BUILDING.txt

@@ -21,7 +21,7 @@
 
 This subproject contains the source code for Tomcat @VERSION_MAJOR_MINOR@, a container that
 implements the Servlet 3.0, JSP 2.2, EL 2.2 and WebSocket 1.1 specifications
-from the Java Community Process <http://www.jcp.org/>.
+from the Java Community Process <https://www.jcp.org/>.
 
 Note: If you just need to run Apache Tomcat, it is not necessary to build
 it. You may simply download a binary distribution. It is cross-platform.
@@ -57,7 +57,7 @@ source distribution, do the following:
       See Apache Commons DBCP project web site for more details on
       available versions of the library and its requirements,
 
-        http://commons.apache.org/dbcp/
+        https://commons.apache.org/dbcp/
 
       If you really want to use a later version of JDK to build Tomcat,
       several workarounds are possible. One of them is to skip building
@@ -88,7 +88,7 @@ source distribution, do the following:
 
  2. Download a binary distribution of Ant from:
 
-        http://ant.apache.org/bindownload.cgi
+        https://ant.apache.org/bindownload.cgi
 
  3. Unpack the binary distribution into a convenient location so that the
     Ant release resides in its own directory (conventionally named
@@ -116,11 +116,11 @@ package.
 
  *  Tomcat SVN repository URL:
 
-        http://svn.apache.org/repos/asf/tomcat/tc@VERSION_MAJOR_MINOR@.x/trunk/
+        https://svn.apache.org/repos/asf/tomcat/tc@VERSION_MAJOR_MINOR@.x/trunk/
 
  *  Source packages can be downloaded from:
 
-        http://tomcat.apache.org/download-@VERSION_MAJOR@0.cgi
+        https://tomcat.apache.org/download-@VERSION_MAJOR@0.cgi
 
 The location where the source has been placed will be further referred as
 ${tomcat.source}.

CONTRIBUTING.md

@@ -4,17 +4,17 @@ Firstly, thanks for your interest in contributing! I hope that this will be a
 pleasant first experience for you, and that you will return to continue
 contributing.
 
-Please visit our [Get Involved page](http://tomcat.apache.org/getinvolved.html)
+Please visit our [Get Involved page](https://tomcat.apache.org/getinvolved.html)
 for more information on how to contribute.
 
 ## Code of Conduct
 
 This project and everyone participating in it is governed by the Apache
 software Foundation's
-[Code of Conduct](http://www.apache.org/foundation/policies/conduct.html). By
+[Code of Conduct](https://www.apache.org/foundation/policies/conduct.html). By
 participating, you are expected to adhere to this code. If you are aware of
 unacceptable behavior, please visit the
-[Reporting Guidelines page](http://www.apache.org/foundation/policies/conduct.html#reporting-guidelines)
+[Reporting Guidelines page](https://www.apache.org/foundation/policies/conduct.html#reporting-guidelines)
 and follow the instructions there.
 
 ## How Can I Contribute?
@@ -25,7 +25,7 @@ for us to fix.
 
 ### Reporting Bugs
 
-Please review our [guide](http://tomcat.apache.org/bugreport.html) on how to
+Please review our [guide](https://tomcat.apache.org/bugreport.html) on how to
 submit a bug report. This page also has links to other resources to assist
 you.
 
@@ -36,7 +36,7 @@ you.
 Unsure where to begin contributing to Tomcat? You can start by taking a look at
 the issues marked 'Beginner', link below. Please note that the Beginner keyword
 is pretty new to the project, so if there aren't any issues in the filter feel
-free to ask on the [dev list](http://tomcat.apache.org/lists.html#tomcat-dev).
+free to ask on the [dev list](https://tomcat.apache.org/lists.html#tomcat-dev).
 
 * [Beginner issues](https://bz.apache.org/bugzilla/buglist.cgi?bug_status=NEW&bug_status=ASSIGNED&bug_status=REOPENED&bug_status=NEEDINFO&keywords=Beginner&keywords_type=allwords&list_id=160824&product=Tomcat%207&product=Tomcat%208&product=Tomcat%209&query_format=advanced) -
 issues which should only require a few lines of code, and a test or two to
@@ -77,14 +77,17 @@ This method works if you want to submit a patch (like you would do for SVN), but
 the difference in using the sources distribution and a VCS is that you have to
 manually generate the patch file by using diff. If this is what you want, you
 can download the sources from the "Source Code Distributions" section of the
-[Download Page](https://tomcat.apache.org/download-90.cgi).
+Download Page. There is one such page for every major Tomcat version:
+- [Tomcat 9](https://tomcat.apache.org/download-90.cgi)
+- [Tomcat 8](https://tomcat.apache.org/download-80.cgi)
+- [Tomcat 7](https://tomcat.apache.org/download-70.cgi)
 
 ###### SVN
 
 If you have chosen to attach a patch to the Bugzilla issue (or email
 one), then you'll need to checkout the SVN version. Instructions for new
 committers to learn how to do this are found
-[here](http://www.apache.org/dev/contributors.html#svnbasics). However, in the
+[here](https://www.apache.org/dev/contributors.html#svnbasics). However, in the
 interest of a fast ramp up, the short version is below. Note that the root of
 the SVN repository is
 [tomcat/trunk](http://svn.apache.org/repos/asf/tomcat/trunk),

NOTICE

@@ -2,7 +2,7 @@ Apache Tomcat
 Copyright 1999-2018 The Apache Software Foundation
 
 This product includes software developed at
-The Apache Software Foundation (http://www.apache.org/).
+The Apache Software Foundation (https://www.apache.org/).
 
