Get this repository:
git clone https://git.launchpad.net/ubuntu/+source/tomcat6
Members of Ubuntu Server Dev import team can upload to this repository.

Branches

Name Last Modified Last Commit
importer/ubuntu/dsc 2018-10-17 18:46:49 UTC 2018-10-17
DSC file for 6.0.39-1ubuntu0.1

Author: Ubuntu Git Importer
Author Date: 2018-10-17 18:46:49 UTC

DSC file for 6.0.39-1ubuntu0.1

ubuntu/trusty-security 2018-10-17 13:43:14 UTC 2018-10-17
Import patches-unapplied version 6.0.39-1ubuntu0.1 to ubuntu/trusty-security

Author: Eduardo dos Santos Barretto
Author Date: 2018-10-11 21:55:25 UTC

Import patches-unapplied version 6.0.39-1ubuntu0.1 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 9a275391aa32a30784e2452e9f971a1fe82e1319

New changelog entries:
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2014-0075.patch: Fix integer overflow in the
      parseChunkHeader function in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
    - CVE-2014-0075
  * SECURITY UPDATE: Bypass security-manager restrictions and read
    arbitrary files via a crafted web application that provides an XML
    external entity declaration in conjunction with an entity reference.
    - debian/patches/CVE-2014-0096.patch: Properly restrict XSLT
      stylesheets
    - CVE-2014-0096
  * SECURITY UPDATE: Fix integer overflow.
    - debian/patches/CVE-2014-0099.patch: Fix in
      java/org/apache/tomcat/util/buf/Ascii.java
    - CVE-2014-0099
  * SECURITY UPDATE: Read arbitrary files via a crafted web application
    that provides an XML external entity declaration in conjunction with
    an entity reference.
    - debian/patches/CVE-2014-0119-1.patch: fix in SecurityClassLoad.java
      and DefaultServlet.java
    - debian/patches/CVE-2014-0119-2.patch: fix in TldConfig.java
    - debian/patches/CVE-2014-0119-3.patch: fix in multiple files
    - CVE-2014-0119
  * SECURITY UPDATE: Add error flag to allow subsequent attempts at
    reading after an error to fail fast.
    - debian/patches/CVE-2014-0227.patch: fix in ChunkedInputFilter.java
    - CVE-2014-0227
  * SECURITY UPDATE: DoS (thread consumption) via a series of aborted
    upload attempts.
    - debian/patches/CVE-2014-0230.patch: add support for maxSwallowSize
    - CVE-2014-0230
  * SECURITY UPDATE: Bypass a SecurityManager protection mechanism via a
    web application that leverages use of incorrect privileges during EL
    evaluation.
    - debian/patches/CVE-2014-7810-1.patch: fix in BeanELResolver.java
    - debian/patches/CVE-2014-7810-2.patch: fix in PageContextImpl.java
      and SecurityClassLoad.java
    - CVE-2014-7810
  * SECURITY UPDATE: Directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix in RequestUtil.java
    - CVE-2015-5174
  * SECURITY UPDATE: Remote attackers can determine the existence of a
    directory via a URL that lacks a trailing slash character.
    - debian/patches/CVE-2015-5345-1.patch: fix in multiple files
    - debian/patches/CVE-2015-5345-2.patch: fix in multiple files
    - CVE-2015-5345
  * SECURITY UPDATE: Bypass CSRF protection mechanism by using a token.
    - debian/patches/CVE-2015-5351-1.patch: fix in manager application
    - debian/patches/CVE-2015-5351-2.patch: fix in host-manager
      application
    - CVE-2015-5351
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    read arbitrary HTTP requests, and consequently discover session ID
    values, via a crafted web application.
    - debian/patches/CVE-2016-0706.patch: fix in
      RestrictedServlets.properties
    - CVE-2016-0706
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    execute arbitrary code in a privileged context via a web application
    that places a crafted object in a session.
    - debian/patches/CVE-2016-0714-1.patch: fix in multiple files.
    - debian/patches/CVE-2016-0714-2.patch: fix in multiple files.
    - CVE-2016-0714
  * SECURITY UPDATE: Possible to determine valid user names.
    - debian/patches/CVE-2016-0762.patch: fix in MemoryRealm.java and
      RealmBase.java
    - CVE-2016-0762
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    read or write to arbitrary application data, or cause a denial of
    service (application disruption), via a web application that sets
    a crafted global context.
    - debian/patches/CVE-2016-0763.patch: fix in ResourceLinkFactory.java
    - CVE-2016-0763
  * SECURITY UPDATE: Access to the tomcat account to gain root privileges
    via a symlink attack on the Catalina log file.
    - debian/tomcat6.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240

applied/ubuntu/trusty-devel 2018-10-17 13:43:14 UTC 2018-10-17
Import patches-applied version 6.0.39-1ubuntu0.1 to applied/ubuntu/trusty-sec...

Author: Eduardo dos Santos Barretto
Author Date: 2018-10-11 21:55:25 UTC

Import patches-applied version 6.0.39-1ubuntu0.1 to applied/ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: fbcb77efb5d4799e0b73e2999141dde4994c0acd
Unapplied parent: e256b16a4e440b3c284d2ba1835b4cc99f5eb7a7

New changelog entries:
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2014-0075.patch: Fix integer overflow in the
      parseChunkHeader function in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
    - CVE-2014-0075
  * SECURITY UPDATE: Bypass security-manager restrictions and read
    arbitrary files via a crafted web application that provides an XML
    external entity declaration in conjunction with an entity reference.
    - debian/patches/CVE-2014-0096.patch: Properly restrict XSLT
      stylesheets
    - CVE-2014-0096
  * SECURITY UPDATE: Fix integer overflow.
    - debian/patches/CVE-2014-0099.patch: Fix in
      java/org/apache/tomcat/util/buf/Ascii.java
    - CVE-2014-0099
  * SECURITY UPDATE: Read arbitrary files via a crafted web application
    that provides an XML external entity declaration in conjunction with
    an entity reference.
    - debian/patches/CVE-2014-0119-1.patch: fix in SecurityClassLoad.java
      and DefaultServlet.java
    - debian/patches/CVE-2014-0119-2.patch: fix in TldConfig.java
    - debian/patches/CVE-2014-0119-3.patch: fix in multiple files
    - CVE-2014-0119
  * SECURITY UPDATE: Add error flag to allow subsequent attempts at
    reading after an error to fail fast.
    - debian/patches/CVE-2014-0227.patch: fix in ChunkedInputFilter.java
    - CVE-2014-0227
  * SECURITY UPDATE: DoS (thread consumption) via a series of aborted
    upload attempts.
    - debian/patches/CVE-2014-0230.patch: add support for maxSwallowSize
    - CVE-2014-0230
  * SECURITY UPDATE: Bypass a SecurityManager protection mechanism via a
    web application that leverages use of incorrect privileges during EL
    evaluation.
    - debian/patches/CVE-2014-7810-1.patch: fix in BeanELResolver.java
    - debian/patches/CVE-2014-7810-2.patch: fix in PageContextImpl.java
      and SecurityClassLoad.java
    - CVE-2014-7810
  * SECURITY UPDATE: Directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix in RequestUtil.java
    - CVE-2015-5174
  * SECURITY UPDATE: Remote attackers can determine the existence of a
    directory via a URL that lacks a trailing slash character.
    - debian/patches/CVE-2015-5345-1.patch: fix in multiple files
    - debian/patches/CVE-2015-5345-2.patch: fix in multiple files
    - CVE-2015-5345
  * SECURITY UPDATE: Bypass CSRF protection mechanism by using a token.
    - debian/patches/CVE-2015-5351-1.patch: fix in manager application
    - debian/patches/CVE-2015-5351-2.patch: fix in host-manager
      application
    - CVE-2015-5351
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    read arbitrary HTTP requests, and consequently discover session ID
    values, via a crafted web application.
    - debian/patches/CVE-2016-0706.patch: fix in
      RestrictedServlets.properties
    - CVE-2016-0706
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    execute arbitrary code in a privileged context via a web application
    that places a crafted object in a session.
    - debian/patches/CVE-2016-0714-1.patch: fix in multiple files.
    - debian/patches/CVE-2016-0714-2.patch: fix in multiple files.
    - CVE-2016-0714
  * SECURITY UPDATE: Possible to determine valid user names.
    - debian/patches/CVE-2016-0762.patch: fix in MemoryRealm.java and
      RealmBase.java
    - CVE-2016-0762
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    read or write to arbitrary application data, or cause a denial of
    service (application disruption), via a web application that sets
    a crafted global context.
    - debian/patches/CVE-2016-0763.patch: fix in ResourceLinkFactory.java
    - CVE-2016-0763
  * SECURITY UPDATE: Access to the tomcat account to gain root privileges
    via a symlink attack on the Catalina log file.
    - debian/tomcat6.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240

ubuntu/trusty-devel 2018-10-17 13:43:14 UTC 2018-10-17
Import patches-unapplied version 6.0.39-1ubuntu0.1 to ubuntu/trusty-security

Author: Eduardo dos Santos Barretto
Author Date: 2018-10-11 21:55:25 UTC

Import patches-unapplied version 6.0.39-1ubuntu0.1 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 9a275391aa32a30784e2452e9f971a1fe82e1319

New changelog entries:
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2014-0075.patch: Fix integer overflow in the
      parseChunkHeader function in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
    - CVE-2014-0075
  * SECURITY UPDATE: Bypass security-manager restrictions and read
    arbitrary files via a crafted web application that provides an XML
    external entity declaration in conjunction with an entity reference.
    - debian/patches/CVE-2014-0096.patch: Properly restrict XSLT
      stylesheets
    - CVE-2014-0096
  * SECURITY UPDATE: Fix integer overflow.
    - debian/patches/CVE-2014-0099.patch: Fix in
      java/org/apache/tomcat/util/buf/Ascii.java
    - CVE-2014-0099
  * SECURITY UPDATE: Read arbitrary files via a crafted web application
    that provides an XML external entity declaration in conjunction with
    an entity reference.
    - debian/patches/CVE-2014-0119-1.patch: fix in SecurityClassLoad.java
      and DefaultServlet.java
    - debian/patches/CVE-2014-0119-2.patch: fix in TldConfig.java
    - debian/patches/CVE-2014-0119-3.patch: fix in multiple files
    - CVE-2014-0119
  * SECURITY UPDATE: Add error flag to allow subsequent attempts at
    reading after an error to fail fast.
    - debian/patches/CVE-2014-0227.patch: fix in ChunkedInputFilter.java
    - CVE-2014-0227
  * SECURITY UPDATE: DoS (thread consumption) via a series of aborted
    upload attempts.
    - debian/patches/CVE-2014-0230.patch: add support for maxSwallowSize
    - CVE-2014-0230
  * SECURITY UPDATE: Bypass a SecurityManager protection mechanism via a
    web application that leverages use of incorrect privileges during EL
    evaluation.
    - debian/patches/CVE-2014-7810-1.patch: fix in BeanELResolver.java
    - debian/patches/CVE-2014-7810-2.patch: fix in PageContextImpl.java
      and SecurityClassLoad.java
    - CVE-2014-7810
  * SECURITY UPDATE: Directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix in RequestUtil.java
    - CVE-2015-5174
  * SECURITY UPDATE: Remote attackers can determine the existence of a
    directory via a URL that lacks a trailing slash character.
    - debian/patches/CVE-2015-5345-1.patch: fix in multiple files
    - debian/patches/CVE-2015-5345-2.patch: fix in multiple files
    - CVE-2015-5345
  * SECURITY UPDATE: Bypass CSRF protection mechanism by using a token.
    - debian/patches/CVE-2015-5351-1.patch: fix in manager application
    - debian/patches/CVE-2015-5351-2.patch: fix in host-manager
      application
    - CVE-2015-5351
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    read arbitrary HTTP requests, and consequently discover session ID
    values, via a crafted web application.
    - debian/patches/CVE-2016-0706.patch: fix in
      RestrictedServlets.properties
    - CVE-2016-0706
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    execute arbitrary code in a privileged context via a web application
    that places a crafted object in a session.
    - debian/patches/CVE-2016-0714-1.patch: fix in multiple files.
    - debian/patches/CVE-2016-0714-2.patch: fix in multiple files.
    - CVE-2016-0714
  * SECURITY UPDATE: Possible to determine valid user names.
    - debian/patches/CVE-2016-0762.patch: fix in MemoryRealm.java and
      RealmBase.java
    - CVE-2016-0762
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    read or write to arbitrary application data, or cause a denial of
    service (application disruption), via a web application that sets
    a crafted global context.
    - debian/patches/CVE-2016-0763.patch: fix in ResourceLinkFactory.java
    - CVE-2016-0763
  * SECURITY UPDATE: Access to the tomcat account to gain root privileges
    via a symlink attack on the Catalina log file.
    - debian/tomcat6.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240

ubuntu/trusty-updates 2018-10-17 13:43:14 UTC 2018-10-17
Import patches-unapplied version 6.0.39-1ubuntu0.1 to ubuntu/trusty-security

Author: Eduardo dos Santos Barretto
Author Date: 2018-10-11 21:55:25 UTC

Import patches-unapplied version 6.0.39-1ubuntu0.1 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 9a275391aa32a30784e2452e9f971a1fe82e1319

