Apache Tomcat^®

Announcements from previous years can be found here:

• year 2019
• year 2018
• year 2017
• year 2016
• year 2015
• year 2014
• year 2013
• year 2012
• year 2011
• year 2010

The Apache Tomcat Project is proud to announce the release of version 9.0.29 of Apache Tomcat. The notable changes compared to 9.0.27 include:

• Improvements to Async error handling
• Stricter processing of HTTP headers when looking for specific token values
• Fix various issues that could lead to modification to a JSP not being reflected in the served page

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 8.5.49 of Apache Tomcat. Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled forward from Tomcat 9.0.x. The minimum Java version and implemented specification versions remain unchanged. The notable changes compared to 8.5.47 include:

• Improvements to Async error handling
• Stricter processing of HTTP headers when looking for specific token values
• Fix various issues that could lead to modification to a JSP not being reflected in the served page

Full details of these changes, and all the other changes, are available in the Tomcat 8.5 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 9.0.27 of Apache Tomcat. The notable changes compared to 9.0.26 include:

• Update to Commons Daemon 1.2.2 to pick up the fix for a regression in Commons Daemon 1.2.0 and 1.2.1 that triggered a crash on startup when running on a Windows OS that had not been fully updated.
• Fix some edge cases with NIO2 and TLS that could cause a request to hang.
• Fix a memory leak introduced by the HTTP/2 timeout refactoring in 9.0.23 that could occur when HTTP/2 or WebSocket was used.

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 8.5.47 of Apache Tomcat. Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled forward from Tomcat 9.0.x. The minimum Java version and implemented specification versions remain unchanged. The notable changes compared to 8.5.46 include:

• Update to Commons Daemon 1.2.2 to pick up the fix for a regression in Commons Daemon 1.2.0 and 1.2.1 that triggered a crash on startup when running on a Windows OS that had not been fully updated.
• Fix some edge cases with NIO2 and TLS that could cause a request to hang.

Full details of these changes, and all the other changes, are available in the Tomcat 8.5 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 9.0.26 of Apache Tomcat. The notable changes compared to 9.0.24 include:

• Update to Commons Daemon 1.2.1 to pick up fixes for regressions in Commons Daemon 1.2.0, most notably a failure to start when using a 32-bit JVM on Windows.
• Avoid an NPE when accessing an https port using http.
• Correct the invalid automatic module names for the embedded JARs.
• Fix a potential hang when using HTTP/2 with the asynchronous Servlet API.

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 8.5.46 of Apache Tomcat. Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled forward from Tomcat 9.0.x. The minimum Java version and implemented specification versions remain unchanged. The notable changes compared to 8.5.45 include:

• Update to Commons Daemon 1.2.1 to pick up fixes for regressions in Commons Daemon 1.2.0, most notably a failure to start when using a 32-bit JVM on Windows.
• Avoid an NPE when accessing an https port using http.
• Fix a potential hang when using HTTP/2 with the asynchronous Servlet API.

Full details of these changes, and all the other changes, are available in the Tomcat 8.5 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 8.5.45 of Apache Tomcat. Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled forward from Tomcat 9.0.x. The minimum Java version and implemented specification versions remain unchanged. The notable changes compared to 8.5.43 include:

• Expand the HTTP/2 excessive overhead protection to cover various forms of abusive client behaviour and close the connection if any such behaviour is detected.
• Security improvements to the Windows installer including a change in the default user from Local System to Local Service.
• Improve handling of invalid requests so that 400 responses are returned to the client rather than 500 responses.

Full details of these changes, and all the other changes, are available in the Tomcat 8.5 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 9.0.24 of Apache Tomcat. The notable changes compared to 9.0.22 include:

• Expand Graal native image support to include JNDI, JSPs and JULI
• Expand the HTTP/2 excessive overhead protection to cover various forms of abusive client behaviour and close the connection if any such behaviour is detected.
• Security improvements to the Windows installer including a change in the default user from Local System to Local Service.

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 7.0.96 of Apache Tomcat. This release contains a number of bug fixes and improvements compared to version 7.0.94.

