Sat. Jul 11th, 2020

Apache Tomcat 9.0.37 releases

3 min read

Apache Tomcat is an open-source implementation of Java Servlets, JavaServer Pages, Java Expression Language, and Java WebSocket technology. Designed to provide users with the original Java environment to run Web applications.

The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project. To learn more about getting involved, click here.

Apache Tomcat software powers numerous large-scale, mission-critical web applications across a diverse range of industries and organizations. Some of these users and their stories are listed on the PoweredBy wiki page.

Apache Tomcat 9.0.37 includes fixes and other enhancements and changes.


  • Add:  Remove the error message on start if is missing and add an explicit error message on application deployment when the sole feature that depends on it (anti-resource locking) is configured and can’t be used. (markt)
  • Update:  Implement a significant portion of the TLS environment variables for the rewrite valve. (remm)
  • Fix:  64506: Correct a potential race condition in the resource cache implementation that could lead to NullPointerExceptions during class loading. (markt)
  • Add:  Add application/wasm to the media types recognised by Tomcat. Based on a PR by Thiago Henrique Hüpner. (markt)
  • Fix:  Fix a bug in HttpServlet so that a 405 response is returned for an HTTP/2 request if the mapped servlet does implement the requested method rather than the more general 400 response. (markt)
  • Add:  Add generated classes using Tomcat embedded as an optional replacement for the Catalina configuration files. (remm)
  • Fix:  64541: Refactor the DTD used to validate mbeans-descriptors.xml files to avoid issues when XML entity expansion is limited or disabled. (markt)


  • Add:  Include a Connection: close HTTP header when committing a response and it is known that the maxSwallowSize limit is going to be exceeded. (markt)
  • Fix:  64509: Correctly parse RFC 2109 version 1 cookies that use a comma as a separater between cookies when using the RFC 6265 cookie processor. Based on a patch by W J Carpenter. (markt)
  • Fix:  Fix the utility code that converted IPv6 addresses to a canonical form to correctly handle input addresses that ended with a pair of colons. Based on a patch by syarramsetty-skyhook. (markt)
  • Fix:  Correctly parse RFC 2109 version 1 cookies that have additional linear white space around cookie attrubute names and values when using the RFC 6265 cookie processor. (markt)
  • Fix:  Once an HTTP/2 stream has been closed, ensure that the code that cleans up references that are no longer required is called. (markt)
  • Fix:  Reduce the memory footprint of closed HTTP/2 streams. (markt)
  • Fix:  Ensure that the HTTP/1.1 processor is correctly recycled when a direct connection to h2c is made. (markt)


  • Fix:  64560: Refactor the replication of a changed session ID for a replicated session so that the list of changes associated with the session is not reset when the session ID changes. (markt)


  • Fix:  64563: Add additional validation of payload length for WebSocket messages. (markt)
  • Fix:  Correct the calculation of payload length when four or more bytes are required to represent the payload length. (markt)


  • Fix:  64498: Fix incorrect version format in OSGi manifests. Patch provided by Raymond Augé. (markt)
  • Fix:  64501: Refactor the handling of the deprecated LOGGING_CONFIG environment variable to avoid using a POSIX shell feature that is not available by default on Solaris 10. (markt)
  • Fix:  64513: Remove bndlib from dependencies as it is not required. Pull request provided by Raymond Augé. (markt)
  • Fix:  64515: Bnd files don’t need to be filtered (save some work). Pull request provided by Raymond Augé. (markt)
  • Update:  Update the OWB module to Apache OpenWebBeans 2.0.17. (remm)
  • Fix:  64514: Fixes some missing class dependency issus in bootstrap to address packaging/dependency concerns for JPMS and OSGi. Pull request provided by Raymond Augé. (markt)
  • Fix:  64521: Avoid moving i18n translations into classes dir since they are packaged into separate jars. Pull request provided by Raymond Augé. (markt)
  • Fix:  64522: Package jars in effective dependency order. Pull request provided by Raymond Augé. (markt)
  • Fix:  Store common build details in a shared build-defaults.bnd. Pull request provided by Raymond Augé. (markt)
  • Fix:  64532: Update to bnd 5.1.1. Pull request provided by Raymond Augé. (markt)
  • Fix:  64540: Switch from bndwrap task to bnd task, begin generating a better manifest and make sure the resulting jar contents are correct. Pull request provided by Raymond Augé. (markt)
  • Fix:  64544: Add built libs to the bnd classpath for introspection. Pull request provided by Raymond Augé. (markt)
  • Add:  Improve the quality and expand the coverage of the French translations provided with Apache Tomcat. (remm)