New changelog entries:
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2014-0075.patch: Fix integer overflow in the
      parseChunkHeader function in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
    - CVE-2014-0075
  * SECURITY UPDATE: Bypass security-manager restrictions and read
    arbitrary files via a crafted web application that provides an XML
    external entity declaration in conjunction with an entity reference.
    - debian/patches/CVE-2014-0096.patch: Properly restrict XSLT
      stylesheets
    - CVE-2014-0096
  * SECURITY UPDATE: Fix integer overflow.
    - debian/patches/CVE-2014-0099.patch: Fix in
      java/org/apache/tomcat/util/buf/Ascii.java
    - CVE-2014-0099
  * SECURITY UPDATE: Read arbitrary files via a crafted web application
    that provides an XML external entity declaration in conjunction with
    an entity reference.
    - debian/patches/CVE-2014-0119-1.patch: fix in SecurityClassLoad.java
      and DefaultServlet.java
    - debian/patches/CVE-2014-0119-2.patch: fix in TldConfig.java
    - debian/patches/CVE-2014-0119-3.patch: fix in multiple files
    - CVE-2014-0119
  * SECURITY UPDATE: Add error flag to allow subsequent attempts at
    reading after an error to fail fast.
    - debian/patches/CVE-2014-0227.patch: fix in ChunkedInputFilter.java
    - CVE-2014-0227
  * SECURITY UPDATE: DoS (thread consumption) via a series of aborted
    upload attempts.
    - debian/patches/CVE-2014-0230.patch: add support for maxSwallowSize
    - CVE-2014-0230
  * SECURITY UPDATE: Bypass a SecurityManager protection mechanism via a
    web application that leverages use of incorrect privileges during EL
    evaluation.
    - debian/patches/CVE-2014-7810-1.patch: fix in BeanELResolver.java
    - debian/patches/CVE-2014-7810-2.patch: fix in PageContextImpl.java
      and SecurityClassLoad.java
    - CVE-2014-7810
  * SECURITY UPDATE: Directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix in RequestUtil.java
    - CVE-2015-5174
  * SECURITY UPDATE: Remote attackers can determine the existence of a
    directory via a URL that lacks a trailing slash character.
    - debian/patches/CVE-2015-5345-1.patch: fix in multiple files
    - debian/patches/CVE-2015-5345-2.patch: fix in multiple files
    - CVE-2015-5345
  * SECURITY UPDATE: Bypass CSRF protection mechanism by using a token.
    - debian/patches/CVE-2015-5351-1.patch: fix in manager application
    - debian/patches/CVE-2015-5351-2.patch: fix in host-manager
      application
    - CVE-2015-5351
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    read arbitrary HTTP requests, and consequently discover session ID
    values, via a crafted web application.
    - debian/patches/CVE-2016-0706.patch: fix in
      RestrictedServlets.properties
    - CVE-2016-0706
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    execute arbitrary code in a privileged context via a web application
    that places a crafted object in a session.
    - debian/patches/CVE-2016-0714-1.patch: fix in multiple files.
    - debian/patches/CVE-2016-0714-2.patch: fix in multiple files.
    - CVE-2016-0714
  * SECURITY UPDATE: Possible to determine valid user names.
    - debian/patches/CVE-2016-0762.patch: fix in MemoryRealm.java and
      RealmBase.java
    - CVE-2016-0762
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    read or write to arbitrary application data, or cause a denial of
    service (application disruption), via a web application that sets
    a crafted global context.
    - debian/patches/CVE-2016-0763.patch: fix in ResourceLinkFactory.java
    - CVE-2016-0763
  * SECURITY UPDATE: Access to the tomcat account to gain root privileges
    via a symlink attack on the Catalina log file.
    - debian/tomcat6.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240

applied/ubuntu/trusty-security 2018-10-17 13:43:14 UTC 2018-10-17
Import patches-applied version 6.0.39-1ubuntu0.1 to applied/ubuntu/trusty-sec...

Author: Eduardo dos Santos Barretto
Author Date: 2018-10-11 21:55:25 UTC

Import patches-applied version 6.0.39-1ubuntu0.1 to applied/ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: fbcb77efb5d4799e0b73e2999141dde4994c0acd
Unapplied parent: e256b16a4e440b3c284d2ba1835b4cc99f5eb7a7

New changelog entries:
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2014-0075.patch: Fix integer overflow in the
      parseChunkHeader function in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
    - CVE-2014-0075
  * SECURITY UPDATE: Bypass security-manager restrictions and read
    arbitrary files via a crafted web application that provides an XML
    external entity declaration in conjunction with an entity reference.
    - debian/patches/CVE-2014-0096.patch: Properly restrict XSLT
      stylesheets
    - CVE-2014-0096
  * SECURITY UPDATE: Fix integer overflow.
    - debian/patches/CVE-2014-0099.patch: Fix in
      java/org/apache/tomcat/util/buf/Ascii.java
    - CVE-2014-0099
  * SECURITY UPDATE: Read arbitrary files via a crafted web application
    that provides an XML external entity declaration in conjunction with
    an entity reference.
    - debian/patches/CVE-2014-0119-1.patch: fix in SecurityClassLoad.java
      and DefaultServlet.java
    - debian/patches/CVE-2014-0119-2.patch: fix in TldConfig.java
    - debian/patches/CVE-2014-0119-3.patch: fix in multiple files
    - CVE-2014-0119
  * SECURITY UPDATE: Add error flag to allow subsequent attempts at
    reading after an error to fail fast.
    - debian/patches/CVE-2014-0227.patch: fix in ChunkedInputFilter.java
    - CVE-2014-0227
  * SECURITY UPDATE: DoS (thread consumption) via a series of aborted
    upload attempts.
    - debian/patches/CVE-2014-0230.patch: add support for maxSwallowSize
    - CVE-2014-0230
  * SECURITY UPDATE: Bypass a SecurityManager protection mechanism via a
    web application that leverages use of incorrect privileges during EL
    evaluation.
    - debian/patches/CVE-2014-7810-1.patch: fix in BeanELResolver.java
    - debian/patches/CVE-2014-7810-2.patch: fix in PageContextImpl.java
      and SecurityClassLoad.java
    - CVE-2014-7810
  * SECURITY UPDATE: Directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix in RequestUtil.java
    - CVE-2015-5174
  * SECURITY UPDATE: Remote attackers can determine the existence of a
    directory via a URL that lacks a trailing slash character.
    - debian/patches/CVE-2015-5345-1.patch: fix in multiple files
    - debian/patches/CVE-2015-5345-2.patch: fix in multiple files
    - CVE-2015-5345
  * SECURITY UPDATE: Bypass CSRF protection mechanism by using a token.
    - debian/patches/CVE-2015-5351-1.patch: fix in manager application
    - debian/patches/CVE-2015-5351-2.patch: fix in host-manager
      application
    - CVE-2015-5351
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    read arbitrary HTTP requests, and consequently discover session ID
    values, via a crafted web application.
    - debian/patches/CVE-2016-0706.patch: fix in
      RestrictedServlets.properties
    - CVE-2016-0706
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    execute arbitrary code in a privileged context via a web application
    that places a crafted object in a session.
    - debian/patches/CVE-2016-0714-1.patch: fix in multiple files.
    - debian/patches/CVE-2016-0714-2.patch: fix in multiple files.
    - CVE-2016-0714
  * SECURITY UPDATE: Possible to determine valid user names.
    - debian/patches/CVE-2016-0762.patch: fix in MemoryRealm.java and
      RealmBase.java
    - CVE-2016-0762
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    read or write to arbitrary application data, or cause a denial of
    service (application disruption), via a web application that sets
    a crafted global context.
    - debian/patches/CVE-2016-0763.patch: fix in ResourceLinkFactory.java
    - CVE-2016-0763
  * SECURITY UPDATE: Access to the tomcat account to gain root privileges
    via a symlink attack on the Catalina log file.
    - debian/tomcat6.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240

applied/ubuntu/trusty-updates 2018-10-17 13:43:14 UTC 2018-10-17
Import patches-applied version 6.0.39-1ubuntu0.1 to applied/ubuntu/trusty-sec...

Author: Eduardo dos Santos Barretto
Author Date: 2018-10-11 21:55:25 UTC

Import patches-applied version 6.0.39-1ubuntu0.1 to applied/ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: fbcb77efb5d4799e0b73e2999141dde4994c0acd
Unapplied parent: e256b16a4e440b3c284d2ba1835b4cc99f5eb7a7

New changelog entries:
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2014-0075.patch: Fix integer overflow in the
      parseChunkHeader function in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
    - CVE-2014-0075
  * SECURITY UPDATE: Bypass security-manager restrictions and read
    arbitrary files via a crafted web application that provides an XML
    external entity declaration in conjunction with an entity reference.
    - debian/patches/CVE-2014-0096.patch: Properly restrict XSLT
      stylesheets
    - CVE-2014-0096
  * SECURITY UPDATE: Fix integer overflow.
    - debian/patches/CVE-2014-0099.patch: Fix in
      java/org/apache/tomcat/util/buf/Ascii.java
    - CVE-2014-0099
  * SECURITY UPDATE: Read arbitrary files via a crafted web application
    that provides an XML external entity declaration in conjunction with
    an entity reference.
    - debian/patches/CVE-2014-0119-1.patch: fix in SecurityClassLoad.java
      and DefaultServlet.java
    - debian/patches/CVE-2014-0119-2.patch: fix in TldConfig.java
    - debian/patches/CVE-2014-0119-3.patch: fix in multiple files
    - CVE-2014-0119
  * SECURITY UPDATE: Add error flag to allow subsequent attempts at
    reading after an error to fail fast.
    - debian/patches/CVE-2014-0227.patch: fix in ChunkedInputFilter.java
    - CVE-2014-0227
  * SECURITY UPDATE: DoS (thread consumption) via a series of aborted
    upload attempts.
    - debian/patches/CVE-2014-0230.patch: add support for maxSwallowSize
    - CVE-2014-0230
  * SECURITY UPDATE: Bypass a SecurityManager protection mechanism via a
    web application that leverages use of incorrect privileges during EL
    evaluation.
    - debian/patches/CVE-2014-7810-1.patch: fix in BeanELResolver.java
    - debian/patches/CVE-2014-7810-2.patch: fix in PageContextImpl.java
      and SecurityClassLoad.java
    - CVE-2014-7810
  * SECURITY UPDATE: Directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix in RequestUtil.java
    - CVE-2015-5174
  * SECURITY UPDATE: Remote attackers can determine the existence of a
    directory via a URL that lacks a trailing slash character.
    - debian/patches/CVE-2015-5345-1.patch: fix in multiple files
    - debian/patches/CVE-2015-5345-2.patch: fix in multiple files
    - CVE-2015-5345
  * SECURITY UPDATE: Bypass CSRF protection mechanism by using a token.
    - debian/patches/CVE-2015-5351-1.patch: fix in manager application
    - debian/patches/CVE-2015-5351-2.patch: fix in host-manager
      application
    - CVE-2015-5351
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    read arbitrary HTTP requests, and consequently discover session ID
    values, via a crafted web application.
    - debian/patches/CVE-2016-0706.patch: fix in
      RestrictedServlets.properties
    - CVE-2016-0706
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    execute arbitrary code in a privileged context via a web application
    that places a crafted object in a session.
    - debian/patches/CVE-2016-0714-1.patch: fix in multiple files.
    - debian/patches/CVE-2016-0714-2.patch: fix in multiple files.
    - CVE-2016-0714
  * SECURITY UPDATE: Possible to determine valid user names.
    - debian/patches/CVE-2016-0762.patch: fix in MemoryRealm.java and
      RealmBase.java
    - CVE-2016-0762
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    read or write to arbitrary application data, or cause a denial of
    service (application disruption), via a web application that sets
    a crafted global context.
    - debian/patches/CVE-2016-0763.patch: fix in ResourceLinkFactory.java
    - CVE-2016-0763
  * SECURITY UPDATE: Access to the tomcat account to gain root privileges
    via a symlink attack on the Catalina log file.
    - debian/tomcat6.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240

importer/ubuntu/pristine-tar 2018-03-07 19:07:56 UTC 2018-03-07
pristine-tar data for tomcat6_6.0.45+dfsg.orig.tar.xz

Author: Ubuntu Git Importer
Author Date: 2018-03-07 19:07:56 UTC

pristine-tar data for tomcat6_6.0.45+dfsg.orig.tar.xz

importer/debian/dsc 2018-03-07 18:35:25 UTC 2018-03-07
DSC file for 6.0.45+dfsg-1~deb7u1

Author: Ubuntu Git Importer
Author Date: 2018-03-07 18:35:25 UTC

DSC file for 6.0.45+dfsg-1~deb7u1

importer/debian/pristine-tar 2018-03-07 18:35:00 UTC 2018-03-07
pristine-tar data for tomcat6_6.0.45+dfsg.orig.tar.xz

Author: Ubuntu Git Importer
Author Date: 2018-03-07 18:35:00 UTC

pristine-tar data for tomcat6_6.0.45+dfsg.orig.tar.xz

ubuntu/precise-devel 2017-02-20 18:01:05 UTC 2017-02-20
Import patches-unapplied version 6.0.35-1ubuntu3.11 to ubuntu/precise-security

Author: Marc Deslauriers
Author Date: 2017-02-17 14:04:04 UTC

Import patches-unapplied version 6.0.35-1ubuntu3.11 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 858e9091dbe32131e4576f734d9c601c6fd04985

New changelog entries:
  * SECURITY UPDATE: possible DoS via CPU consumption (LP: #1663318)
    - debian/patches/CVE-2017-6056.patch: fix infinite loop in
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2017-6056

ubuntu/precise-updates 2017-02-20 18:01:05 UTC 2017-02-20
Import patches-unapplied version 6.0.35-1ubuntu3.11 to ubuntu/precise-security

Author: Marc Deslauriers
Author Date: 2017-02-17 14:04:04 UTC

Import patches-unapplied version 6.0.35-1ubuntu3.11 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 858e9091dbe32131e4576f734d9c601c6fd04985

New changelog entries:
  * SECURITY UPDATE: possible DoS via CPU consumption (LP: #1663318)
    - debian/patches/CVE-2017-6056.patch: fix infinite loop in
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2017-6056

ubuntu/precise-security 2017-02-20 18:01:05 UTC 2017-02-20
Import patches-unapplied version 6.0.35-1ubuntu3.11 to ubuntu/precise-security

Author: Marc Deslauriers
Author Date: 2017-02-17 14:04:04 UTC

Import patches-unapplied version 6.0.35-1ubuntu3.11 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 858e9091dbe32131e4576f734d9c601c6fd04985

New changelog entries:
  * SECURITY UPDATE: possible DoS via CPU consumption (LP: #1663318)
    - debian/patches/CVE-2017-6056.patch: fix infinite loop in
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2017-6056

applied/ubuntu/precise-updates 2017-02-20 18:01:05 UTC 2017-02-20
Import patches-applied version 6.0.35-1ubuntu3.11 to applied/ubuntu/precise-s...

