2 to use the RFC-9218 prioritization scheme.
  • Deprecate the xssProtectionEnabled from HttpHeaderSecurityFilter and set the default value to false.
  • Update Tomcat Native to 2.0.4 which includes binaries for Windows built with OpenSSL 3.0.9.

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

2023-06-08 Tomcat 11.0.0-M7 Released

The Apache Tomcat Project is proud to announce the release of version 11.0.0-M7 (alpha) of Apache Tomcat. This release is a milestone release and is targeted at Jakarta EE 11.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

The notable changes in this release are:

  • The minimum Java version has been increased to Java 21.
  • Add support for virtual threads.
  • Add RateLimitFilter which can be used to mitigate DoS and brute force attacks.
  • Update Tomcat Native to 2.0.4 which includes binaries for Windows built with OpenSSL 3.0.9.

Full details of these changes, and all the other changes, are available in the Tomcat 11 (alpha) changelog.

Download

2023-06-02 Tomcat Native 2.0.4 Released

The Apache Tomcat Project is proud to announce the release of version 2.0.4 of Tomcat Native. The notable changes compared to 2.0.3 include:

  • The windows binaries in this release have been built with OpenSSL 3.0.9

Download | ChangeLog for 2.0.4

2023-06-02 Tomcat Native 1.2.37 Released

The Apache Tomcat Project is proud to announce the release of version 1.2.37 of Tomcat Native. The notable changes since 1.2.36 include:

  • Windows binaries built with OpenSSL 1.1.1u.

Download | ChangeLog for 1.2.37

2023-05-19 Tomcat 10.1.9 Released

The Apache Tomcat Project is proud to announce the release of version 10.1.9 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 10 platform.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE based applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE tool which is also available as a separate download for off-line use.

The notable changes in this release are:

  • Many improvements to the JSON access log valve.
  • Deprecate support for the HTTP Connector settings rejectIllegalHeader and allowHostHeaderMismatch and reject HTTP headers without names.
  • Add a RateLimitFilter which can be used to mitigate DoS and Brute Force attacks.

Full details of these changes, and all the other changes, are available in the Tomcat 10.1 changelog.

Download

2023-05-19 Tomcat 8.5.89 Released

The Apache Tomcat Project is proud to announce the release of version 8.5.89 of Apache Tomcat. This release implements specifications that are part of the Java EE 7 platform. The notable changes compared to 8.5.88 include:

  • Reduce the default value of maxParameterCount from 10,000 to 1,000.
  • Correct a regression in the fix for bug 66442 that meant that streams without a response body did not decrement the active stream count when completing, leading to ERR_HTTP2_SERVER_REFUSED_STREAM for some connections.
  • Refactor synchronization blocks locking on SocketWrapper to use ReentrantLock to support users wishing to experiment with project Loom.
  • Implement RFC 9239; note the MIME types for Javascript has changed to text/javascript.

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Please note that Apache Tomcat 8.5.x will reach End-of-life (EOL) on 31 March 2024.

Download

2023-05-10 Tomcat 9.0.75 Released

The Apache Tomcat Project is proud to announce the release of version 9.0.75 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.74 include:

  • Many improvements to the json access log valve.
  • Deprecate support for the HTTP Connector settings rejectIllegalHeader and allowHostHeaderMismatch.

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

2023-05-09 Tomcat 11.0.0-M6 Released

The Apache Tomcat Project is proud to announce the release of version 11.0.0-M6 (alpha) of Apache Tomcat. This release is a milestone release and is targeted at Jakarta EE 11.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

The notable changes in this release are:

  • Various improvements to access logging.
  • Remove support for the HTTP Connector settings rejectIllegalHeader and allowHostHeaderMismatch. These are now hard-coded to the previous defaults.
  • Update the packaged version of the Tomcat Migration Tool for Jakarta EE to 1.0.7.

Full details of these changes, and all the other changes, are available in the Tomcat 11 (alpha) changelog.

Download

2023-05-02 Tomcat Migration Tool for Jakarta EE 1.0.7 Released

The Apache Tomcat Project is proud to announce the release of 1.0.7 of the Apache Tomcat Migration Tool for Jakarta EE. This release contains a number of bug fixes and improvements compared to version 1.0.6.

