Release Notes

Complete Changelog for NES for Apache Tomcat

Apache Tomcat 8.5.x

8.5.103 (NES) - November 3, 2025

Notes

  • This release includes a compatibility fix for a deadlock that can occur when Tomcat is used with Spring Boot 1.5.
  • This release includes both Maven packages and binaries. The binary packages for this release are available at https://registry.nes.herodevs.com/bin/org.apache.tomcat/tomcat-release/8.5.100-tomcat-8.5.103/tomcat-nes-v8.5.103.zip.

Bug Fixes

This release patches the following:

  • Improve the locking strategy for StandardServer.services
    • This fixes a potential deadlock, introduced in Tomcat 8.5.99, that broke compatibility with Spring Boot 1.5. OSS fixed the issue in 9.x but never backported the fix to 8.5. With this release, Tomcat works with Spring Boot 1.5 again.
  • Fix a couple of issues with QSA/QSD handling and associated tests
  • Add escaping to logging output
  • Explicitly clean up after failed multi-part upload

8.5.102 (NES) - July 23, 2025

Notes

  • This release includes both Maven packages and binaries. The binary packages for this release are available at https://registry.nes.herodevs.com/bin/org.apache.tomcat/tomcat-release/8.5.100-tomcat-8.5.102/tomcat-nes-v8.5.102.zip.

Bug Fixes

This release patches the following:

Full Version: 8.5.100-tomcat-8.5.102

8.5.101 (NES) - July 10, 2025

Notes

  • This release originates from the open‑source Apache Tomcat project forked by HeroDevs. It encompasses modifications implemented by HeroDevs to ensure successful framework builds.
  • This release includes both Maven packages and binaries. The binary packages for this release are available at https://registry.nes.herodevs.com/bin/org.apache.tomcat/tomcat-release/8.5.100-tomcat-8.5.101/tomcat-nes-v8.5.101.zip.

Bug Fixes

  • Make counting of active streams more robust
  • Add support for re-keying with TLS 1.3
  • Fix inconsistent resource metadata with concurrent GET and PUT/DELETE
  • If the Jakarta Authentication fails with an exception, set a 500 status
  • Fix Uncontrolled Resource Consumption vulnerability in the examples web application provided with Apache Tomcat that leads to denial of service
  • Automate protection for CVE-2024-56337
  • Enhance lifecycle of temporary files used by partial PUT
  • Fix Apache Tomcat Denial of Service via invalid HTTP priority header
  • Fix Apache Tomcat Rewrite rule bypass
  • Refactor CGI servlet to access resources via WebResources and use the WebResource API to differentiate files and directories
  • Fix allocation of resources for multipart headers with insufficient limits, which enabled a DoS vulnerability in Apache Commons FileUpload
  • Fix Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat.
  • Use the full path when calling icacls.exe
  • Expand checks for webAppMount

Full Version: 8.5.100-tomcat-8.5.101