Full details of these changes, and all the other changes, are available in the Tomcat 7 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 9.0.22 of Apache Tomcat. The notable changes compared to 9.0.21 include:

• Add user buildable optional modules for easier CDI 2 and JAX-RS support. Also include a new documentation page describing how to use it.
• Update to Tomcat Native 1.2.23 including Windows binaries built with OpenSSL 1.1.1c.
• Update to Eclipse Complier for Java 4.12.

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 8.5.43 of Apache Tomcat. Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled forward from Tomcat 9.0.x. The minimum Java version and implemented specification versions remain unchanged. The notable changes compared to 8.5.42 include:

• Add the ability for a UserDatabase to monitor the backing XML file for changes and reload the source file if a change in the last modified time is detected. This is enabled by default meaning that changes to $CATALINA_BASE/conf/tomcat-users.xml will now take effect a short time after the file is saved.
• Update to Tomcat Native 1.2.23 including Windows binaries built with OpenSSL 1.1.1c.

Full details of these changes, and all the other changes, are available in the Tomcat 8.5 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 9.0.21 of Apache Tomcat. The notable changes compared to 9.0.20 include:

• Fix various concurrency and stability issues for HTTP/2.
• Add support for same-site cookie attribute. Patch provided by John Kelly.
• Add an option to sort directory listings provided by the Default Servlet.

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 8.5.42 of Apache Tomcat. Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled forward from Tomcat 9.0.x. The minimum Java version and implemented specification versions remain unchanged. The notable changes compared to 8.5.41 include:

• Fix various concurrency and stability issues for HTTP/2.
• Add support for same-site cookie attribute. Patch provided by John Kelly.
• Add an option to sort directory listings provided by the Default Servlet.

Full details of these changes, and all the other changes, are available in the Tomcat 8.5 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 9.0.20 of Apache Tomcat. The notable changes compared to 9.0.19 include:

• The useAsyncIO boolean attribute on the Connector element value now defaults to true.
• Stack traces written by the OneLineFormatter are fully indented. The entire stack trace is now indented by an additional TAB character.
• Various HTTP/2 improvements and stability fixes.

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 8.5.41 of Apache Tomcat. Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled forward from Tomcat 9.0.x. The minimum Java version and implemented specification versions remain unchanged. The notable changes compared to 8.5.40 include:

• Stack traces written by the OneLineFormatter are fully indented. The entire stack trace is now indented by an additional TAB character.
• Avoid OutOfMemoryErrors and ArrayIndexOutOfBoundsExceptions when accessing large files via the default servlet when resource caching has been disabled.
• When running on newer JREs that don't support SSLv2Hello, don't warn that it is not available unless explicitly configured.

Full details of these changes, and all the other changes, are available in the Tomcat 8.5 changelog.

Download

As part of the EU-FOSSA 2 project, there will be a Tomcat Hackathon in Brussels, Belgium on 4-5 May 2019.

The outline of the schedule is:

• general update on the status of the project
• hacking
• wrap-up

with the majority of the time spent hacking.

We are currently collating potential tasks on the wiki.

The EU-FOSSA 2 project is providing accommodation (on the basis of 2 people sharing - you can request a single room if you want to pay the difference) and might be able to help with transport costs.

Space is limited so we are asking anyone who would like to attend this hackathon and contribute to the development of Tomcat to register yourself.

Time is fairly tight so if you are interested please let us know ASAP.

We hope to see you in Brussels.

The Apache Tomcat Project is proud to announce the release of version 9.0.19 of Apache Tomcat. The notable changes compared to 9.0.17 include:

• Fix for CVE-2019-0232, an RCE vulnerability on Windows
• Add support for Java 11 to the JSP compiler. Java 12 and 13 are also now supported if used with a ECJ version with support for those Java versions
• Various NIO2 stability improvements

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 8.5.40 of Apache Tomcat. Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled forward from Tomcat 9.0.x. The minimum Java version and implemented specification versions remain unchanged. The notable changes compared to 8.5.39 include:

• Fix for CVE-2019-0232, an RCE vulnerability on Windows
• Add support for Java 11 to the JSP compiler. Java 12 and 13 are also now supported if used with a ECJ version with support for those Java versions
• Various NIO2 stability improvements

Full details of these changes, and all the other changes, are available in the Tomcat 8.5 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 7.0.94 of Apache Tomcat. This release contains a number of bug fixes and improvements compared to version 7.0.93.