Author: Marc Deslauriers
Author Date: 2017-02-17 14:04:04 UTC

Import patches-applied version 6.0.35-1ubuntu3.11 to applied/ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: bd60160d70772460bc761c67dbca805ff6ddc738
Unapplied parent: ba5ed4bbe7935bd8029e345b71ca5922f7bc7cd4

New changelog entries:
  * SECURITY UPDATE: possible DoS via CPU consumption (LP: #1663318)
    - debian/patches/CVE-2017-6056.patch: fix infinite loop in
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2017-6056

applied/ubuntu/precise-security 2017-02-20 18:01:05 UTC 2017-02-20
Import patches-applied version 6.0.35-1ubuntu3.11 to applied/ubuntu/precise-s...

Author: Marc Deslauriers
Author Date: 2017-02-17 14:04:04 UTC

Import patches-applied version 6.0.35-1ubuntu3.11 to applied/ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: bd60160d70772460bc761c67dbca805ff6ddc738
Unapplied parent: ba5ed4bbe7935bd8029e345b71ca5922f7bc7cd4

New changelog entries:
  * SECURITY UPDATE: possible DoS via CPU consumption (LP: #1663318)
    - debian/patches/CVE-2017-6056.patch: fix infinite loop in
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2017-6056

applied/ubuntu/precise-devel 2017-02-20 18:01:05 UTC 2017-02-20
Import patches-applied version 6.0.35-1ubuntu3.11 to applied/ubuntu/precise-s...

Author: Marc Deslauriers
Author Date: 2017-02-17 14:04:04 UTC

Import patches-applied version 6.0.35-1ubuntu3.11 to applied/ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: bd60160d70772460bc761c67dbca805ff6ddc738
Unapplied parent: ba5ed4bbe7935bd8029e345b71ca5922f7bc7cd4

New changelog entries:
  * SECURITY UPDATE: possible DoS via CPU consumption (LP: #1663318)
    - debian/patches/CVE-2017-6056.patch: fix infinite loop in
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2017-6056

debian/wheezy 2016-06-05 05:42:11 UTC 2016-06-05
Import patches-unapplied version 6.0.45+dfsg-1~deb7u1 to debian/wheezy

Author: Markus Koschany
Author Date: 2016-03-16 13:08:48 UTC

Import patches-unapplied version 6.0.45+dfsg-1~deb7u1 to debian/wheezy

Imported using git-ubuntu import.

Changelog parent: 467cbd7632b76c09f7d938e2a0e2b3ca62af5239

New changelog entries:
  * Team upload.
  * The full list of changes between 6.0.35 (the version previously available
    in Wheezy) and 6.0.45 can be seen in the upstream changelog, which is
    available online at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
  * This update fixes the following security issues:
    - CVE-2014-0033: prevent remote attackers from conducting session
      fixation attacks via crafted URLs.
    - CVE-2014-0119: Fix not properly constraining class loader that accesses
      the XML parser used with an XSLT stylesheet which allowed remote
      attackers to read arbitrary files via crafted web applications.
    - CVE-2014-0099: Fix integer overflow in
      java/org/apache/tomcat/util/buf/Ascii.java.
    - CVE-2014-0096: Properly restrict XSLT stylesheets that allowed remote
      attackers to bypass security-manager restrictions.
    - CVE-2014-0075: Fix integer overflow in the parseChunkHeader function in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2013-4590: prevent "Tomcat internals" information leaks.
    - CVE-2013-4322: prevent remote attackers from doing denial of service
      attacks.
    - CVE-2013-4286: reject requests with multiple content-length headers or
      with a content-length header when chunked encoding is being used.
    - Avoid CVE-2013-1571 when generating Javadoc.
  * CVE-2014-0227.patch:
    - Add error flag to allow subsequent attempts at reading after an error to
      fail fast.
  * CVE-2014-0230: Add support for maxSwallowSize.
  * CVE-2014-7810:
    - Fix potential BeanELResolver issue when running under a security manager.
      Some classes may not be accessible but may have accessible interfaces.
  * CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
  * CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
    processes redirects before considering security constraints and Filters.
  * CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
    org.apache.catalina.manager.StatusManagerServlet on the
    org/apache/catalina/core/RestrictedServlets.properties list which allows
    remote authenticated users to bypass intended SecurityManager
    restrictions.
  * CVE-2016-0714: The session-persistence implementation in Apache Tomcat
    before 6.0.45 mishandles session attributes, which allows remote
    authenticated users to bypass intended SecurityManager restrictions.
  * CVE-2016-0763: The setGlobalContext method in
    org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
    not consider whether ResourceLinkFactory.setGlobalContext callers are
    authorized, which allows remote authenticated users to bypass intended
    SecurityManager restrictions and read or write to arbitrary application
    data, or cause a denial of service (application disruption), via a web
    application that sets a crafted global context.
  * CVE-2015-5351: The Manager and Host Manager applications in
    Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
    requests, which allows remote attackers to bypass a CSRF protection
    mechanism by using a token.
  * Drop the following patches. Applied upstream.
    - 0011-CVE-2012-0022-regression-fix.patch
    - 0012-CVE-2012-3544.patch
    - 0014-CVE-2012-4534.patch
    - 0015-CVE-2012-4431.patch
    - 0016-CVE-2012-3546.patch
    - 0017-CVE-2013-2067.patch
    - cve-2012-2733.patch
    - cve-2012-3439.patch
    - CVE-2014-0227.patch
    - CVE-2014-0230.patch
    - CVE-2014-7810-1.patch
    - CVE-2014-7810-2.patch
    - 0011-Fix-for-NoSuchElementException-when-an-attribute-has.patch

applied/debian/wheezy 2016-06-05 05:42:11 UTC 2016-06-05
Import patches-applied version 6.0.45+dfsg-1~deb7u1 to applied/debian/wheezy

Author: Markus Koschany
Author Date: 2016-03-16 13:08:48 UTC

Import patches-applied version 6.0.45+dfsg-1~deb7u1 to applied/debian/wheezy

Imported using git-ubuntu import.

Changelog parent: 4d391b01ca45250001a30523e7913c89ed2186f6
Unapplied parent: aaece1a3379ac86b12a244c15ab87a92811c9b85

New changelog entries:
  * Team upload.
  * The full list of changes between 6.0.35 (the version previously available
    in Wheezy) and 6.0.45 can be seen in the upstream changelog, which is
    available online at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
  * This update fixes the following security issues:
    - CVE-2014-0033: prevent remote attackers from conducting session
      fixation attacks via crafted URLs.
    - CVE-2014-0119: Fix not properly constraining class loader that accesses
      the XML parser used with an XSLT stylesheet which allowed remote
      attackers to read arbitrary files via crafted web applications.
    - CVE-2014-0099: Fix integer overflow in
      java/org/apache/tomcat/util/buf/Ascii.java.
    - CVE-2014-0096: Properly restrict XSLT stylesheets that allowed remote
      attackers to bypass security-manager restrictions.
    - CVE-2014-0075: Fix integer overflow in the parseChunkHeader function in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2013-4590: prevent "Tomcat internals" information leaks.
    - CVE-2013-4322: prevent remote attackers from doing denial of service
      attacks.
    - CVE-2013-4286: reject requests with multiple content-length headers or
      with a content-length header when chunked encoding is being used.
    - Avoid CVE-2013-1571 when generating Javadoc.
  * CVE-2014-0227.patch:
    - Add error flag to allow subsequent attempts at reading after an error to
      fail fast.
  * CVE-2014-0230: Add support for maxSwallowSize.
  * CVE-2014-7810:
    - Fix potential BeanELResolver issue when running under a security manager.
      Some classes may not be accessible but may have accessible interfaces.
  * CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
  * CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
    processes redirects before considering security constraints and Filters.
  * CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
    org.apache.catalina.manager.StatusManagerServlet on the
    org/apache/catalina/core/RestrictedServlets.properties list which allows
    remote authenticated users to bypass intended SecurityManager
    restrictions.
  * CVE-2016-0714: The session-persistence implementation in Apache Tomcat
    before 6.0.45 mishandles session attributes, which allows remote
    authenticated users to bypass intended SecurityManager restrictions.
  * CVE-2016-0763: The setGlobalContext method in
    org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
    not consider whether ResourceLinkFactory.setGlobalContext callers are
    authorized, which allows remote authenticated users to bypass intended
    SecurityManager restrictions and read or write to arbitrary application
    data, or cause a denial of service (application disruption), via a web
    application that sets a crafted global context.
  * CVE-2015-5351: The Manager and Host Manager applications in
    Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
    requests, which allows remote attackers to bypass a CSRF protection
    mechanism by using a token.
  * Drop the following patches. Applied upstream.
    - 0011-CVE-2012-0022-regression-fix.patch
    - 0012-CVE-2012-3544.patch
    - 0014-CVE-2012-4534.patch
    - 0015-CVE-2012-4431.patch
    - 0016-CVE-2012-3546.patch
    - 0017-CVE-2013-2067.patch
    - cve-2012-2733.patch
    - cve-2012-3439.patch
    - CVE-2014-0227.patch
    - CVE-2014-0230.patch
    - CVE-2014-7810-1.patch
    - CVE-2014-7810-2.patch
    - 0011-Fix-for-NoSuchElementException-when-an-attribute-has.patch

debian/jessie 2016-06-05 05:00:16 UTC 2016-06-05
Import patches-unapplied version 6.0.45+dfsg-1~deb8u1 to debian/jessie

Author: Markus Koschany
Author Date: 2016-04-01 14:18:25 UTC

Import patches-unapplied version 6.0.45+dfsg-1~deb8u1 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: 11326220cc9a5136e961c0fea16e443789b4e964

New changelog entries:
  * Imported Upstream version 6.0.45+dfsg.
    Fixes all current known security vulnerabilities in the source package.
    Users were not directly affected since we only build the servlet API and
    documentation. This update simplifies upgrades from Wheezy.

applied/debian/jessie 2016-06-05 05:00:16 UTC 2016-06-05
Import patches-applied version 6.0.45+dfsg-1~deb8u1 to applied/debian/jessie

Author: Markus Koschany
Author Date: 2016-04-01 14:18:25 UTC

Import patches-applied version 6.0.45+dfsg-1~deb8u1 to applied/debian/jessie

Imported using git-ubuntu import.