 The Windows Installer is built with the Nullsoft
 Scriptable Install System (NSIS), which is
@@ -13,7 +13,7 @@ http://nsis.sourceforge.net.
 Java compilation software for JSP pages is provided by the Eclipse
 JDT Core Batch Compiler component, which is open source software.
 The original software and related information is available at
-http://www.eclipse.org/jdt/core/.
+https://www.eclipse.org/jdt/core/.
 
 For the bayeux implementation
 The org.apache.cometd.bayeux API is derivative work originating at the Dojo Foundation

README.md

@@ -6,35 +6,45 @@ The Apache Tomcat® software is an open source implementation of the Java
 Servlet, JavaServer Pages, Java Expression Language and Java WebSocket
 technologies. The Java Servlet, JavaServer Pages, Java Expression Language and
 Java WebSocket specifications are developed under the
-[Java Community Process](http://jcp.org/en/introduction/overview).
+[Java Community Process](https://jcp.org/en/introduction/overview).
 
 The Apache Tomcat software is developed in an open and participatory
 environment and released under the
-[Apache License version 2](http://www.apache.org/licenses/). The Apache Tomcat
+[Apache License version 2](https://www.apache.org/licenses/). The Apache Tomcat
 project is intended to be a collaboration of the best-of-breed developers from
 around the world. We invite you to participate in this open development
 project. To learn more about getting involved,
-[click here](http://tomcat.apache.org/getinvolved.html) or keep reading.
+[click here](https://tomcat.apache.org/getinvolved.html) or keep reading.
 
 Apache Tomcat software powers numerous large-scale, mission-critical web
 applications across a diverse range of industries and organizations. Some of
 these users and their stories are listed on the
-[PoweredBy wiki page](http://wiki.apache.org/tomcat/PoweredBy).
+[PoweredBy wiki page](https://wiki.apache.org/tomcat/PoweredBy).
 
 Apache Tomcat, Tomcat, Apache, the Apache feather, and the Apache Tomcat
 project logo are trademarks of the Apache Software Foundation.
 
-### The Latest Version
+### Get It
 
-The current latest version in this branch (trunk) can be found on the [Tomcat 9.0](https://tomcat.apache.org/download-90.cgi) page.
+For every major Tomcat version there is one download page containing
+links to the latest binary and source code downloads, but also
+links for browsing the download directories and archives:
+- [Tomcat 9](https://tomcat.apache.org/download-90.cgi)
+- [Tomcat 8](https://tomcat.apache.org/download-80.cgi)
+- [Tomcat 7](https://tomcat.apache.org/download-70.cgi)
+
+To facilitate choosing the right major Tomcat version one, we have provided a
+[version overview page](https://tomcat.apache.org/whichversion.html).
 
 ### Documentation
 
 The documentation available as of the date of this release is
 included in the docs webapp which ships with tomcat. You can access that webapp
 by starting tomcat and visiting http://localhost:8080/docs/ in your browser.
-The most up-to-date documentation can be found at
-http://tomcat.apache.org/tomcat-9.0-doc/.
+The most up-to-date documentation for each version can be found at:
+- [Tomcat 9](https://tomcat.apache.org/tomcat-9.0-doc/)
+- [Tomcat 8](https://tomcat.apache.org/tomcat-8.5-doc/)
+- [Tomcat 7](https://tomcat.apache.org/tomcat-7.0-doc/)
 
 ### Installation
 
@@ -47,22 +57,22 @@ Please see [LICENSE](LICENSE) for more info.
 ### Support and Mailing List Information
 
 * Free community support is available through the
-[tomcat-users](http://tomcat.apache.org/lists.html#tomcat-users) email list and
-a dedicated [IRC channel](http://tomcat.apache.org/irc.html) (#tomcat on
+[tomcat-users](https://tomcat.apache.org/lists.html#tomcat-users) email list and
+a dedicated [IRC channel](https://tomcat.apache.org/irc.html) (#tomcat on
 Freenode).
 
 * If you want freely available support for running Apache Tomcat, please see the
-resources page [here](http://tomcat.apache.org/findhelp.html).
+resources page [here](https://tomcat.apache.org/findhelp.html).
 
 * If you want to be informed about new code releases, bug fixes,
 security fixes, general news and information about Apache Tomcat, please
 subscribe to the
-[tomcat-announce](http://tomcat.apache.org/lists.html#tomcat-announce) email
+[tomcat-announce](https://tomcat.apache.org/lists.html#tomcat-announce) email
 list.
 
 * If you have a concrete bug report for Apache Tomcat, please see the
 instructions for reporting a bug
-[here](http://tomcat.apache.org/bugreport.html).
+[here](https://tomcat.apache.org/bugreport.html).
 