• Fix for CVE-2019-0232, an RCE vulnerability on Windows
• Add support for Java 11 to the JSP compiler. Java 12 and 13 are also now supported if used with a ECJ version with support for those Java versions
• Update Tomcat's packaged-renamed copy of Apache Commons DBCP to the latest DBCP 1.4.x and Pool 1.6.x source (as of 2019-03-15) to pick up various bug fixes

Full details of these changes, and all the other changes, are available in the Tomcat 7 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 8.5.39 of Apache Tomcat. Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled forward from Tomcat 9.0.x. The minimum Java version and implemented specification versions remain unchanged. The notable changes compared to 8.5.38 include:

• The APR/Native connector now supports both OpenSSL and JSSE TLS configuration syntax (NIO and NIO2 already support this)
• Various improvements to NIO2
• Various fixes for HTTP/2 push requests
• Refactor error handling so that errors that occur early in request processing are handled by the application's error handling where the application can be identified

Full details of these changes, and all the other changes, are available in the Tomcat 8.5 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 9.0.17 of Apache Tomcat. The notable changes compared to 9.0.16 include:

• The APR/Native connector now supports both OpenSSL and JSSE TLS configuration syntax (NIO and NIO2 already support this)
• Various improvements to NIO2
• Various fixes for HTTP/2 push requests

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 7.0.93 of Apache Tomcat. This release contains a number of bug fixes and improvements compared to version 7.0.92.

• Update the packaged version of the Tomcat Native Library to 1.2.21 to pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL 1.1.1a and to pick up the memory leak fixes when using NIO/NIO2 with OpenSSL.

Full details of these changes, and all the other changes, are available in the Tomcat 7 changelog.

Download

The Apache Tomcat Project is proud to announce the release of version 9.0.16 of Apache Tomcat. The notable changes compared to 9.0.14 include:

• Update the packaged version of the Tomcat Native Library to 1.2.21 to pick up the memory leak fixes when using NIO/NIO2 with OpenSSL.
• Remove extras (JMX remote listener and web services object factories) and merge them back into the core build.
• Correct a regression in the fix for 53737 that did not correctly scan the web application directory structure for JSPs.
• Improve HTTP/2 timeout handling

Full details of these changes, and all the other changes, are available in the Tomcat 9 changelog.

Warning: There is a known regression in catalina.sh script. In configurations that use a PID file (configured via CATALINA_PID environment variable) a wrong PID value may be written, or the file is not created at all. See bug 63041 (and 53930). The workaround is to use catalina.sh file from Tomcat 9.0.13.

Download

The Apache Tomcat Project is proud to announce the release of version 8.5.38 of Apache Tomcat. Apache Tomcat 8.5.x replaces 8.0.x and includes new features pulled forward from Tomcat 9.0.x. The minimum Java version and implemented specification versions remain unchanged. The notable changes compared to 8.5.37 include:

• Update the packaged version of the Tomcat Native Library to 1.2.21 to pick up the memory leak fixes when using NIO/NIO2 with OpenSSL.
• Correct a regression in the fix for 53737 that did not correctly scan the web application directory structure for JSPs.
• Improve HTTP/2 timeout handling

Full details of these changes, and all the other changes, are available in the Tomcat 8.5 changelog.

Warning: There is a known regression in catalina.sh script. In configurations that use a PID file (configured via CATALINA_PID environment variable) a wrong PID value may be written, or the file is not created at all. See bug 63041 (and 53930). The workaround is to use catalina.sh file from Tomcat 8.5.35.

Download

The Apache Tomcat Project is proud to announce the release of version 1.2.21 of Tomcat Native. The notable changes since 1.2.19 include:

• Fixed memory leaks when using NIO/NIO2 with OpenSSL for TLS.

Download | ChangeLog for 1.2.21