Changelog parent: b233127b18c058889160b9804176d31069c0a120
Unapplied parent: 8fdf86791ec9fe5c90dac221c2e7dcb1d0e45499

New changelog entries:
  * Imported Upstream version 6.0.45+dfsg.
    Fixes all current known security vulnerabilities in the source package.
    Users were not directly affected since we only build the servlet API and
    documentation. This update simplifies upgrades from Wheezy.

debian/stretch 2016-02-27 22:25:46 UTC 2016-02-27
Import patches-unapplied version 6.0.45+dfsg-1 to debian/sid

Author: Markus Koschany
Author Date: 2016-02-27 18:32:00 UTC

Import patches-unapplied version 6.0.45+dfsg-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b9ac5ecafc7085602d4e797ecf0008a7a58b3517

New changelog entries:
  * Team upload.
  * Imported Upstream version 6.0.45+dfsg.
    - Remove all prebuilt jar files.
  * Declare compliance with Debian Policy 3.9.7.
  * Vcs-fields: Use https.
  * This update fixes the following security vulnerabilities in the source
    package. Since src:tomcat6 only builds libservlet2.5-java and
    documentation, users are not directly affected.
    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
      processes redirects before considering security constraints and Filters.
    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
      org.apache.catalina.manager.StatusManagerServlet on the
      org/apache/catalina/core/RestrictedServlets.properties list which allows
      remote authenticated users to bypass intended SecurityManager
      restrictions.
    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
      before 6.0.45 mishandles session attributes, which allows remote
      authenticated users to bypass intended SecurityManager restrictions.
    - CVE-2016-0763: The setGlobalContext method in
      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
      not consider whether ResourceLinkFactory.setGlobalContext callers are
      authorized, which allows remote authenticated users to bypass intended
      SecurityManager restrictions and read or write to arbitrary application
      data, or cause a denial of service (application disruption), via a web
      application that sets a crafted global context.
    - CVE-2015-5351: The Manager and Host Manager applications in
      Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
      requests, which allows remote attackers to bypass a CSRF protection
      mechanism by using a token.

applied/ubuntu/devel 2016-02-27 22:25:46 UTC 2016-02-27
Import patches-applied version 6.0.45+dfsg-1 to applied/debian/sid

Author: Markus Koschany
Author Date: 2016-02-27 18:32:00 UTC

Import patches-applied version 6.0.45+dfsg-1 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: 46c7f69f26478e966a06e2a803fe8f5d9b296807
Unapplied parent: 596c2ba16f6ae62920ff80d4f59f246f4e11eeb8

New changelog entries:
  * Team upload.
  * Imported Upstream version 6.0.45+dfsg.
    - Remove all prebuilt jar files.
  * Declare compliance with Debian Policy 3.9.7.
  * Vcs-fields: Use https.
  * This update fixes the following security vulnerabilities in the source
    package. Since src:tomcat6 only builds libservlet2.5-java and
    documentation, users are not directly affected.
    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
      processes redirects before considering security constraints and Filters.
    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
      org.apache.catalina.manager.StatusManagerServlet on the
      org/apache/catalina/core/RestrictedServlets.properties list which allows
      remote authenticated users to bypass intended SecurityManager
      restrictions.
    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
      before 6.0.45 mishandles session attributes, which allows remote
      authenticated users to bypass intended SecurityManager restrictions.
    - CVE-2016-0763: The setGlobalContext method in
      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
      not consider whether ResourceLinkFactory.setGlobalContext callers are
      authorized, which allows remote authenticated users to bypass intended
      SecurityManager restrictions and read or write to arbitrary application
      data, or cause a denial of service (application disruption), via a web
      application that sets a crafted global context.
    - CVE-2015-5351: The Manager and Host Manager applications in
      Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
      requests, which allows remote attackers to bypass a CSRF protection
      mechanism by using a token.

ubuntu/yakkety 2016-02-27 22:25:46 UTC 2016-02-27
Import patches-unapplied version 6.0.45+dfsg-1 to debian/sid

Author: Markus Koschany
Author Date: 2016-02-27 18:32:00 UTC

Import patches-unapplied version 6.0.45+dfsg-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b9ac5ecafc7085602d4e797ecf0008a7a58b3517

New changelog entries:
  * Team upload.
  * Imported Upstream version 6.0.45+dfsg.
    - Remove all prebuilt jar files.
  * Declare compliance with Debian Policy 3.9.7.
  * Vcs-fields: Use https.
  * This update fixes the following security vulnerabilities in the source
    package. Since src:tomcat6 only builds libservlet2.5-java and
    documentation, users are not directly affected.
    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
      processes redirects before considering security constraints and Filters.
    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
      org.apache.catalina.manager.StatusManagerServlet on the
      org/apache/catalina/core/RestrictedServlets.properties list which allows
      remote authenticated users to bypass intended SecurityManager
      restrictions.
    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
      before 6.0.45 mishandles session attributes, which allows remote
      authenticated users to bypass intended SecurityManager restrictions.
    - CVE-2016-0763: The setGlobalContext method in
      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
      not consider whether ResourceLinkFactory.setGlobalContext callers are
      authorized, which allows remote authenticated users to bypass intended
      SecurityManager restrictions and read or write to arbitrary application
      data, or cause a denial of service (application disruption), via a web
      application that sets a crafted global context.
    - CVE-2015-5351: The Manager and Host Manager applications in
      Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
      requests, which allows remote attackers to bypass a CSRF protection
      mechanism by using a token.

ubuntu/xenial-proposed 2016-02-27 22:25:46 UTC 2016-02-27
Import patches-unapplied version 6.0.45+dfsg-1 to debian/sid

Author: Markus Koschany
Author Date: 2016-02-27 18:32:00 UTC

Import patches-unapplied version 6.0.45+dfsg-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b9ac5ecafc7085602d4e797ecf0008a7a58b3517

New changelog entries:
  * Team upload.
  * Imported Upstream version 6.0.45+dfsg.
    - Remove all prebuilt jar files.
  * Declare compliance with Debian Policy 3.9.7.
  * Vcs-fields: Use https.
  * This update fixes the following security vulnerabilities in the source
    package. Since src:tomcat6 only builds libservlet2.5-java and
    documentation, users are not directly affected.
    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
      processes redirects before considering security constraints and Filters.
    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
      org.apache.catalina.manager.StatusManagerServlet on the
      org/apache/catalina/core/RestrictedServlets.properties list which allows
      remote authenticated users to bypass intended SecurityManager
      restrictions.
    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
      before 6.0.45 mishandles session attributes, which allows remote
      authenticated users to bypass intended SecurityManager restrictions.
    - CVE-2016-0763: The setGlobalContext method in
      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
      not consider whether ResourceLinkFactory.setGlobalContext callers are
      authorized, which allows remote authenticated users to bypass intended
      SecurityManager restrictions and read or write to arbitrary application
      data, or cause a denial of service (application disruption), via a web
      application that sets a crafted global context.
    - CVE-2015-5351: The Manager and Host Manager applications in
      Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
      requests, which allows remote attackers to bypass a CSRF protection
      mechanism by using a token.

ubuntu/xenial-devel 2016-02-27 22:25:46 UTC 2016-02-27
Import patches-unapplied version 6.0.45+dfsg-1 to debian/sid

Author: Markus Koschany
Author Date: 2016-02-27 18:32:00 UTC

Import patches-unapplied version 6.0.45+dfsg-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b9ac5ecafc7085602d4e797ecf0008a7a58b3517

New changelog entries:
  * Team upload.
  * Imported Upstream version 6.0.45+dfsg.
    - Remove all prebuilt jar files.
  * Declare compliance with Debian Policy 3.9.7.
  * Vcs-fields: Use https.
  * This update fixes the following security vulnerabilities in the source
    package. Since src:tomcat6 only builds libservlet2.5-java and
    documentation, users are not directly affected.
    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
      processes redirects before considering security constraints and Filters.
    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
      org.apache.catalina.manager.StatusManagerServlet on the
      org/apache/catalina/core/RestrictedServlets.properties list which allows
      remote authenticated users to bypass intended SecurityManager
      restrictions.
    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
      before 6.0.45 mishandles session attributes, which allows remote
      authenticated users to bypass intended SecurityManager restrictions.
    - CVE-2016-0763: The setGlobalContext method in
      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
      not consider whether ResourceLinkFactory.setGlobalContext callers are
      authorized, which allows remote authenticated users to bypass intended
      SecurityManager restrictions and read or write to arbitrary application
      data, or cause a denial of service (application disruption), via a web
      application that sets a crafted global context.
    - CVE-2015-5351: The Manager and Host Manager applications in
      Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
      requests, which allows remote attackers to bypass a CSRF protection
      mechanism by using a token.

ubuntu/xenial 2016-02-27 22:25:46 UTC 2016-02-27
Import patches-unapplied version 6.0.45+dfsg-1 to debian/sid

Author: Markus Koschany
Author Date: 2016-02-27 18:32:00 UTC

Import patches-unapplied version 6.0.45+dfsg-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b9ac5ecafc7085602d4e797ecf0008a7a58b3517

New changelog entries:
  * Team upload.
  * Imported Upstream version 6.0.45+dfsg.
    - Remove all prebuilt jar files.
  * Declare compliance with Debian Policy 3.9.7.
  * Vcs-fields: Use https.
  * This update fixes the following security vulnerabilities in the source
    package. Since src:tomcat6 only builds libservlet2.5-java and
    documentation, users are not directly affected.
    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
      processes redirects before considering security constraints and Filters.
    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
      org.apache.catalina.manager.StatusManagerServlet on the
      org/apache/catalina/core/RestrictedServlets.properties list which allows
      remote authenticated users to bypass intended SecurityManager
      restrictions.
    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
      before 6.0.45 mishandles session attributes, which allows remote
      authenticated users to bypass intended SecurityManager restrictions.
    - CVE-2016-0763: The setGlobalContext method in
      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
      not consider whether ResourceLinkFactory.setGlobalContext callers are
      authorized, which allows remote authenticated users to bypass intended
      SecurityManager restrictions and read or write to arbitrary application
      data, or cause a denial of service (application disruption), via a web
      application that sets a crafted global context.
    - CVE-2015-5351: The Manager and Host Manager applications in
      Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
      requests, which allows remote attackers to bypass a CSRF protection
      mechanism by using a token.

ubuntu/yakkety-devel 2016-02-27 22:25:46 UTC 2016-02-27
Import patches-unapplied version 6.0.45+dfsg-1 to debian/sid

Author: Markus Koschany
Author Date: 2016-02-27 18:32:00 UTC

Import patches-unapplied version 6.0.45+dfsg-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b9ac5ecafc7085602d4e797ecf0008a7a58b3517

New changelog entries:
  * Team upload.
  * Imported Upstream version 6.0.45+dfsg.
    - Remove all prebuilt jar files.
  * Declare compliance with Debian Policy 3.9.7.
  * Vcs-fields: Use https.
  * This update fixes the following security vulnerabilities in the source
    package. Since src:tomcat6 only builds libservlet2.5-java and
    documentation, users are not directly affected.
    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
      processes redirects before considering security constraints and Filters.
    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
      org.apache.catalina.manager.StatusManagerServlet on the
      org/apache/catalina/core/RestrictedServlets.properties list which allows
      remote authenticated users to bypass intended SecurityManager
      restrictions.
    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
      before 6.0.45 mishandles session attributes, which allows remote
      authenticated users to bypass intended SecurityManager restrictions.
    - CVE-2016-0763: The setGlobalContext method in
      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
      not consider whether ResourceLinkFactory.setGlobalContext callers are
      authorized, which allows remote authenticated users to bypass intended
      SecurityManager restrictions and read or write to arbitrary application
      data, or cause a denial of service (application disruption), via a web
      application that sets a crafted global context.
    - CVE-2015-5351: The Manager and Host Manager applications in
      Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
      requests, which allows remote attackers to bypass a CSRF protection
      mechanism by using a token.

applied/debian/stretch 2016-02-27 22:25:46 UTC 2016-02-27
Import patches-applied version 6.0.45+dfsg-1 to applied/debian/sid

Author: Markus Koschany
Author Date: 2016-02-27 18:32:00 UTC

Import patches-applied version 6.0.45+dfsg-1 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: 46c7f69f26478e966a06e2a803fe8f5d9b296807
Unapplied parent: 596c2ba16f6ae62920ff80d4f59f246f4e11eeb8

New changelog entries:
  * Team upload.
  * Imported Upstream version 6.0.45+dfsg.
    - Remove all prebuilt jar files.
  * Declare compliance with Debian Policy 3.9.7.
  * Vcs-fields: Use https.
  * This update fixes the following security vulnerabilities in the source
    package. Since src:tomcat6 only builds libservlet2.5-java and
    documentation, users are not directly affected.
    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
      processes redirects before considering security constraints and Filters.
    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
      org.apache.catalina.manager.StatusManagerServlet on the
      org/apache/catalina/core/RestrictedServlets.properties list which allows
      remote authenticated users to bypass intended SecurityManager
      restrictions.
    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
      before 6.0.45 mishandles session attributes, which allows remote
      authenticated users to bypass intended SecurityManager restrictions.
    - CVE-2016-0763: The setGlobalContext method in
      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
      not consider whether ResourceLinkFactory.setGlobalContext callers are
      authorized, which allows remote authenticated users to bypass intended
      SecurityManager restrictions and read or write to arbitrary application
      data, or cause a denial of service (application disruption), via a web
      application that sets a crafted global context.
    - CVE-2015-5351: The Manager and Host Manager applications in
      Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
      requests, which allows remote attackers to bypass a CSRF protection
      mechanism by using a token.

applied/debian/sid 2016-02-27 22:25:46 UTC 2016-02-27
Import patches-applied version 6.0.45+dfsg-1 to applied/debian/sid

Author: Markus Koschany
Author Date: 2016-02-27 18:32:00 UTC

Import patches-applied version 6.0.45+dfsg-1 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: 46c7f69f26478e966a06e2a803fe8f5d9b296807
Unapplied parent: 596c2ba16f6ae62920ff80d4f59f246f4e11eeb8

New changelog entries:
  * Team upload.
  * Imported Upstream version 6.0.45+dfsg.
    - Remove all prebuilt jar files.
  * Declare compliance with Debian Policy 3.9.7.
  * Vcs-fields: Use https.
  * This update fixes the following security vulnerabilities in the source
    package. Since src:tomcat6 only builds libservlet2.5-java and
    documentation, users are not directly affected.
    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
      processes redirects before considering security constraints and Filters.
    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
      org.apache.catalina.manager.StatusManagerServlet on the
      org/apache/catalina/core/RestrictedServlets.properties list which allows
      remote authenticated users to bypass intended SecurityManager
      restrictions.
    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
      before 6.0.45 mishandles session attributes, which allows remote
      authenticated users to bypass intended SecurityManager restrictions.
    - CVE-2016-0763: The setGlobalContext method in
      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
      not consider whether ResourceLinkFactory.setGlobalContext callers are
      authorized, which allows remote authenticated users to bypass intended
      SecurityManager restrictions and read or write to arbitrary application
      data, or cause a denial of service (application disruption), via a web
      application that sets a crafted global context.
    - CVE-2015-5351: The Manager and Host Manager applications in
      Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
      requests, which allows remote attackers to bypass a CSRF protection
      mechanism by using a token.

