The JSP and Servlet which are part of the sample application are not updated in the war file. The sample.war file still contains the old files. So this security hole still exists in the latest tomcat distribution.
Thanks for the report. This has been fixed in svn for 5.5.x and 6.0.x and will be included in the next release of both.