The notable changes in this release are:

  • Update OSGI servlet specification versions if present in manifest file. PR #42 provided by Ivan Furnadjiev.
  • Add configuration option, matchExcludesAgainstPathName that can be used to configure exclusions based on path name rather than just file name. PR 38 provided by Réda Housni Alaoui.
  • When converting directories, rename files according to the chosen profile.
  • Work-around a known JDK bug when converting using the streaming approach.

Full details of these changes, and all the other changes, are available in the changelog.

Download

2023-04-19 Tomcat 10.1.8 Released

The Apache Tomcat Project is proud to announce the release of version 10.1.8 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 10 platform.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE based applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE tool which is also available as a separate download for off-line use.

The notable changes in this release are:

  • Reduce the default value of maxParameterCount from 10,000 to 1,000.
  • Correct a regression in the fix for bug 66442 that meant that streams without a response body did not decrement the active stream count when completing leading to ERR_HTTP2_SERVER_REFUSED_STREAM for some connections.
  • Expand the validation of the value of the Sec-Websocket-Key header in the HTTP upgrade request that initiates a WebSocket connection. The value is not decoded but it is checked for the correct length and that only valid characters from the base64 alphabet are used.
  • Implement RFC 9239; note the MIME types for Javascript has changed to text/javascript.

Full details of these changes, and all the other changes, are available in the Tomcat 10.1 changelog.

Download

2023-04-19 Tomcat 8.5.88 Released

The Apache Tomcat Project is proud to announce the release of version 8.5.88 of Apache Tomcat. This release implements specifications that are part of the Java EE 7 platform. The notable changes compared to 8.5.87 include:

  • Reduce the default value of maxParameterCount from 10,000 to 1,000.
  • Correct a regression in the fix for bug 66442 that meant that streams without a response body did not decrement the active stream count when completing, leading to ERR_HTTP2_SERVER_REFUSED_STREAM for some connections.
  • Refactor synchronization blocks locking on SocketWrapper to use ReentrantLock to support users wishing to experiment with project Loom.
  • Implement RFC 9239; note the MIME types for Javascript has changed to text/javascript.

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Please note that Apache Tomcat 8.5.x will reach End-of-life (EOL) on 31 March 2024.

Download

2023-04-18 Tomcat 9.0.74 Released

The Apache Tomcat Project is proud to announce the release of version 9.0.74 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.73 include:

  • Correct a regression in the fix for bug 66442 that meant that streams without a response body did not decrement the active stream count when completing, leading to ERR_HTTP2_SERVER_REFUSED_STREAM for some connections.
  • Add an access log valve that uses a json format. Based on a pull request provided by Thomas Meyer.
  • Refactor synchronization blocks locking on SocketWrapper to use ReentrantLock to support users wishing to experiment with project Loom.

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

2023-04-19 Tomcat 11.0.0-M5 Released

The Apache Tomcat Project is proud to announce the release of version 11.0.0-M5 (alpha) of Apache Tomcat. This release is a milestone release and is targeted at Jakarta EE 11.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is available to aid this process.

The notable changes in this release are:

  • Reduce the default value of maxParameterCount from 10,000 to 1,000.
  • Correct a regression in the fix for bug 66442 that meant that streams without a response body did not decrement the active stream count when completing leading to ERR_HTTP2_SERVER_REFUSED_STREAM for some connections.
  • Expand the validation of the value of the Sec-Websocket-Key header in the HTTP upgrade request that initiates a WebSocket connection. The value is not decoded but it is checked for the correct length and that only valid characters from the base64 alphabet are used.

Full details of these changes, and all the other changes, are available in the Tomcat 11 (alpha) changelog.

Download

2023-03-03 Tomcat 10.1.7 Released

The Apache Tomcat Project is proud to announce the release of version 10.1.7 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 10 platform.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE based applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE tool which is also available as a separate download for off-line use.

The notable changes in this release are:

  • Correct a regression introduced in the fix for bug 66196 that meant that the HTTP headers and/or request line could get corrupted (one part overwriting another part) within a single request.
  • Revert the switch to using the ServiceLoader mechanism to load the custom URL protocol handlers that Tomcat uses. The original system property based approach has been restored.
  • Restore inline state after async operation in NIO2, to account the fact that unexpected exceptions are sometimes thrown by the implementation. Patch submitted by zhougang.
  • Provide a more appropriate response (501 rather than 400) when rejecting an HTTP request using the CONNECT method.
  • Add support for txt: and rnd: rewrite map types from mod_rewrite. Based on a pull request provided by Dimitrios Soumis.