ubuntu/devel 2016-02-27 22:25:46 UTC 2016-02-27
Import patches-unapplied version 6.0.45+dfsg-1 to debian/sid

Author: Markus Koschany
Author Date: 2016-02-27 18:32:00 UTC

Import patches-unapplied version 6.0.45+dfsg-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b9ac5ecafc7085602d4e797ecf0008a7a58b3517

New changelog entries:
  * Team upload.
  * Imported Upstream version 6.0.45+dfsg.
    - Remove all prebuilt jar files.
  * Declare compliance with Debian Policy 3.9.7.
  * Vcs-fields: Use https.
  * This update fixes the following security vulnerabilities in the source
    package. Since src:tomcat6 only builds libservlet2.5-java and
    documentation, users are not directly affected.
    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
      processes redirects before considering security constraints and Filters.
    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
      org.apache.catalina.manager.StatusManagerServlet on the
      org/apache/catalina/core/RestrictedServlets.properties list which allows
      remote authenticated users to bypass intended SecurityManager
      restrictions.
    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
      before 6.0.45 mishandles session attributes, which allows remote
      authenticated users to bypass intended SecurityManager restrictions.
    - CVE-2016-0763: The setGlobalContext method in
      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
      not consider whether ResourceLinkFactory.setGlobalContext callers are
      authorized, which allows remote authenticated users to bypass intended
      SecurityManager restrictions and read or write to arbitrary application
      data, or cause a denial of service (application disruption), via a web
      application that sets a crafted global context.
    - CVE-2015-5351: The Manager and Host Manager applications in
      Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
      requests, which allows remote attackers to bypass a CSRF protection
      mechanism by using a token.

debian/sid 2016-02-27 22:25:46 UTC 2016-02-27
Import patches-unapplied version 6.0.45+dfsg-1 to debian/sid

Author: Markus Koschany
Author Date: 2016-02-27 18:32:00 UTC

Import patches-unapplied version 6.0.45+dfsg-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b9ac5ecafc7085602d4e797ecf0008a7a58b3517

New changelog entries:
  * Team upload.
  * Imported Upstream version 6.0.45+dfsg.
    - Remove all prebuilt jar files.
  * Declare compliance with Debian Policy 3.9.7.
  * Vcs-fields: Use https.
  * This update fixes the following security vulnerabilities in the source
    package. Since src:tomcat6 only builds libservlet2.5-java and
    documentation, users are not directly affected.
    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
      processes redirects before considering security constraints and Filters.
    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
      org.apache.catalina.manager.StatusManagerServlet on the
      org/apache/catalina/core/RestrictedServlets.properties list which allows
      remote authenticated users to bypass intended SecurityManager
      restrictions.
    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
      before 6.0.45 mishandles session attributes, which allows remote
      authenticated users to bypass intended SecurityManager restrictions.
    - CVE-2016-0763: The setGlobalContext method in
      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
      not consider whether ResourceLinkFactory.setGlobalContext callers are
      authorized, which allows remote authenticated users to bypass intended
      SecurityManager restrictions and read or write to arbitrary application
      data, or cause a denial of service (application disruption), via a web
      application that sets a crafted global context.
    - CVE-2015-5351: The Manager and Host Manager applications in
      Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
      requests, which allows remote attackers to bypass a CSRF protection
      mechanism by using a token.

applied/ubuntu/yakkety-devel 2016-02-27 22:25:46 UTC 2016-02-27
Import patches-applied version 6.0.45+dfsg-1 to applied/debian/sid

Author: Markus Koschany
Author Date: 2016-02-27 18:32:00 UTC

Import patches-applied version 6.0.45+dfsg-1 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: 46c7f69f26478e966a06e2a803fe8f5d9b296807
Unapplied parent: 596c2ba16f6ae62920ff80d4f59f246f4e11eeb8

New changelog entries:
  * Team upload.
  * Imported Upstream version 6.0.45+dfsg.
    - Remove all prebuilt jar files.
  * Declare compliance with Debian Policy 3.9.7.
  * Vcs-fields: Use https.
  * This update fixes the following security vulnerabilities in the source
    package. Since src:tomcat6 only builds libservlet2.5-java and
    documentation, users are not directly affected.
    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
      processes redirects before considering security constraints and Filters.
    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
      org.apache.catalina.manager.StatusManagerServlet on the
      org/apache/catalina/core/RestrictedServlets.properties list which allows
      remote authenticated users to bypass intended SecurityManager
      restrictions.
    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
      before 6.0.45 mishandles session attributes, which allows remote
      authenticated users to bypass intended SecurityManager restrictions.
    - CVE-2016-0763: The setGlobalContext method in
      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
      not consider whether ResourceLinkFactory.setGlobalContext callers are
      authorized, which allows remote authenticated users to bypass intended
      SecurityManager restrictions and read or write to arbitrary application
      data, or cause a denial of service (application disruption), via a web
      application that sets a crafted global context.
    - CVE-2015-5351: The Manager and Host Manager applications in
      Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
      requests, which allows remote attackers to bypass a CSRF protection
      mechanism by using a token.

applied/ubuntu/yakkety 2016-02-27 22:25:46 UTC 2016-02-27
Import patches-applied version 6.0.45+dfsg-1 to applied/debian/sid

Author: Markus Koschany
Author Date: 2016-02-27 18:32:00 UTC

Import patches-applied version 6.0.45+dfsg-1 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: 46c7f69f26478e966a06e2a803fe8f5d9b296807
Unapplied parent: 596c2ba16f6ae62920ff80d4f59f246f4e11eeb8

New changelog entries:
  * Team upload.
  * Imported Upstream version 6.0.45+dfsg.
    - Remove all prebuilt jar files.
  * Declare compliance with Debian Policy 3.9.7.
  * Vcs-fields: Use https.
  * This update fixes the following security vulnerabilities in the source
    package. Since src:tomcat6 only builds libservlet2.5-java and
    documentation, users are not directly affected.
    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
      processes redirects before considering security constraints and Filters.
    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
      org.apache.catalina.manager.StatusManagerServlet on the
      org/apache/catalina/core/RestrictedServlets.properties list which allows
      remote authenticated users to bypass intended SecurityManager
      restrictions.
    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
      before 6.0.45 mishandles session attributes, which allows remote
      authenticated users to bypass intended SecurityManager restrictions.
    - CVE-2016-0763: The setGlobalContext method in
      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
      not consider whether ResourceLinkFactory.setGlobalContext callers are
      authorized, which allows remote authenticated users to bypass intended
      SecurityManager restrictions and read or write to arbitrary application
      data, or cause a denial of service (application disruption), via a web
      application that sets a crafted global context.
    - CVE-2015-5351: The Manager and Host Manager applications in
      Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
      requests, which allows remote attackers to bypass a CSRF protection
      mechanism by using a token.

applied/ubuntu/xenial-proposed 2016-02-27 22:25:46 UTC 2016-02-27
Import patches-applied version 6.0.45+dfsg-1 to applied/debian/sid

Author: Markus Koschany
Author Date: 2016-02-27 18:32:00 UTC

Import patches-applied version 6.0.45+dfsg-1 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: 46c7f69f26478e966a06e2a803fe8f5d9b296807
Unapplied parent: 596c2ba16f6ae62920ff80d4f59f246f4e11eeb8

New changelog entries:
  * Team upload.
  * Imported Upstream version 6.0.45+dfsg.
    - Remove all prebuilt jar files.
  * Declare compliance with Debian Policy 3.9.7.
  * Vcs-fields: Use https.
  * This update fixes the following security vulnerabilities in the source
    package. Since src:tomcat6 only builds libservlet2.5-java and
    documentation, users are not directly affected.
    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
      processes redirects before considering security constraints and Filters.
    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
      org.apache.catalina.manager.StatusManagerServlet on the
      org/apache/catalina/core/RestrictedServlets.properties list which allows
      remote authenticated users to bypass intended SecurityManager
      restrictions.
    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
      before 6.0.45 mishandles session attributes, which allows remote
      authenticated users to bypass intended SecurityManager restrictions.
    - CVE-2016-0763: The setGlobalContext method in
      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
      not consider whether ResourceLinkFactory.setGlobalContext callers are
      authorized, which allows remote authenticated users to bypass intended
      SecurityManager restrictions and read or write to arbitrary application
      data, or cause a denial of service (application disruption), via a web
      application that sets a crafted global context.
    - CVE-2015-5351: The Manager and Host Manager applications in
      Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
      requests, which allows remote attackers to bypass a CSRF protection
      mechanism by using a token.

applied/ubuntu/xenial-devel 2016-02-27 22:25:46 UTC 2016-02-27
Import patches-applied version 6.0.45+dfsg-1 to applied/debian/sid

Author: Markus Koschany
Author Date: 2016-02-27 18:32:00 UTC

Import patches-applied version 6.0.45+dfsg-1 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: 46c7f69f26478e966a06e2a803fe8f5d9b296807
Unapplied parent: 596c2ba16f6ae62920ff80d4f59f246f4e11eeb8

New changelog entries:
  * Team upload.
  * Imported Upstream version 6.0.45+dfsg.
    - Remove all prebuilt jar files.
  * Declare compliance with Debian Policy 3.9.7.
  * Vcs-fields: Use https.
  * This update fixes the following security vulnerabilities in the source
    package. Since src:tomcat6 only builds libservlet2.5-java and
    documentation, users are not directly affected.
    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
      processes redirects before considering security constraints and Filters.
    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
      org.apache.catalina.manager.StatusManagerServlet on the
      org/apache/catalina/core/RestrictedServlets.properties list which allows
      remote authenticated users to bypass intended SecurityManager
      restrictions.
    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
      before 6.0.45 mishandles session attributes, which allows remote
      authenticated users to bypass intended SecurityManager restrictions.
    - CVE-2016-0763: The setGlobalContext method in
      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
      not consider whether ResourceLinkFactory.setGlobalContext callers are
      authorized, which allows remote authenticated users to bypass intended
      SecurityManager restrictions and read or write to arbitrary application
      data, or cause a denial of service (application disruption), via a web
      application that sets a crafted global context.
    - CVE-2015-5351: The Manager and Host Manager applications in
      Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
      requests, which allows remote attackers to bypass a CSRF protection
      mechanism by using a token.

applied/ubuntu/xenial 2016-02-27 22:25:46 UTC 2016-02-27
Import patches-applied version 6.0.45+dfsg-1 to applied/debian/sid

Author: Markus Koschany
Author Date: 2016-02-27 18:32:00 UTC

Import patches-applied version 6.0.45+dfsg-1 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: 46c7f69f26478e966a06e2a803fe8f5d9b296807
Unapplied parent: 596c2ba16f6ae62920ff80d4f59f246f4e11eeb8

New changelog entries:
  * Team upload.
  * Imported Upstream version 6.0.45+dfsg.
    - Remove all prebuilt jar files.
  * Declare compliance with Debian Policy 3.9.7.
  * Vcs-fields: Use https.
  * This update fixes the following security vulnerabilities in the source
    package. Since src:tomcat6 only builds libservlet2.5-java and
    documentation, users are not directly affected.
    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
      processes redirects before considering security constraints and Filters.
    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
      org.apache.catalina.manager.StatusManagerServlet on the
      org/apache/catalina/core/RestrictedServlets.properties list which allows
      remote authenticated users to bypass intended SecurityManager
      restrictions.
    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
      before 6.0.45 mishandles session attributes, which allows remote
      authenticated users to bypass intended SecurityManager restrictions.
    - CVE-2016-0763: The setGlobalContext method in
      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
      not consider whether ResourceLinkFactory.setGlobalContext callers are
      authorized, which allows remote authenticated users to bypass intended
      SecurityManager restrictions and read or write to arbitrary application
      data, or cause a denial of service (application disruption), via a web
      application that sets a crafted global context.
    - CVE-2015-5351: The Manager and Host Manager applications in
      Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
      requests, which allows remote attackers to bypass a CSRF protection
      mechanism by using a token.

applied/ubuntu/wily 2015-05-06 16:18:47 UTC 2015-05-06
Import patches-applied version 6.0.41-4 to applied/debian/sid

Author: Emmanuel Bourg
Author Date: 2015-05-06 07:35:37 UTC

Import patches-applied version 6.0.41-4 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: b233127b18c058889160b9804176d31069c0a120
Unapplied parent: 6fd8ff422ce132532af53789af24a323b8c6f670

New changelog entries:
  * Removed the timestamp from the Javadoc of the Servlet API
    to make the build reproducible

ubuntu/wily-devel 2015-05-06 16:18:47 UTC 2015-05-06
Import patches-unapplied version 6.0.41-4 to debian/sid

Author: Emmanuel Bourg
Author Date: 2015-05-06 07:35:37 UTC

Import patches-unapplied version 6.0.41-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 11326220cc9a5136e961c0fea16e443789b4e964

New changelog entries:
  * Removed the timestamp from the Javadoc of the Servlet API
    to make the build reproducible

ubuntu/wily-proposed 2015-05-06 16:18:47 UTC 2015-05-06
Import patches-unapplied version 6.0.41-4 to debian/sid

Author: Emmanuel Bourg
Author Date: 2015-05-06 07:35:37 UTC

Import patches-unapplied version 6.0.41-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 11326220cc9a5136e961c0fea16e443789b4e964

