Line 563: long seed = System.currentTimeMillis();
...
Line 567: long update = ((byte) entropy[i]) << ((i % 8) * 8);
Line 568: seed ^= update;

The byte-cast in Line 567 should be replaced by a long-cast. With the byte-cast of entropy[i] the long update becomes a 32-bit int, so the 32 most significant bits of the seed will not be updated by the XOR in Line 568.
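The truncation described in the report above, as an added example that is not part of the original report or of Tomcat's code: it runs the quoted mixing loop once with the byte cast and once with a long cast over the same constructed input and prints the resulting seeds. The class and method names, the zero start seed, the char[] type of entropy and the sample string are assumptions made for the illustration.

```java
public class SeedMixDemo {
    // Loop as quoted in the report. The byte operand is promoted to int, so
    // Java takes the shift distance modulo 32 and the shift result is a
    // 32-bit int that is only afterwards widened to long.
    static long mixWithByteCast(long seed, char[] entropy) {
        for (int i = 0; i < entropy.length; i++) {
            long update = ((byte) entropy[i]) << ((i % 8) * 8);
            seed ^= update;
        }
        return seed;
    }

    // Same loop with the cast the report proposes. The left operand is a
    // long, so shift distances of 32, 40, 48 and 56 reach the upper half.
    static long mixWithLongCast(long seed, char[] entropy) {
        for (int i = 0; i < entropy.length; i++) {
            long update = ((long) entropy[i]) << ((i % 8) * 8);
            seed ^= update;
        }
        return seed;
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from Tomcat. A zero start
        // seed (assumption, instead of currentTimeMillis) makes every bit
        // that the loop touched directly visible in the output.
        long seed = 0L;
        char[] entropy = "constructed-sample-entropy".toCharArray();

        long withByte = mixWithByteCast(seed, entropy);
        long withLong = mixWithLongCast(seed, entropy);

        System.out.printf("byte cast: %016x  upper 32 bits touched: %b%n",
                withByte, (withByte >>> 32) != 0);
        System.out.printf("long cast: %016x  upper 32 bits touched: %b%n",
                withLong, (withLong >>> 32) != 0);
    }
}
```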
For reference, a short discussion on the dev list: http://markmail.org/thread/r7kvsx3epauzw5qq
Created attachment 28894
2012-06-05_tc6_53050_ManagerBase.patch
Patch to be proposed for Tomcat 6.0
Created attachment 28895
2012-06-05_tc55_53050_ManagerBase.patch
Patch to be proposed for Tomcat 5.5
Proposed for 6.0 and 5.5.
Fixed in 6.0 with r1353112 and will be in 6.0.36. I am reassigning this issue from 6.0.24 to 5.5.
This was fixed some time ago in 5.5.x (r1359751) and will be included in 5.5.36 onwards.