| Version | Change log |
| Apache Tomcat 11.0.13 Oct 14, 2025 |
Fix copy/paste refactoring errors in 11.0.12 that meant DELETE requests received via the AJP connector were processed as OPTIONS requests and PROPFIND requests were processed as TRACE. Add CIDR support to the RemoteIp[Filter|Valve] and deprecate the RemoteAddr[Filter|Valve] in favour of the RemoteCIDR[Filter|Valve] Log warnings when the SSO configuration does not comply with the documentation. |
| Apache Tomcat 11.0.12 Oct 7, 2025 |
The notable changes in this release are: Add specific certificate selection code for TLS 1.3 supporting post quantum cryptography. Certificates defined with type MLDSA will be selected depending on the TLS client hello. Add groups attribute on SSLHostConfig allowing to restrict which groups can be enabled on the SSL engine. Store HTTP/1.1 request headers using the original case for the header name rather than forcing it to lower case. |
| Apache Tomcat 11.0.11 Oct 6, 2025 |
Correct a regression in the fix for 69781 that broke FileStore Change the digest used to calculate strong ETags (if enabled) for the default Servlet from SHA-1 to SHA-256 Add hybrid PQC support to OpenSSL-based connectors |
| Apache Tomcat 11.0.6 Apr 9, 2025 |
Remove the requirement that an MD5 implementation must be provided by JRE. Improve the handling of %nn URL encoding in the RewriteValve Various improvements to the JsonErrorReportValve |
| Apache Tomcat 11.0.5 Mar 6, 2025 |
Improve the checks for exposure to and protection against CVE-2024-56337 so that reflection is not used unless required. The checks for whether the file system is case sensitive or not have been removed. Use Transfer-Encoding for compression rather than Content-Encoding if the client submits a TE header containing gzip. Add makensis as an option for building the Installer for Windows on non-Windows platforms. |
| Apache Tomcat 11.0.4 Feb 17, 2025 |
The notable changes in this release are: Allow readOnly attribute configuration on the Resources element and allow configuration of the readOnly attribute value of the main resources. The attribute value will also be used by the default and WebDAV Servlets. Correct a regression in the fix for bug 69382 that broke JSP include actions if both the page attribute and the body contained parameters. Pull request #803 provided by Chenjp. Expand the options for handling encoded '/' and '' characters in URLs both in the Connector and when using a RequestDispatcher. |
| Apache Tomcat 11.0.3 Feb 10, 2025 |
The notable changes in this release are: Allow readOnly attribute configuration on the Resources element and allow configuration of the readOnly attribute value of the main resources. The attribute value will also be used by the default and WebDAV Servlets. Correct a regression in the fix for bug 69382 that broke JSP include actions if both the page attribute and the body contained parameters. Pull request #803 provided by Chenjp. Expand the options for handling encoded '/' and '' characters in URLs both in the Connector and when using a RequestDispatcher. |
| Apache Tomcat 11.0.2 Dec 9, 2024 |
Add strong ETag support for the WebDAV and default servlet, which can be enabled by using the useStrongETags init parameter with a value set to true. The ETag generated will be a SHA-1 checksum of the resource content. Add support for RateLimit header fields for HTTP (RFC draft) in the RateLimitFilter. Based on pull request #775 provided by Chenjp. Update Tomcat's fork of Commons DBCP to 2.13.0. |
| Apache Tomcat 11.0.1 Nov 11, 2024 |
Fix a regression caused by the improvement 69333 which caused the tag release to be called when using tag pooling, and to be skipped when not using it. Patch submitted by Michal Sobkiewicz. Further WebDAV fixes and improvements. |
| Apache Tomcat 11.0.0 Nov 9, 2024 |
Multiple fixes and improvements for WebDAV Improvements to the recently adding request/response recycling for HTTP/2 Improve the stability of Tomcat Native during GC |