New changelog entries:
  * Removed the timestamp from the Javadoc of the Servlet API
    to make the build reproducible

ubuntu/wily 2015-05-06 16:18:47 UTC 2015-05-06
Import patches-unapplied version 6.0.41-4 to debian/sid

Author: Emmanuel Bourg
Author Date: 2015-05-06 07:35:37 UTC

Import patches-unapplied version 6.0.41-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 11326220cc9a5136e961c0fea16e443789b4e964

New changelog entries:
  * Removed the timestamp from the Javadoc of the Servlet API
    to make the build reproducible

applied/ubuntu/wily-proposed 2015-05-06 16:18:47 UTC 2015-05-06
Import patches-applied version 6.0.41-4 to applied/debian/sid

Author: Emmanuel Bourg
Author Date: 2015-05-06 07:35:37 UTC

Import patches-applied version 6.0.41-4 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: b233127b18c058889160b9804176d31069c0a120
Unapplied parent: 6fd8ff422ce132532af53789af24a323b8c6f670

New changelog entries:
  * Removed the timestamp from the Javadoc of the Servlet API
    to make the build reproducible

applied/ubuntu/wily-devel 2015-05-06 16:18:47 UTC 2015-05-06
Import patches-applied version 6.0.41-4 to applied/debian/sid

Author: Emmanuel Bourg
Author Date: 2015-05-06 07:35:37 UTC

Import patches-applied version 6.0.41-4 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: b233127b18c058889160b9804176d31069c0a120
Unapplied parent: 6fd8ff422ce132532af53789af24a323b8c6f670

New changelog entries:
  * Removed the timestamp from the Javadoc of the Servlet API
    to make the build reproducible

ubuntu/vivid-devel 2014-10-22 16:25:55 UTC 2014-10-22
Import patches-unapplied version 6.0.41-3 to debian/sid

Author: Emmanuel Bourg
Author Date: 2014-10-22 07:48:54 UTC

Import patches-unapplied version 6.0.41-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 070174a4696026951975f053a9b5d0955115ed43

New changelog entries:
  * Build only the libservlet2.5-java and libservlet2.5-java-doc packages.
    Tomcat 6 will not be supported in Jessie, but the Servlet API is still
    useful as a build dependency for other packages.
  * Standards-Version updated to 3.9.6 (no changes)

ubuntu/vivid-proposed 2014-10-22 16:25:55 UTC 2014-10-22
Import patches-unapplied version 6.0.41-3 to debian/sid

Author: Emmanuel Bourg
Author Date: 2014-10-22 07:48:54 UTC

Import patches-unapplied version 6.0.41-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 070174a4696026951975f053a9b5d0955115ed43

New changelog entries:
  * Build only the libservlet2.5-java and libservlet2.5-java-doc packages.
    Tomcat 6 will not be supported in Jessie, but the Servlet API is still
    useful as a build dependency for other packages.
  * Standards-Version updated to 3.9.6 (no changes)

applied/ubuntu/vivid-proposed 2014-10-22 16:25:55 UTC 2014-10-22
Import patches-applied version 6.0.41-3 to applied/debian/sid

Author: Emmanuel Bourg
Author Date: 2014-10-22 07:48:54 UTC

Import patches-applied version 6.0.41-3 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: 23cb85544a46f636b05f507bfb4491b88e9495f6
Unapplied parent: f919c6713dcfdfd808feff887f5db5616d475c9b

New changelog entries:
  * Build only the libservlet2.5-java and libservlet2.5-java-doc packages.
    Tomcat 6 will not be supported in Jessie, but the Servlet API is still
    useful as a build dependency for other packages.
  * Standards-Version updated to 3.9.6 (no changes)

applied/ubuntu/vivid-devel 2014-10-22 16:25:55 UTC 2014-10-22
Import patches-applied version 6.0.41-3 to applied/debian/sid

Author: Emmanuel Bourg
Author Date: 2014-10-22 07:48:54 UTC

Import patches-applied version 6.0.41-3 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: 23cb85544a46f636b05f507bfb4491b88e9495f6
Unapplied parent: f919c6713dcfdfd808feff887f5db5616d475c9b

New changelog entries:
  * Build only the libservlet2.5-java and libservlet2.5-java-doc packages.
    Tomcat 6 will not be supported in Jessie, but the Servlet API is still
    useful as a build dependency for other packages.
  * Standards-Version updated to 3.9.6 (no changes)

ubuntu/lucid-updates 2014-07-30 17:20:23 UTC 2014-07-30
Import patches-unapplied version 6.0.24-2ubuntu1.16 to ubuntu/lucid-security

Author: Marc Deslauriers
Author Date: 2014-07-24 19:49:36 UTC

Import patches-unapplied version 6.0.24-2ubuntu1.16 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 3018a565b3eb61ab2c02a8cea069e40a2bc651af

New changelog entries:
  * SECURITY UPDATE: denial of service via malformed chunk size
    - debian/patches/CVE-2014-0075.patch: fix overflow in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2014-0075
  * SECURITY UPDATE: file disclosure via XXE issue
    - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a
      relative path in conf/web.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/LocalStrings.properties,
      webapps/docs/default-servlet.xml.
    - CVE-2014-0096
  * SECURITY UPDATE: HTTP request smuggling attack via crafted
    Content-Length HTTP header
    - debian/patches/CVE-2014-0099.patch: correctly handle long values in
      java/org/apache/tomcat/util/buf/Ascii.java.
    - CVE-2014-0099

applied/ubuntu/lucid-devel 2014-07-30 17:20:23 UTC 2014-07-30
Import patches-applied version 6.0.24-2ubuntu1.16 to applied/ubuntu/lucid-sec...

Author: Marc Deslauriers
Author Date: 2014-07-24 19:49:36 UTC

Import patches-applied version 6.0.24-2ubuntu1.16 to applied/ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 7b44c4012ad6c95255c3b9b3604f8e16f34568ba
Unapplied parent: 246162f2ae9f2bcf6067712ab5387d136e65a1f6

New changelog entries:
  * SECURITY UPDATE: denial of service via malformed chunk size
    - debian/patches/CVE-2014-0075.patch: fix overflow in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2014-0075
  * SECURITY UPDATE: file disclosure via XXE issue
    - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a
      relative path in conf/web.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/LocalStrings.properties,
      webapps/docs/default-servlet.xml.
    - CVE-2014-0096
  * SECURITY UPDATE: HTTP request smuggling attack via crafted
    Content-Length HTTP header
    - debian/patches/CVE-2014-0099.patch: correctly handle long values in
      java/org/apache/tomcat/util/buf/Ascii.java.
    - CVE-2014-0099

ubuntu/lucid-security 2014-07-30 17:20:23 UTC 2014-07-30
Import patches-unapplied version 6.0.24-2ubuntu1.16 to ubuntu/lucid-security

Author: Marc Deslauriers
Author Date: 2014-07-24 19:49:36 UTC

Import patches-unapplied version 6.0.24-2ubuntu1.16 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 3018a565b3eb61ab2c02a8cea069e40a2bc651af

New changelog entries:
  * SECURITY UPDATE: denial of service via malformed chunk size
    - debian/patches/CVE-2014-0075.patch: fix overflow in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2014-0075
  * SECURITY UPDATE: file disclosure via XXE issue
    - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a
      relative path in conf/web.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/LocalStrings.properties,
      webapps/docs/default-servlet.xml.
    - CVE-2014-0096
  * SECURITY UPDATE: HTTP request smuggling attack via crafted
    Content-Length HTTP header
    - debian/patches/CVE-2014-0099.patch: correctly handle long values in
      java/org/apache/tomcat/util/buf/Ascii.java.
    - CVE-2014-0099

applied/ubuntu/lucid-security 2014-07-30 17:20:23 UTC 2014-07-30
Import patches-applied version 6.0.24-2ubuntu1.16 to applied/ubuntu/lucid-sec...

Author: Marc Deslauriers
Author Date: 2014-07-24 19:49:36 UTC

Import patches-applied version 6.0.24-2ubuntu1.16 to applied/ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 7b44c4012ad6c95255c3b9b3604f8e16f34568ba
Unapplied parent: 246162f2ae9f2bcf6067712ab5387d136e65a1f6

New changelog entries:
  * SECURITY UPDATE: denial of service via malformed chunk size
    - debian/patches/CVE-2014-0075.patch: fix overflow in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2014-0075
  * SECURITY UPDATE: file disclosure via XXE issue
    - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a
      relative path in conf/web.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/LocalStrings.properties,
      webapps/docs/default-servlet.xml.
    - CVE-2014-0096
  * SECURITY UPDATE: HTTP request smuggling attack via crafted
    Content-Length HTTP header
    - debian/patches/CVE-2014-0099.patch: correctly handle long values in
      java/org/apache/tomcat/util/buf/Ascii.java.
    - CVE-2014-0099

applied/ubuntu/lucid-updates 2014-07-30 17:20:23 UTC 2014-07-30
Import patches-applied version 6.0.24-2ubuntu1.16 to applied/ubuntu/lucid-sec...

Author: Marc Deslauriers
Author Date: 2014-07-24 19:49:36 UTC

Import patches-applied version 6.0.24-2ubuntu1.16 to applied/ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 7b44c4012ad6c95255c3b9b3604f8e16f34568ba
Unapplied parent: 246162f2ae9f2bcf6067712ab5387d136e65a1f6

New changelog entries:
  * SECURITY UPDATE: denial of service via malformed chunk size
    - debian/patches/CVE-2014-0075.patch: fix overflow in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2014-0075
  * SECURITY UPDATE: file disclosure via XXE issue
    - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a
      relative path in conf/web.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/LocalStrings.properties,
      webapps/docs/default-servlet.xml.
    - CVE-2014-0096
  * SECURITY UPDATE: HTTP request smuggling attack via crafted
    Content-Length HTTP header
    - debian/patches/CVE-2014-0099.patch: correctly handle long values in
      java/org/apache/tomcat/util/buf/Ascii.java.
    - CVE-2014-0099

ubuntu/lucid-devel 2014-07-30 17:20:23 UTC 2014-07-30
Import patches-unapplied version 6.0.24-2ubuntu1.16 to ubuntu/lucid-security

Author: Marc Deslauriers
Author Date: 2014-07-24 19:49:36 UTC

Import patches-unapplied version 6.0.24-2ubuntu1.16 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 3018a565b3eb61ab2c02a8cea069e40a2bc651af

New changelog entries:
  * SECURITY UPDATE: denial of service via malformed chunk size
    - debian/patches/CVE-2014-0075.patch: fix overflow in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2014-0075
  * SECURITY UPDATE: file disclosure via XXE issue
    - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a
      relative path in conf/web.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/LocalStrings.properties,
      webapps/docs/default-servlet.xml.
    - CVE-2014-0096
  * SECURITY UPDATE: HTTP request smuggling attack via crafted
    Content-Length HTTP header
    - debian/patches/CVE-2014-0099.patch: correctly handle long values in
      java/org/apache/tomcat/util/buf/Ascii.java.
    - CVE-2014-0099

ubuntu/utopic-proposed 2014-05-24 10:25:18 UTC 2014-05-24
Import patches-unapplied version 6.0.41-1 to debian/sid

Author: Emmanuel Bourg
Author Date: 2014-05-22 08:03:04 UTC

Import patches-unapplied version 6.0.41-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 9a275391aa32a30784e2452e9f971a1fe82e1319

New changelog entries:
  * New upstream release.
    - Refreshed the patches

applied/ubuntu/vivid 2014-05-24 10:25:18 UTC 2014-05-24
Import patches-applied version 6.0.41-1 to applied/debian/sid

Author: Emmanuel Bourg
Author Date: 2014-05-22 08:03:04 UTC

Import patches-applied version 6.0.41-1 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: fbcb77efb5d4799e0b73e2999141dde4994c0acd
Unapplied parent: 8ca3e645804101fda47873ab09e246d65c562511

New changelog entries:
  * New upstream release.
    - Refreshed the patches

applied/ubuntu/utopic-proposed 2014-05-24 10:25:18 UTC 2014-05-24
Import patches-applied version 6.0.41-1 to applied/debian/sid

Author: Emmanuel Bourg
Author Date: 2014-05-22 08:03:04 UTC

Import patches-applied version 6.0.41-1 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: fbcb77efb5d4799e0b73e2999141dde4994c0acd
Unapplied parent: 8ca3e645804101fda47873ab09e246d65c562511

New changelog entries:
  * New upstream release.
    - Refreshed the patches

applied/ubuntu/utopic-devel 2014-05-24 10:25:18 UTC 2014-05-24
Import patches-applied version 6.0.41-1 to applied/debian/sid

Author: Emmanuel Bourg
Author Date: 2014-05-22 08:03:04 UTC

Import patches-applied version 6.0.41-1 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: fbcb77efb5d4799e0b73e2999141dde4994c0acd
Unapplied parent: 8ca3e645804101fda47873ab09e246d65c562511

New changelog entries:
  * New upstream release.
    - Refreshed the patches

applied/ubuntu/utopic 2014-05-24 10:25:18 UTC 2014-05-24
Import patches-applied version 6.0.41-1 to applied/debian/sid

Author: Emmanuel Bourg
Author Date: 2014-05-22 08:03:04 UTC

Import patches-applied version 6.0.41-1 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: fbcb77efb5d4799e0b73e2999141dde4994c0acd
Unapplied parent: 8ca3e645804101fda47873ab09e246d65c562511