 ### Contributing
 

RELEASE-NOTES

@@ -234,4 +234,4 @@ software:
 When all else fails:
 ====================
 See the FAQ
-http://tomcat.apache.org/faq/
+https://tomcat.apache.org/faq/

RUNNING.txt

@@ -58,7 +58,7 @@ Running With JRE 6 Or Later
 
 (2.1) Download a binary distribution of Tomcat from:
 
-      http://tomcat.apache.org/
+      https://tomcat.apache.org/
 
 (2.2) Unpack the binary distribution so that it resides in its own
       directory (conventionally named "apache-tomcat-[version]").
@@ -218,7 +218,7 @@ launches Java directly and does not use the script files.
 (4.3) Further information about configuring and running Tomcat can be found in
       the documentation included here, as well as on the Tomcat web site:
 
-      http://tomcat.apache.org/
+      https://tomcat.apache.org/
 
 
 (5) Shut Down Tomcat
@@ -409,32 +409,32 @@ For further reading:
 
     * Documentation for APR/Native library in the Tomcat User's Guide
 
-      http://tomcat.apache.org/tomcat-@VERSION_MAJOR_MINOR@-doc/apr.html
+      https://tomcat.apache.org/tomcat-@VERSION_MAJOR_MINOR@-doc/apr.html
 
     * Documentation for the HTTP and AJP protocol connectors in the Tomcat
       Configuration Reference
 
-      http://tomcat.apache.org/tomcat-@VERSION_MAJOR_MINOR@-doc/config/http.html
+      https://tomcat.apache.org/tomcat-@VERSION_MAJOR_MINOR@-doc/config/http.html
 
-      http://tomcat.apache.org/tomcat-@VERSION_MAJOR_MINOR@-doc/config/ajp.html
+      https://tomcat.apache.org/tomcat-@VERSION_MAJOR_MINOR@-doc/config/ajp.html
 
  - Apache Tomcat Native project home
 
-      http://tomcat.apache.org/native-doc/
+      https://tomcat.apache.org/native-doc/
 
  - Other projects
 
     * OpenSSL
 
-      http://openssl.org/
+      https://www.openssl.org/
 
     * Apache Portable Runtime
 
-      http://apr.apache.org/
+      https://apr.apache.org/
 
     * Apache HTTP Server
 
-      http://httpd.apache.org/
+      https://httpd.apache.org/
 
 To disable Apache Tomcat Native library:
 
@@ -465,17 +465,17 @@ For further reading:
 
  - Apache Commons Daemon project
 
-      http://commons.apache.org/daemon/
+      https://commons.apache.org/daemon/
 
  - Apache Tomcat documentation
 
     * Installing Apache Tomcat
 
-      http://tomcat.apache.org/tomcat-@VERSION_MAJOR_MINOR@-doc/setup.html
+      https://tomcat.apache.org/tomcat-@VERSION_MAJOR_MINOR@-doc/setup.html
 
     * Windows service HOW-TO
 
-      http://tomcat.apache.org/tomcat-@VERSION_MAJOR_MINOR@-doc/windows-service-howto.html
+      https://tomcat.apache.org/tomcat-@VERSION_MAJOR_MINOR@-doc/windows-service-howto.html
 
 The binary files of Apache Commons Daemon in Apache Tomcat distributions
 for Windows are named:

bin/service.bat

@@ -52,19 +52,16 @@ echo Service will try to guess them from the registry.
 goto okJavaHome
 :gotJreHome
 if not exist "%JRE_HOME%\bin\java.exe" goto noJavaHome
-if not exist "%JRE_HOME%\bin\javaw.exe" goto noJavaHome
 goto okJavaHome
 :gotJdkHome
 if not exist "%JAVA_HOME%\bin\javac.exe" goto noJavaHome
 rem Java 9 has a different directory structure
 if exist "%JAVA_HOME%\jre\bin\java.exe" goto preJava9Layout
 if not exist "%JAVA_HOME%\bin\java.exe" goto noJavaHome
-if not exist "%JAVA_HOME%\bin\javaw.exe" goto noJavaHome
 if not "%JRE_HOME%" == "" goto okJavaHome
 set "JRE_HOME=%JAVA_HOME%"
 goto okJavaHome
 :preJava9Layout
-if not exist "%JAVA_HOME%\jre\bin\javaw.exe" goto noJavaHome
 if not "%JRE_HOME%" == "" goto okJavaHome
 set "JRE_HOME=%JAVA_HOME%\jre"
 goto okJavaHome
@@ -163,7 +160,7 @@ set "CLASSPATH=%CATALINA_HOME%\bin\bootstrap.jar;%CATALINA_BASE%\bin\tomcat-juli
 if not "%CATALINA_HOME%" == "%CATALINA_BASE%" set "CLASSPATH=%CLASSPATH%;%CATALINA_HOME%\bin\tomcat-juli.jar"
 
 "%EXECUTABLE%" //IS//%SERVICE_NAME% ^
-    --Description "Apache Tomcat @VERSION@ Server - http://tomcat.apache.org/" ^
+    --Description "Apache Tomcat @VERSION@ Server - https://tomcat.apache.org/" ^
     --DisplayName "%DISPLAYNAME%" ^
     --Install "%EXECUTABLE%" ^
     --LogPath "%CATALINA_BASE%\logs" ^

bin/setclasspath.bat

@@ -36,7 +36,6 @@ goto exit
 rem Check if we have a usable JDK
 if "%JAVA_HOME%" == "" goto noJavaHome
 if not exist "%JAVA_HOME%\bin\java.exe" goto noJavaHome
-if not exist "%JAVA_HOME%\bin\javaw.exe" goto noJavaHome
 if not exist "%JAVA_HOME%\bin\jdb.exe" goto noJavaHome
 if not exist "%JAVA_HOME%\bin\javac.exe" goto noJavaHome
 set "JRE_HOME=%JAVA_HOME%"
@@ -55,7 +54,6 @@ set "JRE_HOME=%JAVA_HOME%"
 :gotJreHome
 rem Check if we have a usable JRE
 if not exist "%JRE_HOME%\bin\java.exe" goto noJreHome
-if not exist "%JRE_HOME%\bin\javaw.exe" goto noJreHome
 goto okJava
 