Full details of these changes, and all the other changes, are available in the Tomcat 10.1 changelog.

Download

2023-03-03 Tomcat 8.5.87 Released

The Apache Tomcat Project is proud to announce the release of version 8.5.87 of Apache Tomcat. This release implements specifications that are part of the Java EE 7 platform. The notable changes compared to 8.5.86 include:

  • Correct a regression introduced in the fix for bug 66196 that meant that the HTTP headers and/or request line could get corrupted (one part overwriting another part) within a single request.
  • Provide a more appropriate response (501 rather than 400) when rejecting an HTTP request using the CONNECT method.
  • Add support for txt: and rnd: rewrite map types from mod_rewrite. Based on a pull request provided by Dimitrios Soumis.

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Please note that Apache Tomcat 8.5.x will reach End-of-life (EOL) on 31 March 2024.

Download

2023-03-06 Tomcat 11.0.0-M4 Released

The Apache Tomcat Project is proud to announce the release of version 11.0.0-M4 (alpha) of Apache Tomcat. This release is a milestone release and is targeted at Jakarta EE 11.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is under development to aid this process.

The notable changes in this release are:

  • Revert the switch to using the ServiceLoader mechanism to load the custom URL protocol handlers that Tomcat uses. The original system property based approach has been restored.
  • Provide an implementation of the sub-set of JavaBeans support that does not depend on the java.beans package. This for use by Expression Language when the java.desktop module (which is where the java.beans package resides) is not available.
  • Restore inline state after async operation in NIO2, to account the fact that unexpected exceptions are sometimes thrown by the implementation. Patch submitted by zhougang.

Full details of these changes, and all the other changes, are available in the Tomcat 11 (alpha) changelog.

Download

2023-03-03 Tomcat 9.0.73 Released

The Apache Tomcat Project is proud to announce the release of version 9.0.73 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.72 include:

  • Correct a regression introduced in the fix for bug 66196 that meant that the HTTP headers and/or request line could get corrupted (one part overwriting another part) within a single request.
  • Provide a more appropriate response (501 rather than 400) when rejecting an HTTP request using the CONNECT method.
  • Add support for txt: and rnd: rewrite map types from mod_rewrite. Based on a pull request provided by Dimitrios Soumis.

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

2023-02-24 Tomcat 10.1.6 Released

The Apache Tomcat Project is proud to announce the release of version 10.1.6 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 10 platform.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE based applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE tool which is also available as a separate download for off-line use.

The notable changes in this release are:

  • Switch to using the ServiceLoader mechanism to load the custom URL protocol handlers that Tomcat uses.
  • Update the packaged version of the Apache Tomcat Native Library to 2.0.3 to pick up the Windows binaries built with with OpenSSL 3.0.8.
  • Add the shared address space specified by RFC 6598 (100.64.0.0/10) to the list of trusted proxies for RemoteIPValve/Filter.
  • Limit access to examples web application to localhost by default .

Full details of these changes, and all the other changes, are available in the Tomcat 10.1 changelog.

Download

2023-02-24 Tomcat 8.5.86 Released

The Apache Tomcat Project is proud to announce the release of version 8.5.86 of Apache Tomcat. This release implements specifications that are part of the Java EE 7 platform. The notable changes compared to 8.5.85 include:

  • Add an error report valve that allows redirecting to or proxying from an external web server.
  • Add the shared address space specified by RFC 6598 (100.64.0.0/10) to the list of trusted proxies for RemoteIPValve/Filter.
  • Log basic information for each configured TLS certificate when Tomcat starts.
  • Limit access to examples web application to localhost by default.

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Please note that Apache Tomcat 8.5.x will reach End-of-life (EOL) on 31 March 2024.

Download

2023-02-23 Tomcat 9.0.72 Released

The Apache Tomcat Project is proud to announce the release of version 9.0.72 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.71 include:

  • Add an error report valve that allows redirecting to or proxying from an external web server.
  • Log basic information for each configured TLS certificate when Tomcat starts.
  • Add the shared address space specified by RFC 6598 (100.64.0.0/10) to the list of trusted proxies for RemoteIPValve/Filter.
  • Limit access to examples web application to localhost by default.