New changelog entries:
  * New upstream release.
    - Refreshed the patches

ubuntu/utopic 2014-05-24 10:25:18 UTC 2014-05-24
Import patches-unapplied version 6.0.41-1 to debian/sid

Author: Emmanuel Bourg
Author Date: 2014-05-22 08:03:04 UTC

Import patches-unapplied version 6.0.41-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 9a275391aa32a30784e2452e9f971a1fe82e1319

New changelog entries:
  * New upstream release.
    - Refreshed the patches

ubuntu/utopic-devel 2014-05-24 10:25:18 UTC 2014-05-24
Import patches-unapplied version 6.0.41-1 to debian/sid

Author: Emmanuel Bourg
Author Date: 2014-05-22 08:03:04 UTC

Import patches-unapplied version 6.0.41-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 9a275391aa32a30784e2452e9f971a1fe82e1319

New changelog entries:
  * New upstream release.
    - Refreshed the patches

ubuntu/vivid 2014-05-24 10:25:18 UTC 2014-05-24
Import patches-unapplied version 6.0.41-1 to debian/sid

Author: Emmanuel Bourg
Author Date: 2014-05-22 08:03:04 UTC

Import patches-unapplied version 6.0.41-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 9a275391aa32a30784e2452e9f971a1fe82e1319

New changelog entries:
  * New upstream release.
    - Refreshed the patches

ubuntu/trusty 2014-02-20 10:16:34 UTC 2014-02-20
Import patches-unapplied version 6.0.39-1 to debian/sid

Author: Emmanuel Bourg
Author Date: 2014-02-16 23:02:00 UTC

Import patches-unapplied version 6.0.39-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ce537e10f2c2627c2b41ca1b64be98cf61cd2d93

New changelog entries:
  * Team upload.
  * New upstream release.
    - Refreshed the patches
  * Standards-Version updated to 3.9.5 (no changes)
  * Switch to debhelper level 9
  * Use XZ compression for the upstream tarball
  * Use canonical URL for the Vcs-Git field

applied/ubuntu/trusty 2014-02-20 10:16:34 UTC 2014-02-20
Import patches-applied version 6.0.39-1 to applied/debian/sid

Author: Emmanuel Bourg
Author Date: 2014-02-16 23:02:00 UTC

Import patches-applied version 6.0.39-1 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: 49f38310091a7d6886ba63ff404a03111c1f2c79
Unapplied parent: 163b14181425cb63a64476926a29e95c5f462253

New changelog entries:
  * Team upload.
  * New upstream release.
    - Refreshed the patches
  * Standards-Version updated to 3.9.5 (no changes)
  * Switch to debhelper level 9
  * Use XZ compression for the upstream tarball
  * Use canonical URL for the Vcs-Git field

applied/ubuntu/trusty-proposed 2014-02-20 10:16:34 UTC 2014-02-20
Import patches-applied version 6.0.39-1 to applied/debian/sid

Author: Emmanuel Bourg
Author Date: 2014-02-16 23:02:00 UTC

Import patches-applied version 6.0.39-1 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: 49f38310091a7d6886ba63ff404a03111c1f2c79
Unapplied parent: 163b14181425cb63a64476926a29e95c5f462253

New changelog entries:
  * Team upload.
  * New upstream release.
    - Refreshed the patches
  * Standards-Version updated to 3.9.5 (no changes)
  * Switch to debhelper level 9
  * Use XZ compression for the upstream tarball
  * Use canonical URL for the Vcs-Git field

ubuntu/trusty-proposed 2014-02-20 10:16:34 UTC 2014-02-20
Import patches-unapplied version 6.0.39-1 to debian/sid

Author: Emmanuel Bourg
Author Date: 2014-02-16 23:02:00 UTC

Import patches-unapplied version 6.0.39-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ce537e10f2c2627c2b41ca1b64be98cf61cd2d93

New changelog entries:
  * Team upload.
  * New upstream release.
    - Refreshed the patches
  * Standards-Version updated to 3.9.5 (no changes)
  * Switch to debhelper level 9
  * Use XZ compression for the upstream tarball
  * Use canonical URL for the Vcs-Git field

debian/squeeze 2013-10-19 16:49:14 UTC 2013-10-19
Import patches-unapplied version 6.0.35-1+squeeze4 to debian/squeeze

Author: Moritz Muehlenhoff
Author Date: 2013-07-19 15:29:35 UTC

Import patches-unapplied version 6.0.35-1+squeeze4 to debian/squeeze

Imported using git-ubuntu import.

Changelog parent: 0223a0ebfe2139aade9522645ee4b29ccde99474

New changelog entries:
  * Correct target distribution
  * CVE-2012-2733, CVE-2012-3544, CVE-2012-3546, CVE-2012-4431
    CVE-2012-4534, CVE-2012-5885, CVE-2012-5886, CVE-2012-5887
    CVE-2013-2067

applied/debian/squeeze 2013-10-19 16:49:14 UTC 2013-10-19
Import patches-applied version 6.0.35-1+squeeze4 to applied/debian/squeeze

Author: Moritz Muehlenhoff
Author Date: 2013-07-19 15:29:35 UTC

Import patches-applied version 6.0.35-1+squeeze4 to applied/debian/squeeze

Imported using git-ubuntu import.

Changelog parent: c099f1bda8b11837b04ddd73e581ee8cffb17dcd
Unapplied parent: 43468f5952bcd0d954a29ebd42595e68a256ad92

New changelog entries:
  * Correct target distribution
  * CVE-2012-2733, CVE-2012-3544, CVE-2012-3546, CVE-2012-4431
    CVE-2012-4534, CVE-2012-5885, CVE-2012-5886, CVE-2012-5887
    CVE-2013-2067

ubuntu/saucy 2013-08-04 10:17:55 UTC 2013-08-04
Import patches-unapplied version 6.0.37-1 to debian/sid

Author: Tony Mancill
Author Date: 2013-08-04 04:50:20 UTC

Import patches-unapplied version 6.0.37-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 12f003fbf61503009ca78e513a97d70ed34dc9df

New changelog entries:
  * New upstream release.
    - Drop patches for CVE-2012-4534, CVE-2012-4431, CVE-2012-3546,
      CVE-2012-2733, CVE-2012-3439
    - Drop 0011-CVE-02012-0022-regression-fix.patch
    - Drop 0017-eclipse-compiler-update.patch
  * Freshened remaining patches.

applied/ubuntu/saucy 2013-08-04 10:17:55 UTC 2013-08-04
Import patches-applied version 6.0.37-1 to applied/debian/sid

Author: Tony Mancill
Author Date: 2013-08-04 04:50:20 UTC

Import patches-applied version 6.0.37-1 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: c0e5d0ac216c90e9aebeab703ff5024dab19342e
Unapplied parent: 50b4905032ab37f67d7f87ebebbd2032d3439dbd

New changelog entries:
  * New upstream release.
    - Drop patches for CVE-2012-4534, CVE-2012-4431, CVE-2012-3546,
      CVE-2012-2733, CVE-2012-3439
    - Drop 0011-CVE-02012-0022-regression-fix.patch
    - Drop 0017-eclipse-compiler-update.patch
  * Freshened remaining patches.

applied/ubuntu/saucy-devel 2013-08-04 10:17:55 UTC 2013-08-04
Import patches-applied version 6.0.37-1 to applied/debian/sid

Author: Tony Mancill
Author Date: 2013-08-04 04:50:20 UTC

Import patches-applied version 6.0.37-1 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: c0e5d0ac216c90e9aebeab703ff5024dab19342e
Unapplied parent: 50b4905032ab37f67d7f87ebebbd2032d3439dbd

New changelog entries:
  * New upstream release.
    - Drop patches for CVE-2012-4534, CVE-2012-4431, CVE-2012-3546,
      CVE-2012-2733, CVE-2012-3439
    - Drop 0011-CVE-02012-0022-regression-fix.patch
    - Drop 0017-eclipse-compiler-update.patch
  * Freshened remaining patches.

ubuntu/saucy-devel 2013-08-04 10:17:55 UTC 2013-08-04
Import patches-unapplied version 6.0.37-1 to debian/sid

Author: Tony Mancill
Author Date: 2013-08-04 04:50:20 UTC

Import patches-unapplied version 6.0.37-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 12f003fbf61503009ca78e513a97d70ed34dc9df

New changelog entries:
  * New upstream release.
    - Drop patches for CVE-2012-4534, CVE-2012-4431, CVE-2012-3546,
      CVE-2012-2733, CVE-2012-3439
    - Drop 0011-CVE-02012-0022-regression-fix.patch
    - Drop 0017-eclipse-compiler-update.patch
  * Freshened remaining patches.

applied/ubuntu/saucy-proposed 2013-08-04 10:17:55 UTC 2013-08-04
Import patches-applied version 6.0.37-1 to applied/debian/sid

Author: Tony Mancill
Author Date: 2013-08-04 04:50:20 UTC

Import patches-applied version 6.0.37-1 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: c0e5d0ac216c90e9aebeab703ff5024dab19342e
Unapplied parent: 50b4905032ab37f67d7f87ebebbd2032d3439dbd

New changelog entries:
  * New upstream release.
    - Drop patches for CVE-2012-4534, CVE-2012-4431, CVE-2012-3546,
      CVE-2012-2733, CVE-2012-3439
    - Drop 0011-CVE-02012-0022-regression-fix.patch
    - Drop 0017-eclipse-compiler-update.patch
  * Freshened remaining patches.

ubuntu/saucy-proposed 2013-08-04 10:17:55 UTC 2013-08-04
Import patches-unapplied version 6.0.37-1 to debian/sid

Author: Tony Mancill
Author Date: 2013-08-04 04:50:20 UTC

Import patches-unapplied version 6.0.37-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 12f003fbf61503009ca78e513a97d70ed34dc9df

New changelog entries:
  * New upstream release.
    - Drop patches for CVE-2012-4534, CVE-2012-4431, CVE-2012-3546,
      CVE-2012-2733, CVE-2012-3439
    - Drop 0011-CVE-02012-0022-regression-fix.patch
    - Drop 0017-eclipse-compiler-update.patch
  * Freshened remaining patches.

applied/ubuntu/quantal-security 2013-05-29 00:33:22 UTC 2013-05-29
Import patches-applied version 6.0.35-5ubuntu0.1 to applied/ubuntu/quantal-se...

Author: Jamie Strandboge
Author Date: 2013-05-28 20:11:06 UTC

Import patches-applied version 6.0.35-5ubuntu0.1 to applied/ubuntu/quantal-security

Imported using git-ubuntu import.

Changelog parent: a06cdca1c46f878e165ce84de75a625f73c1d4cf
Unapplied parent: fdfd7907ee0c37c38d5f2702868a290d624eb1f3

New changelog entries:
  [ Christian Kuersteiner ]
  * SECURITY UPDATE: denial of service via large header data
    - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2012-2733
    - LP: #1166649
  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534
  [ Jamie Strandboge ]
  * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
    - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
      authenticated user in the session by default, track server rather
      than client nonces, better handling of stale nonce values in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java.
      Patch from Marc Deslauriers.
    - CVE-2012-3439
    - CVE-2012-5885
    - CVE-2012-5886
    - CVE-2012-5887
  * SECURITY UPDATE: denial of service via chunked transfer encoding
    - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
      Patch from Marc Deslauriers.
    - CVE-2012-3544
  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID
      in java/org/apache/catalina/authenticator/FormAuthenticator.java.
      Patch from Marc Deslauriers.
    - CVE-2013-2067

applied/ubuntu/quantal-updates 2013-05-29 00:33:22 UTC 2013-05-29
Import patches-applied version 6.0.35-5ubuntu0.1 to applied/ubuntu/quantal-se...

Author: Jamie Strandboge
Author Date: 2013-05-28 20:11:06 UTC

Import patches-applied version 6.0.35-5ubuntu0.1 to applied/ubuntu/quantal-security

Imported using git-ubuntu import.

Changelog parent: a06cdca1c46f878e165ce84de75a625f73c1d4cf
Unapplied parent: fdfd7907ee0c37c38d5f2702868a290d624eb1f3

New changelog entries:
  [ Christian Kuersteiner ]
  * SECURITY UPDATE: denial of service via large header data
    - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2012-2733
    - LP: #1166649
  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534
  [ Jamie Strandboge ]
  * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
    - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
      authenticated user in the session by default, track server rather
      than client nonces, better handling of stale nonce values in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java.
      Patch from Marc Deslauriers.
    - CVE-2012-3439
    - CVE-2012-5885
    - CVE-2012-5886
    - CVE-2012-5887
  * SECURITY UPDATE: denial of service via chunked transfer encoding
    - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
      Patch from Marc Deslauriers.
    - CVE-2012-3544
  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID
      in java/org/apache/catalina/authenticator/FormAuthenticator.java.
      Patch from Marc Deslauriers.
    - CVE-2013-2067

applied/ubuntu/quantal-devel 2013-05-29 00:33:22 UTC 2013-05-29
Import patches-applied version 6.0.35-5ubuntu0.1 to applied/ubuntu/quantal-se...

Author: Jamie Strandboge
Author Date: 2013-05-28 20:11:06 UTC

Import patches-applied version 6.0.35-5ubuntu0.1 to applied/ubuntu/quantal-security

Imported using git-ubuntu import.

