Update to Tomcat 6.0.18

Bug #260016 reported by Thierry Carrez
Affects: tomcat6 (Ubuntu)
Status: Fix Released
Importance: Wishlist
Assigned to: Unassigned
Milestone: (none)

Bug Description

Binary package hint: tomcat6

Tomcat 6.0.18 was released on Jul 31 as a security release to fix CVE-2008-1232, CVE-2008-1947, CVE-2008-2370 and CVE-2008-2938.

There was however significant bugfix work for the (doa) 6.0.17 release. See the combined upstream changelog at:
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

Thierry Carrez (ttx)
Changed in tomcat6:
assignee: nobody → tcarrez
importance: Undecided → Wishlist
status: New → In Progress
Thierry Carrez (ttx)
description: updated
Thierry Carrez (ttx) wrote:

Consolidated interdiff for simplified review

tomcat6 (6.0.18-0ubuntu1) intrepid; urgency=low

  * New upstream version (LP: #260016)
    - Fixes CVE-2008-2938: Directory traversal vulnerability (LP: #256802)
    - Fixes CVE-2008-2370: Information disclosure vulnerability (LP: #256922)
    - Fixes CVE-2008-1232: XSS through sendError vulnerability (LP: #256926)
  * Dropped CVE-2008-1947.patch (fix is shipped in this upstream release)
  * control: Improve short descriptions for the binary packages
  * copyright: Added link to /usr/share/common-licenses/Apache-2.0

Thierry Carrez (ttx) wrote:

Full interdiff for the sponsors.

Changed in tomcat6:
assignee: tcarrez → nobody
status: In Progress → Confirmed
Thierry Carrez (ttx) wrote:

New consolidated interdiff for simplified review

I added a Depends fix, so here are the new files.

tomcat6 (6.0.18-0ubuntu1) intrepid; urgency=low

  * New upstream version (LP: #260016)
    - Fixes CVE-2008-2938: Directory traversal vulnerability (LP: #256802)
    - Fixes CVE-2008-2370: Information disclosure vulnerability (LP: #256922)
    - Fixes CVE-2008-1232: XSS through sendError vulnerability (LP: #256926)
  * Dropped CVE-2008-1947.patch (fix is shipped in this upstream release)
  * control: Improve short descriptions for the binary packages
  * copyright: Added link to /usr/share/common-licenses/Apache-2.0
  * control: To pull the right JRE, libtomcat6-java now depends on default-jre-headless | java5-runtime-headless

Thierry Carrez (ttx) wrote:

New full interdiff for the sponsors.

Mathias Gug (mathiaz) wrote:

Why have you switched from java6-runtime-headless to java5-runtime-headless as the virtual package dependency?

Thierry Carrez (ttx) wrote:

According to http://tomcat.apache.org/migration.html: "Tomcat 6.0 requires JRE 5.0". This dependency more accurately describes what is needed to run Tomcat.

However, on second thought, Tomcat 6 doesn't run with gij (which provides java5-runtime-headless), so I should probably depend on "default-jre-headless | java6-runtime-headless" to make sure to use only compatible JREs.

I'll fix that and post the corresponding full interdiff very soon.

Changed in tomcat6:
assignee: nobody → tcarrez
status: Confirmed → In Progress
Thierry Carrez (ttx) wrote:

Fixed full interdiff with java6-runtime-headless rather than java5-

Changed in tomcat6:
assignee: tcarrez → nobody
status: In Progress → Confirmed
Thierry Carrez (ttx) wrote:

Full diff.gz, per request.

Launchpad Janitor (janitor) wrote:

This bug was fixed in the package tomcat6 - 6.0.18-0ubuntu1

---------------
tomcat6 (6.0.18-0ubuntu1) intrepid; urgency=low

  * New upstream version (LP: #260016)
    - Fixes CVE-2008-2938: Directory traversal vulnerability (LP: #256802)
    - Fixes CVE-2008-2370: Information disclosure vulnerability (LP: #256922)
    - Fixes CVE-2008-1232: XSS through sendError vulnerability (LP: #256926)
  * Dropped CVE-2008-1947.patch (fix is shipped in this upstream release)
  * control: Improve short descriptions for the binary packages
  * copyright: Added link to /usr/share/common-licenses/Apache-2.0
  * control: To pull the right JRE, libtomcat6-java now depends on
    default-jre-headless | java6-runtime-headless

 -- Thierry Carrez <email address hidden> Fri, 22 Aug 2008 09:15:11 +0200

Changed in tomcat6:
status: Confirmed → Fix Released