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

2023-02-23 Tomcat 11.0.0-M3 Released

The Apache Tomcat Project is proud to announce the release of version 11.0.0-M3 (alpha) of Apache Tomcat. This release is a milestone release and is targeted at Jakarta EE 11.

Users of Tomcat 10 onwards should be aware that, as a result of the move from Java EE to Jakarta EE as part of the transfer of Java EE to the Eclipse Foundation, the primary package for all implemented APIs has changed from javax.* to jakarta.*. This will almost certainly require code changes to enable applications to migrate from Tomcat 9 and earlier to Tomcat 10 and later. A migration tool is under development to aid this process.

The notable changes in this release are:

  • Increase the minimum supported Java version to Java 17.
  • Remove support for starting Tomcat under a SecurityManager.
  • Remove JAX-RPC support which was removed from the Jakarta EE platform for Jakarta EE 9

Full details of these changes, and all the other changes, are available in the Tomcat 11 (alpha) changelog.

Download

2023-02-13 Tomcat Native 2.0.3 Released

The Apache Tomcat Project is proud to announce the release of version 2.0.3 of Tomcat Native. The notable changes compared to 2.0.2 include:

  • The windows binaries in this release have been built with OpenSSL 3.0.8

Download | ChangeLog for 2.0.3

2023-02-13 Tomcat Native 1.2.36 Released

The Apache Tomcat Project is proud to announce the release of version 1.2.36 of Tomcat Native. The notable changes since 1.2.35 include:

  • Windows binaries built with OpenSSL 1.1.1t.

Download | ChangeLog for 1.2.36

2023-01-19 Tomcat 8.5.85 Released

The Apache Tomcat Project is proud to announce the release of version 8.5.85 of Apache Tomcat. This release implements specifications that are part of the Java EE 7 platform. The notable changes compared to 8.5.84 include:

  • The default value of AccessLogValve's file encoding is now UTF-8.
  • Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path.
  • When an HTTP/2 stream was reset, the current active stream count was not reduced. If enough resets occurred on a connection, the current active stream count limit was reached and no new streams could be created on that connection.
  • Change the default of the org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system property to true unless the EL library is running on Tomcat in which case the default remains false as the EL library is already called from within a privileged block and skipping the unnecessary privileged block improves performance.

Full details of these changes, and all the other changes, are available in the Tomcat 8 changelog.

Please note that Apache Tomcat 8.5.x will reach End-of-life (EOL) on 31 March 2024.

Download

2023-01-13 Tomcat 9.0.71 Released

The Apache Tomcat Project is proud to announce the release of version 9.0.71 of Apache Tomcat. This release implements specifications that are part of the Java EE 8 platform. The notable changes compared to 9.0.70 include:

  • Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path.
  • When resetting an HTTP/2 stream because the final response has been generated before the request has been fully read, use the HTTP/2 error code NO_ERROR so that client does not discard the response. Based on a suggestion by Lorenzo Dalla Vecchia.
  • Change the default of the org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system property to true unless the EL library is running on Tomcat in which case the default remains false as the EL library is already called from within a privileged block and skipping the unnecessary privileged block improves performance.

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

2023-01-13 Tomcat 10.1.5 Released

The Apache Tomcat Project is proud to announce the release of version 10.1.5 of Apache Tomcat. This release implements specifications that are part of the Jakarta EE 10 platform.

Applications that run on Tomcat 9 and earlier will not run on Tomcat 10 without changes. Java EE based applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. This conversion is performed using the Apache Tomcat migration tool for Jakarta EE tool which is also available as a separate download for off-line use.

The notable changes in this release are:

  • Correct a regression in the refactoring that replaced the use of the URL constructors. The regression broke lookups for resources that contained one or more characters in their name that required escaping when used in a URI path.
  • When resetting an HTTP/2 stream because the final response has been generated before the request has been fully read, use the HTTP/2 error code NO_ERROR so that client does not discard the response. Based on a suggestion by Lorenzo Dalla Vecchia.
  • Change the default of the org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system property to true unless the EL library is running on Tomcat in which case the default remains false as the EL library is already called from within a privileged block and skipping the unnecessary privileged block improves performance.

Full details of these changes, and all the other changes, are available in the Tomcat 10.1 changelog.

Download