Changelog parent: a06cdca1c46f878e165ce84de75a625f73c1d4cf
Unapplied parent: fdfd7907ee0c37c38d5f2702868a290d624eb1f3

New changelog entries:
  [ Christian Kuersteiner ]
  * SECURITY UPDATE: denial of service via large header data
    - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2012-2733
    - LP: #1166649
  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534
  [ Jamie Strandboge ]
  * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
    - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
      authenticated user in the session by default, track server rather
      than client nonces, better handling of stale nonce values in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java.
      Patch from Marc Deslauriers.
    - CVE-2012-3439
    - CVE-2012-5885
    - CVE-2012-5886
    - CVE-2012-5887
  * SECURITY UPDATE: denial of service via chunked transfer encoding
    - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
      Patch from Marc Deslauriers.
    - CVE-2012-3544
  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID
      in java/org/apache/catalina/authenticator/FormAuthenticator.java.
      Patch from Marc Deslauriers.
    - CVE-2013-2067

ubuntu/quantal-updates 2013-05-29 00:33:22 UTC 2013-05-29
Import patches-unapplied version 6.0.35-5ubuntu0.1 to ubuntu/quantal-security

Author: Jamie Strandboge
Author Date: 2013-05-28 20:11:06 UTC

Import patches-unapplied version 6.0.35-5ubuntu0.1 to ubuntu/quantal-security

Imported using git-ubuntu import.

Changelog parent: 32ca89b725ef4f08aa0e63a3b2f166179ee6ae79

New changelog entries:
  [ Christian Kuersteiner ]
  * SECURITY UPDATE: denial of service via large header data
    - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2012-2733
    - LP: #1166649
  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534
  [ Jamie Strandboge ]
  * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
    - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
      authenticated user in the session by default, track server rather
      than client nonces, better handling of stale nonce values in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java.
      Patch from Marc Deslauriers.
    - CVE-2012-3439
    - CVE-2012-5885
    - CVE-2012-5886
    - CVE-2012-5887
  * SECURITY UPDATE: denial of service via chunked transfer encoding
    - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
      Patch from Marc Deslauriers.
    - CVE-2012-3544
  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID
      in java/org/apache/catalina/authenticator/FormAuthenticator.java.
      Patch from Marc Deslauriers.
    - CVE-2013-2067

ubuntu/quantal-security 2013-05-29 00:33:22 UTC 2013-05-29
Import patches-unapplied version 6.0.35-5ubuntu0.1 to ubuntu/quantal-security

Author: Jamie Strandboge
Author Date: 2013-05-28 20:11:06 UTC

Import patches-unapplied version 6.0.35-5ubuntu0.1 to ubuntu/quantal-security

Imported using git-ubuntu import.

Changelog parent: 32ca89b725ef4f08aa0e63a3b2f166179ee6ae79

New changelog entries:
  [ Christian Kuersteiner ]
  * SECURITY UPDATE: denial of service via large header data
    - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2012-2733
    - LP: #1166649
  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534
  [ Jamie Strandboge ]
  * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
    - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
      authenticated user in the session by default, track server rather
      than client nonces, better handling of stale nonce values in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java.
      Patch from Marc Deslauriers.
    - CVE-2012-3439
    - CVE-2012-5885
    - CVE-2012-5886
    - CVE-2012-5887
  * SECURITY UPDATE: denial of service via chunked transfer encoding
    - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
      Patch from Marc Deslauriers.
    - CVE-2012-3544
  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID
      in java/org/apache/catalina/authenticator/FormAuthenticator.java.
      Patch from Marc Deslauriers.
    - CVE-2013-2067

ubuntu/quantal-devel 2013-05-29 00:33:22 UTC 2013-05-29
Import patches-unapplied version 6.0.35-5ubuntu0.1 to ubuntu/quantal-security

Author: Jamie Strandboge
Author Date: 2013-05-28 20:11:06 UTC

Import patches-unapplied version 6.0.35-5ubuntu0.1 to ubuntu/quantal-security

Imported using git-ubuntu import.

Changelog parent: 32ca89b725ef4f08aa0e63a3b2f166179ee6ae79

New changelog entries:
  [ Christian Kuersteiner ]
  * SECURITY UPDATE: denial of service via large header data
    - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2012-2733
    - LP: #1166649
  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534
  [ Jamie Strandboge ]
  * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
    - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
      authenticated user in the session by default, track server rather
      than client nonces, better handling of stale nonce values in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java.
      Patch from Marc Deslauriers.
    - CVE-2012-3439
    - CVE-2012-5885
    - CVE-2012-5886
    - CVE-2012-5887
  * SECURITY UPDATE: denial of service via chunked transfer encoding
    - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
      Patch from Marc Deslauriers.
    - CVE-2012-3544
  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID
      in java/org/apache/catalina/authenticator/FormAuthenticator.java.
      Patch from Marc Deslauriers.
    - CVE-2013-2067

applied/ubuntu/oneiric-security 2013-01-14 14:03:12 UTC 2013-01-14
Import patches-applied version 6.0.32-5ubuntu1.4 to applied/ubuntu/oneiric-se...

Author: Marc Deslauriers
Author Date: 2013-01-10 15:00:07 UTC

Import patches-applied version 6.0.32-5ubuntu1.4 to applied/ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: 0581d9a3b765b085886df725a2469c45c6e5d6b0
Unapplied parent: 05e5a72f089a8cb8bc2b65440918c22849d9fe70

New changelog entries:
  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534

applied/ubuntu/oneiric-devel 2013-01-14 14:03:12 UTC 2013-01-14
Import patches-applied version 6.0.32-5ubuntu1.4 to applied/ubuntu/oneiric-se...

Author: Marc Deslauriers
Author Date: 2013-01-10 15:00:07 UTC

Import patches-applied version 6.0.32-5ubuntu1.4 to applied/ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: 0581d9a3b765b085886df725a2469c45c6e5d6b0
Unapplied parent: 05e5a72f089a8cb8bc2b65440918c22849d9fe70

New changelog entries:
  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534

ubuntu/oneiric-devel 2013-01-14 14:03:12 UTC 2013-01-14
Import patches-unapplied version 6.0.32-5ubuntu1.4 to ubuntu/oneiric-security

Author: Marc Deslauriers
Author Date: 2013-01-10 15:00:07 UTC

Import patches-unapplied version 6.0.32-5ubuntu1.4 to ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: 2882574aaa0acbb1a86a0b18bc690368ce407808

New changelog entries:
  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534

ubuntu/oneiric-security 2013-01-14 14:03:12 UTC 2013-01-14
Import patches-unapplied version 6.0.32-5ubuntu1.4 to ubuntu/oneiric-security

Author: Marc Deslauriers
Author Date: 2013-01-10 15:00:07 UTC

Import patches-unapplied version 6.0.32-5ubuntu1.4 to ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: 2882574aaa0acbb1a86a0b18bc690368ce407808

New changelog entries:
  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534

ubuntu/oneiric-updates 2013-01-14 14:03:12 UTC 2013-01-14
Import patches-unapplied version 6.0.32-5ubuntu1.4 to ubuntu/oneiric-security

Author: Marc Deslauriers
Author Date: 2013-01-10 15:00:07 UTC

Import patches-unapplied version 6.0.32-5ubuntu1.4 to ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: 2882574aaa0acbb1a86a0b18bc690368ce407808

New changelog entries:
  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534

applied/ubuntu/oneiric-updates 2013-01-14 14:03:12 UTC 2013-01-14
Import patches-applied version 6.0.32-5ubuntu1.4 to applied/ubuntu/oneiric-se...

Author: Marc Deslauriers
Author Date: 2013-01-10 15:00:07 UTC

Import patches-applied version 6.0.32-5ubuntu1.4 to applied/ubuntu/oneiric-security

Imported using git-ubuntu import.

Changelog parent: 0581d9a3b765b085886df725a2469c45c6e5d6b0
Unapplied parent: 05e5a72f089a8cb8bc2b65440918c22849d9fe70

New changelog entries:
  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534

applied/ubuntu/raring-devel 2012-12-08 10:16:06 UTC 2012-12-08
Import patches-applied version 6.0.35-6 to applied/debian/sid

Author: Tony Mancill
Author Date: 2012-12-07 05:10:11 UTC

Import patches-applied version 6.0.35-6 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: e08121315f0f64ad6f8479bd6989d93031cb39fb
Unapplied parent: 5240b51d7cabda73daf5c6e9ef6246d9ce282e03

New changelog entries:
  * Acknowledge NMU: 6.0.35-5+nmu1 (Closes: #692440)
    - Thank you to Michael Gilbert.
  * Add patches for the following security issues: (Closes: #695250)
    - CVE-2012-4534, CVE-2012-4431, CVE-2012-3546

ubuntu/raring-proposed 2012-12-08 10:16:06 UTC 2012-12-08
Import patches-unapplied version 6.0.35-6 to debian/sid

Author: Tony Mancill
Author Date: 2012-12-07 05:10:11 UTC

Import patches-unapplied version 6.0.35-6 to debian/sid

Imported using git-ubuntu import.

Changelog parent: d00c9f1ebacb01aed9d8eb19f1c3bc0805a88de3

New changelog entries:
  * Acknowledge NMU: 6.0.35-5+nmu1 (Closes: #692440)
    - Thank you to Michael Gilbert.
  * Add patches for the following security issues: (Closes: #695250)
    - CVE-2012-4534, CVE-2012-4431, CVE-2012-3546

applied/ubuntu/raring 2012-12-08 10:16:06 UTC 2012-12-08
Import patches-applied version 6.0.35-6 to applied/debian/sid

Author: Tony Mancill
Author Date: 2012-12-07 05:10:11 UTC

Import patches-applied version 6.0.35-6 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: e08121315f0f64ad6f8479bd6989d93031cb39fb
Unapplied parent: 5240b51d7cabda73daf5c6e9ef6246d9ce282e03

New changelog entries:
  * Acknowledge NMU: 6.0.35-5+nmu1 (Closes: #692440)
    - Thank you to Michael Gilbert.
  * Add patches for the following security issues: (Closes: #695250)
    - CVE-2012-4534, CVE-2012-4431, CVE-2012-3546

applied/ubuntu/raring-proposed 2012-12-08 10:16:06 UTC 2012-12-08
Import patches-applied version 6.0.35-6 to applied/debian/sid

Author: Tony Mancill
Author Date: 2012-12-07 05:10:11 UTC

Import patches-applied version 6.0.35-6 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: e08121315f0f64ad6f8479bd6989d93031cb39fb
Unapplied parent: 5240b51d7cabda73daf5c6e9ef6246d9ce282e03

New changelog entries:
  * Acknowledge NMU: 6.0.35-5+nmu1 (Closes: #692440)
    - Thank you to Michael Gilbert.
  * Add patches for the following security issues: (Closes: #695250)
    - CVE-2012-4534, CVE-2012-4431, CVE-2012-3546

ubuntu/raring 2012-12-08 10:16:06 UTC 2012-12-08
Import patches-unapplied version 6.0.35-6 to debian/sid

Author: Tony Mancill
Author Date: 2012-12-07 05:10:11 UTC

Import patches-unapplied version 6.0.35-6 to debian/sid

Imported using git-ubuntu import.

Changelog parent: d00c9f1ebacb01aed9d8eb19f1c3bc0805a88de3

New changelog entries:
  * Acknowledge NMU: 6.0.35-5+nmu1 (Closes: #692440)
    - Thank you to Michael Gilbert.
  * Add patches for the following security issues: (Closes: #695250)
    - CVE-2012-4534, CVE-2012-4431, CVE-2012-3546

ubuntu/raring-devel 2012-12-08 10:16:06 UTC 2012-12-08
Import patches-unapplied version 6.0.35-6 to debian/sid

Author: Tony Mancill
Author Date: 2012-12-07 05:10:11 UTC

Import patches-unapplied version 6.0.35-6 to debian/sid

Imported using git-ubuntu import.

Changelog parent: d00c9f1ebacb01aed9d8eb19f1c3bc0805a88de3

New changelog entries:
  * Acknowledge NMU: 6.0.35-5+nmu1 (Closes: #692440)
    - Thank you to Michael Gilbert.
  * Add patches for the following security issues: (Closes: #695250)
    - CVE-2012-4534, CVE-2012-4431, CVE-2012-3546

ubuntu/quantal 2012-09-25 10:24:06 UTC 2012-09-25
Import patches-unapplied version 6.0.35-5 to debian/sid

Author: Tony Mancill
Author Date: 2012-08-07 04:29:11 UTC

Import patches-unapplied version 6.0.35-5 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 861aade8a99ecb61218e96ec98133a5776526071

New changelog entries:
  * Apply patch to README.Debian to explain setting the HTTPOnly flag
    in cookies by default; CVE-2010-4312. (Closes: #608286)
    - Thank you to Thijs Kinkhorst for the patch.
  * Use ucf and a template for /etc/logrotate.d/tomcat6 file to avoid
    updating the shipped conffile. (Closes: #687818)

applied/ubuntu/quantal 2012-09-25 10:24:06 UTC 2012-09-25
Import patches-applied version 6.0.35-5 to applied/debian/sid

Author: Tony Mancill
Author Date: 2012-08-07 04:29:11 UTC

Import patches-applied version 6.0.35-5 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: ac262bdd7548309b95bd284c42ef1c96b92f8945
Unapplied parent: 32fb7bec2c9c43cbddd9c17f676733325825d3e3

New changelog entries:
  * