Update the JMX descriptors to more accurately reflect the properties and methods of the underlying objects, taking particular care about which attributes should be read-only and which read-write. Then add additional functionality as necessary to enable a complete Tomcat instance to be configured entirely via JMX (ie start with a Server with no config and create everything via JMX).
Update the security pages etc to include svn revisions for each fix, update the release notes to include the CVE reference with the fix, update the svn logs to include the CVE reference. This will require a lot of cross-checking to ensure that the correct CVEs and svn references are added, particularly for the older vulnerabilities. This would include the 5.5.x, 6.0.x and 7.0.x code-bases.
Provide a JSR196 implementation
Create Connector that supports the SPDY protocol (Seehttp://dev.chromium.org/spdy/spdy-whitepaper