 :noJreHome

build.properties.default

@@ -25,7 +25,7 @@
 # ----- Version Control Flags -----
 version.major=7
 version.minor=0
-version.build=88
+version.build=90
 version.patch=0
 version.suffix=
 
@@ -69,8 +69,8 @@ compile.source=1.6
 compile.target=1.6
 compile.debug=true
 
-base-apache.loc.1=http://www.apache.org/dyn/closer.lua?action=download&filename=
-base-apache.loc.2=http://archive.apache.org/dist
+base-apache.loc.1=https://www.apache.org/dyn/closer.lua?action=download&filename=
+base-apache.loc.2=https://archive.apache.org/dist
 base-commons.loc.1=${base-apache.loc.1}/commons
 base-commons.loc.2=${base-apache.loc.2}/commons
 base-tomcat.loc.1=${base-apache.loc.1}/tomcat
@@ -90,6 +90,9 @@ base-maven.loc=https://repo.maven.apache.org/maven2
 # - logkit
 # - servletapi
 commons-logging.version=1.1.3
+commons-logging-src.checksum.enabled=true
+commons-logging-src.checksum.algorithm=MD5|SHA-1
+commons-logging-src.checksum.value=e8e197d628436490886d17cffa108fe3|95f0805de0be927c42f5f6eb14b643cb37e7caad
 commons-logging.home=${base.path}/commons-logging-${commons-logging.version}
 commons-logging-src.loc.1=${base-commons.loc.1}/logging/source/commons-logging-${commons-logging.version}-src.tar.gz
 commons-logging-src.loc.2=${base-commons.loc.2}/logging/source/commons-logging-${commons-logging.version}-src.tar.gz
@@ -97,36 +100,54 @@ commons-logging-src.tar.gz=${commons-logging.home}/commons-logging-${commons-log
 
 # ----- Avalon Framework (required by commons logging) -----
 avalon-framework.version=4.1.5
+avalon-framework.checksum.enabled=true
+avalon-framework.checksum.algorithm=MD5|SHA-1
+avalon-framework.checksum.value=71a0db38cac8809aeea73645064bae1a|3532aaf90b552ed1e1e1e29392b77b3b1980d8a8
 avalon-framework.home=${base.path}/avalon-framework-${avalon-framework.version}
 avalon-framework.loc=${base-maven.loc}/avalon-framework/avalon-framework/${avalon-framework.version}/avalon-framework-${avalon-framework.version}.jar
 avalon-framework.jar=${avalon-framework.home}/avalon-framework-${avalon-framework.version}.jar
 
 # ----- log4j (required by commons logging) -----
 log4j.version=1.2.17
+log4j.checksum.enabled=true
+log4j.checksum.algorithm=MD5|SHA-1
+log4j.checksum.value=04a41f0a068986f0f73485cf507c0f40|5af35056b4d257e4b64b9e8069c0746e8b08629f
 log4j.home=${base.path}/log4j-${log4j.version}
 log4j.loc=${base-maven.loc}/log4j/log4j/${log4j.version}/log4j-${log4j.version}.jar
 log4j.jar=${log4j.home}/log4j-${log4j.version}.jar
 
 # ----- logkit (required by commons logging) -----
 logkit.version=1.0.1
+logkit.checksum.enabled=true
+logkit.checksum.algorithm=MD5|SHA-1
+logkit.checksum.value=32240100a5c15d53f00392fae4b0aab7|aaf5649b523c5ffc925e746074979150bb74bfdc
 logkit.home=${base.path}/logkit-${logkit.version}
 logkit.loc=${base-maven.loc}/logkit/logkit/${logkit.version}/logkit-${logkit.version}.jar
 logkit.jar=${logkit.home}/logkit-${logkit.version}.jar
 
 # ----- servletapi (required by commons logging) -----
 servletapi.version=2.3
+servletapi.checksum.enabled=true
+servletapi.checksum.algorithm=MD5|SHA-1
+servletapi.checksum.value=c097f777c6fd453277c6891b3bb4dc09|0137a24e9f62973f01f16dd23fc1b5a9964fd9ef
 servletapi.home=${base.path}/servletapi-${servletapi.version}
 servletapi.loc=${base-maven.loc}/servletapi/servletapi/${servletapi.version}/servletapi-${servletapi.version}.jar
 servletapi.jar=${servletapi.home}/servletapi-${servletapi.version}.jar
 
 # ----- Webservices - JAX RPC -----
 jaxrpc-lib.version=1.1-rc4
+jaxrpc-lib.checksum.enabled=true
+jaxrpc-lib.checksum.algorithm=MD5|SHA-1
+jaxrpc-lib.checksum.value=4bebba22a4cdb9f68e16c45129770333|fe9371d33dc3e1646d4d13bde19614283eb998b1
 jaxrpc-lib.home=${base.path}/jaxrpc-${jaxrpc-lib.version}
 jaxrpc-lib.loc=${base-maven.loc}/geronimo-spec/geronimo-spec-jaxrpc/${jaxrpc-lib.version}/geronimo-spec-jaxrpc-${jaxrpc-lib.version}.jar
 jaxrpc-lib.jar=${jaxrpc-lib.home}/geronimo-spec-jaxrpc-${jaxrpc-lib.version}.jar
 
 # ----- Webservices - WSDL4J -----
 wsdl4j-lib.version=1.6.2
+wsdl4j-lib.checksum.enabled=true
+wsdl4j-lib.checksum.algorithm=MD5|SHA-1
+wsdl4j-lib.checksum.value=2608a8ea3f07b0c08de8a7d3d0d3fc09|dec1669fb6801b7328e01ad72fc9e10b69ea06c1
 wsdl4j-lib.home=${base.path}/wsdl4j-${wsdl4j-lib.version}
 wsdl4j-lib.loc=${base-maven.loc}/wsdl4j/wsdl4j/${wsdl4j-lib.version}/wsdl4j-${wsdl4j-lib.version}.jar
 wsdl4j-lib.jar=${wsdl4j-lib.home}/wsdl4j-${wsdl4j-lib.version}.jar
@@ -135,6 +156,9 @@ wsdl4j-lib.jar=${wsdl4j-lib.home}/wsdl4j-${wsdl4j-lib.version}.jar
 # See https://wiki.apache.org/tomcat/JDTCoreBatchCompiler before updating
 jdt.version=4.4.2
 jdt.release=R-4.4.2-201502041700
+jdt.checksum.enabled=true
+jdt.checksum.algorithm=SHA-512
+jdt.checksum.value=ba79ccc8cf3a3340f2181ebe04eb0606954ba393c1e0182b3adf4ebcda045c3ee7846958ee2266d19209c9ec74aa8db042a0b3bec9fce4f47c387562ff1e4f00
 jdt.home=${base.path}/ecj-${jdt.version}
 jdt.jar=${jdt.home}/ecj-${jdt.version}.jar
 # The download will be moved to the archive area eventually. We are taking care of that in advance.
@@ -142,7 +166,13 @@ jdt.loc.1=http://archive.eclipse.org/eclipse/downloads/drops4/${jdt.release}/ecj
 jdt.loc.2=http://download.eclipse.org/eclipse/downloads/drops4/${jdt.release}/ecj-${jdt.version}.jar
 
 # ----- Tomcat native library -----
-tomcat-native.version=1.2.16
+tomcat-native.version=1.2.17
+tomcat-native.src.checksum.enabled=true
+tomcat-native.src.checksum.algorithm=SHA-512
+tomcat-native.src.checksum.value=8fa946855fd14525ec0abe7b09975bbd34d6127352e90730a8afb77e16cd91715417e812a40017fee65939a9ce95faf39a9193222f441cda0ad2eb7f690e77b9
+tomcat-native.win.checksum.enabled=true
+tomcat-native.win.checksum.algorithm=SHA-512
+tomcat-native.win.checksum.value=2955209b39707949b080f13c09edcad08a13faf5545f7890e2ac493ccbc66d09e152a39b4fa6ac40fe3de6b209b305608db3db8dcf24dda94567b417f55a5f49
 tomcat-native.home=${base.path}/tomcat-native-${tomcat-native.version}
 tomcat-native.tar.gz=${tomcat-native.home}/tomcat-native.tar.gz
 tomcat-native.loc.1=${base-tomcat.loc.1}/tomcat-connectors/native/${tomcat-native.version}/source/tomcat-native-${tomcat-native.version}-src.tar.gz
@@ -152,18 +182,27 @@ tomcat-native.win.2=${base-tomcat.loc.2}/tomcat-connectors/native/${tomcat-nativ
 
 # ----- Commons DBCP, version 1.1 or later -----
 commons-dbcp.version=1.4
+commons-dbcp-src.checksum.enabled=true
+commons-dbcp-src.checksum.algorithm=SHA-256
+commons-dbcp-src.checksum.value=f5f10846e79fc71121fe7402c61d71575506b01b59e719e974ebc4d99e6df283
 commons-dbcp.home=${base.path}/commons-dbcp-${commons-dbcp.version}-src
 commons-dbcp-src.loc.1=${base-commons.loc.1}/dbcp/source/commons-dbcp-${commons-dbcp.version}-src.tar.gz
 commons-dbcp-src.loc.2=${base-commons.loc.2}/dbcp/source/commons-dbcp-${commons-dbcp.version}-src.tar.gz
 
 # ----- Commons Pool, version 1.1 or later -----
 commons-pool.version=1.5.7
+commons-pool-src.checksum.enabled=true
+commons-pool-src.checksum.algorithm=MD5|SHA-1
+commons-pool-src.checksum.value=fcec4e996efda82ec8643dd2aeb63c7c|58a3f48601b70f7a7db1da47907d53b43949d0a4
 commons-pool.home=${base.path}/commons-pool-${commons-pool.version}-src
 commons-pool-src.loc.1=${base-commons.loc.1}/pool/source/commons-pool-${commons-pool.version}-src.tar.gz
 commons-pool-src.loc.2=${base-commons.loc.2}/pool/source/commons-pool-${commons-pool.version}-src.tar.gz
 
 # ----- NSIS, version 3.0 or later -----
 nsis.version=3.03
+nsis.checksum.enabled=true
+nsis.checksum.algorithm=MD5|SHA-1
+nsis.checksum.value=d4919dc089ec256a7264e97ada299b64|ea69aa8d538916c9e8630dfd0106b063f7bb5d46
 nsis.home=${base.path}/nsis-${nsis.version}
 nsis.exe=${nsis.home}/makensis.exe
 nsis.arch.dir=x86-unicode/
@@ -176,6 +215,20 @@ nsis.loc=${base-sf.loc}/nsis/nsis-${nsis.version}.zip
 
 # ----- Commons Daemon, version 1.1.0 or later -----
 commons-daemon.version=1.1.0
+
+# checksum for commons-daemon-1.1.0-bin.tar.gz
+commons-daemon.bin.checksum.enabled=true
+commons-daemon.bin.checksum.algorithm=SHA-512
+commons-daemon.bin.checksum.value=43c33e52e0be11e73370083500592ee9df0431c3166dbc7ed95794cabb462ac2a140e3eb4bbe2a0b99882bb93d9244ff534f13e4933c13e7a31a37e58e0c8e1d
+
+# checksums for commons-daemon-1.1.0-native-src.tar.gz, commons-daemon-1.1.0-bin-windows.zip
+commons-daemon.native.src.checksum.enabled=true
+commons-daemon.native.src.checksum.algorithm=SHA-512
+commons-daemon.native.src.checksum.value=3443f1c95a4b267c4387a9ac7c79315422a51e896c0bcea48fbe959bc301094770aa8065b2388a84760a3e07e5d1753c2b351336fb2d3a8c996ee14d32088f6e
+commons-daemon.native.win.checksum.enabled=true
+commons-daemon.native.win.checksum.algorithm=SHA-512
+commons-daemon.native.win.checksum.value=10cda04d9a44286cb67107fdb9d20958013f075cad4accba048801f3677765c334dc16f6901e1d2e4a9df5a2c702797370de63393568df6fceb9e7902421f9ea
+
 commons-daemon.home=${base.path}/commons-daemon-${commons-daemon.version}
 commons-daemon.jar=${commons-daemon.home}/commons-daemon-${commons-daemon.version}.jar
 commons-daemon.native.win.home=${commons-daemon.home}/windows
@@ -191,30 +244,45 @@ commons-daemon.native.win.loc.2=${base-commons.loc.2}/daemon/binaries/windows/co
 
 # ----- JUnit Unit Test Suite, version 4.11 or later -----
 junit.version=4.11
+junit.checksum.enabled=true
+junit.checksum.algorithm=MD5|SHA-1
+junit.checksum.value=3c42be5ea7cbf3635716abbb429cb90d|4e031bb61df09069aeb2bffb4019e7a5034a4ee0
 junit.home=${base.path}/junit-${junit.version}
 junit.jar=${junit.home}/junit-${junit.version}.jar
 junit.loc=${base-maven.loc}/junit/junit/${junit.version}/junit-${junit.version}.jar
 
 # ----- Hamcrest Library, used by JUnit, version 1.3 or later ----
 hamcrest.version=1.3
+hamcrest.checksum.enabled=true
+hamcrest.checksum.algorithm=MD5|SHA-1
+hamcrest.checksum.value=6393363b47ddcbba82321110c3e07519|42a25dc3219429f0e5d060061f71acb49bf010a0
 hamcrest.home=${base.path}/hamcrest-${hamcrest.version}
 hamcrest.jar=${hamcrest.home}/hamcrest-core-${hamcrest.version}.jar
 hamcrest.loc=${base-maven.loc}/org/hamcrest/hamcrest-core/${hamcrest.version}/hamcrest-core-${hamcrest.version}.jar
 
 # ----- EasyMock, version 3.2 or later -----
 easymock.version=3.2
+easymock.checksum.enabled=true
+easymock.checksum.algorithm=MD5|SHA-1
+easymock.checksum.value=2d914151580d6749ba0921be7eda705a|9794114433b4788b5d6498164311ecb3a25ff262
 easymock.home=${base.path}/easymock-${easymock.version}
 easymock.loc=${base-sf.loc}/easymock/easymock-${easymock.version}.zip
 easymock.jar=${easymock.home}/easymock-${easymock.version}.jar
 
 # ----- cglib, used by EasyMock, version 2.2 or later -----
 cglib.version=2.2.3
+cglib.checksum.enabled=true
+cglib.checksum.algorithm=MD5|SHA-1
+cglib.checksum.value=694815351007f966c14ea093ec838323|6a4af5d9112066a5baf235fd55d5876969bc813c
 cglib.home=${base.path}/cglib-${cglib.version}
 cglib.loc=${base-sf.loc}/cglib/cglib-nodep-${cglib.version}.jar
 cglib.jar=${cglib.home}/cglib-nodep-${cglib.version}.jar
 
 # ----- objenesis, used by EasyMock, version 1.2 or later -----
 objenesis.version=1.2
+objenesis.checksum.enabled=true
+objenesis.checksum.algorithm=SHA-1
+objenesis.checksum.value=2359e04aca6f4f171f92ff77489d1669043dd536
 objenesis.home=${base.path}/objenesis-${objenesis.version}
 objenesis.loc=https://bintray.com/easymock/distributions/download_file?file_path=objenesis-${objenesis.version}-bin.zip
 objenesis.jar=${objenesis.home}/objenesis-${objenesis.version}.jar
@@ -222,6 +290,9 @@ objenesis.jar=${objenesis.home}/objenesis-${objenesis.version}.jar
 # ----- Checkstyle, version 6.0 or later -----
 # Limited to 6.1.1 since that is the latest release that supports Java 6
 checkstyle.version=6.1.1
+checkstyle.checksum.enabled=true
+checkstyle.checksum.algorithm=MD5|SHA-1
+checkstyle.checksum.value=bfbbd909c0b9c6724434421a202e0912|aeb92ff49b80c958fd29f5e8f349f8b5fd4342bd
 checkstyle.home=${base.path}/checkstyle-${checkstyle.version}
 checkstyle.loc=${base-sf.loc}/checkstyle/checkstyle/${checkstyle.version}/checkstyle-${checkstyle.version}-all.jar
 checkstyle.jar=${checkstyle.home}/checkstyle-${checkstyle.version}-all.jar
@@ -238,6 +309,9 @@ dojo-js.jar=${dojo-js.home}/dojo/dojo.js
 
 # ----- Cobertura code coverage tool -----
 cobertura.version=2.0.3
+cobertura.checksum.enabled=true
+cobertura.checksum.algorithm=MD5|SHA-1
+cobertura.checksum.value=63a8c5b3f5c1226fcc52cc9c9ea2a812|705d23e5a8815aff3bc4adafd7f3001b578b5acf
 cobertura.home=${base.path}/cobertura-${cobertura.version}
 cobertura.jar=${cobertura.home}/cobertura-${cobertura.version}.jar
 cobertura.lib=${cobertura.home}/lib

debian/changelog

+tomcat7 (7.0.56-3+really7.0.90-1) jessie-security; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * New upstream version 7.0.90.
+    Fix CVE-2018-8034:
+    The host name verification when using TLS with the WebSocket client was
+    missing. It is now enabled by default.
+  * Rebase 0017-use-jdbc-pool-default.patch.
+
+ -- Markus Koschany <apo@debian.org>  Mon, 30 Jul 2018 02:31:58 +0200
+
 tomcat7 (7.0.56-3+really7.0.88-2) jessie-security; urgency=high
 
   * Non-maintainer upload by the LTS team.

debian/patches/0017-use-jdbc-pool-default.patch

 From: Markus Koschany <apo@debian.org>
-Date: Sat, 19 May 2018 19:06:40 +0200
+Date: Mon, 30 Jul 2018 02:40:55 +0200
 Subject: 0017-use-jdbc-pool-default
 
 ---
@@ -9,7 +9,7 @@ Subject: 0017-use-jdbc-pool-default
  3 files changed, 3 insertions(+), 3 deletions(-)
 
 diff --git a/java/org/apache/naming/factory/Constants.java b/java/org/apache/naming/factory/Constants.java
-index 653a3e9..b867a3b 100644
+index bdfa627..7bbdbc1 100644
 --- a/java/org/apache/naming/factory/Constants.java
 +++ b/java/org/apache/naming/factory/Constants.java
 @@ -38,7 +38,7 @@ public final class Constants {
@@ -22,20 +22,20 @@ index 653a3e9..b867a3b 100644
      public static final String OPENEJB_EJB_FACTORY = Package + ".OpenEjbFactory";
  
 diff --git a/webapps/docs/config/systemprops.xml b/webapps/docs/config/systemprops.xml
-index 377cf51..73c80c5 100644
+index dcc0a48..9fe0ad0 100644
 --- a/webapps/docs/config/systemprops.xml
 +++ b/webapps/docs/config/systemprops.xml
-@@ -644,7 +644,7 @@
+@@ -645,7 +645,7 @@
      <property name="javax.sql.DataSource.Factory">
        <p>The class name of the factory to use to create resources of type
        <code>javax.sql.DataSource</code>. If not specified the default of
 -      <code>org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory</code> is used
 +      <code>org.apache.tomcat.jdbc.pool.DataSourceFactory</code> is used
        which is a package renamed (to avoid conflicts) copy of
-       <a href="http://commons.apache.org/dbcp">Apache Commons DBCP</a>.</p>
+       <a href="https://commons.apache.org/dbcp">Apache Commons DBCP</a>.</p>
      </property>
 diff --git a/webapps/docs/jndi-resources-howto.xml b/webapps/docs/jndi-resources-howto.xml
-index 02ab6df..1f6c102 100644
+index a2bca20..ea3f706 100644
 --- a/webapps/docs/jndi-resources-howto.xml
 +++ b/webapps/docs/jndi-resources-howto.xml
 @@ -760,7 +760,7 @@ conn.close();]]></source>

debian/patches/series

@@ -10,10 +10,10 @@
 0004-split-deploy-webapps-target-from-deploy-target.patch
 0009-Use-java.security.policy-file-in-catalina.sh.patch
 0010-debianize-build-xml.patch
-0017-use-jdbc-pool-default.patch
 0018-fix-manager-webapp.patch
 0019-add-distribution-to-error-page.patch
 0024-disable-unit-tests-depending-on-network-access.patch
 0025-standard-taglibs-compatibility.patch
 0026-add-asm-to-test-classpath.patch
 0027-TestFileHandlerNonRotatable.patch
+0017-use-jdbc-pool-default.patch

debian/rules

@@ -42,7 +42,7 @@ ANT_ARGS := -Dcompile.debug=true \
 	-Deasymock.jar=/usr/share/java/easymock.jar \
 	-Dcglib.jar=/usr/share/java/cglib3.jar \
 	-Dobjenesis.jar=/usr/share/java/objenesis.jar \
-	-Dversion="7.0.88" \
+	-Dversion="7.0.90" \
     -Dversion.major="$(T_VER_MAJOR)" \
     -Dversion.minor="$(T_VER_MINOR)" \
     -Dversion.build="$(T_VER_BUILD)" \

java/javax/el/ExpressionFactory.java

@@ -159,7 +159,7 @@ public abstract class ExpressionFactory {
     public static ExpressionFactory newInstance(Properties properties) {
         ExpressionFactory result = null;
         
-        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
+        ClassLoader tccl = Util.getContextClassLoader();
 
         CacheValue cacheValue;
         Class<?> clazz;

java/javax/el/Util.java

@@ -21,6 +21,8 @@ import java.lang.reflect.Array;
 import java.lang.reflect.Constructor;
 import java.lang.reflect.Method;
 import java.lang.reflect.Modifier;
+import java.security.AccessController;
+import java.security.PrivilegedAction;
 import java.text.MessageFormat;
 import java.util.ArrayList;
 import java.util.HashMap;
@@ -90,7 +92,8 @@ class Util {
      */
     static ExpressionFactory getExpressionFactory() {
 
-        ClassLoader tccl = Thread.currentThread().getContextClassLoader();
+        ClassLoader tccl = getContextClassLoader();
+
         CacheValue cacheValue = null;
         ExpressionFactory factory = null;
 
@@ -640,6 +643,19 @@ class Util {
     }
 
 
+    static ClassLoader getContextClassLoader() {
+        ClassLoader tccl;
+        if (System.getSecurityManager() != null) {
+            PrivilegedAction<ClassLoader> pa = new PrivilegedGetTccl();
+            tccl = AccessController.doPrivileged(pa);
+        } else {
+            tccl = Thread.currentThread().getContextClassLoader();
+        }
+
+        return tccl;
+    }
+
+
     private abstract static class Wrapper {
 
         public static List<Wrapper> wrap(Method[] methods, String name) {
@@ -790,4 +806,12 @@ class Util {
             }
         }
     }
+
+
+    private static class PrivilegedGetTccl implements PrivilegedAction<ClassLoader> {
+        @Override
+        public ClassLoader run() {
+            return Thread.currentThread().getContextClassLoader();
+        }
+    }
 }

java/org/apache/catalina/ant/jmx/package.html

@@ -20,8 +20,8 @@
 <em>Ant (version 1.6 or later)</em> that can be used to interact with the
 Remote JMX JSR 160 RMI Adaptor to get/set attributes, invoke MBean operations
 and query for Mbeans inside a running instance of Tomcat.  For more information, see
-<a href="http://tomcat.apache.org/tomcat-7.0-doc/monitoring.html">
-http://tomcat.apache.org/tomcat-7.0-doc/monitoring.html</a>.</p>
+<a href="https://tomcat.apache.org/tomcat-7.0-doc/monitoring.html">
+https://tomcat.apache.org/tomcat-7.0-doc/monitoring.html</a>.</p>
 
 <p>Each task element can open a new jmx connection or reference an
 existing one. The following attribute are exists in every tasks:</p>

java/org/apache/catalina/ant/package.html

@@ -20,8 +20,8 @@
 <em>Ant (version 1.6.x or later)</em> that can be used to interact with the
 Manager application to deploy, undeploy, list, reload, start and stop web applications 
 from a running instance of Tomcat.  For more information, see
-<a href="http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html">
-http://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html</a>.</p>
+<a href="https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html">
+https://tomcat.apache.org/tomcat-7.0-doc/manager-howto.html</a>.</p>
 
 <p>The attributes of each task element correspond
 exactly to the request parameters that are included with an HTTP request

java/org/apache/catalina/authenticator/AuthenticatorBase.java

@@ -22,9 +22,7 @@ package org.apache.catalina.authenticator;
 import java.io.IOException;
 import java.security.Principal;
 import java.security.cert.X509Certificate;
-import java.text.SimpleDateFormat;
 import java.util.Date;
-import java.util.Locale;
 
 import javax.servlet.ServletException;
 import javax.servlet.http.Cookie;
@@ -45,7 +43,7 @@ import org.apache.catalina.connector.Response;
 import org.apache.catalina.deploy.LoginConfig;
 import org.apache.catalina.deploy.SecurityConstraint;
 import org.apache.catalina.realm.GenericPrincipal;
-import org.apache.catalina.util.DateTool;
+import org.apache.catalina.util.ConcurrentDateFormat;
 import org.apache.catalina.util.SessionIdGeneratorBase;
 import org.apache.catalina.util.StandardSessionIdGenerator;
 import org.apache.catalina.valves.ValveBase;
@@ -79,7 +77,7 @@ import org.apache.tomcat.util.res.StringManager;
 public abstract class AuthenticatorBase extends ValveBase
         implements Authenticator {
 
-    private static final Log log = LogFactory.getLog(AuthenticatorBase.class);
+    private final Log log = LogFactory.getLog(AuthenticatorBase.class); // must not be static
 
 
     //------------------------------------------------------ Constructor
@@ -199,9 +197,7 @@ public abstract class AuthenticatorBase extends ValveBase
     /**
      * "Expires" header always set to Date(1), so generate once only
      */
-    private static final String DATE_ONE =
-        (new SimpleDateFormat(DateTool.HTTP_RESPONSE_DATE_HEADER,
-                              Locale.US)).format(new Date(1));
+    private static final String DATE_ONE = ConcurrentDateFormat.formatRfc1123(new Date(1));
 
 
     // ------------------------------------------------------------- Properties

java/org/apache/catalina/authenticator/DigestAuthenticator.java

@@ -54,7 +54,7 @@ import org.apache.tomcat.util.security.MD5Encoder;
 
 public class DigestAuthenticator extends AuthenticatorBase {
 
-    private static final Log log = LogFactory.getLog(DigestAuthenticator.class);
+    private final Log log = LogFactory.getLog(DigestAuthenticator.class); // must not be static
 
 
     // -------------------------------------------------------------- Constants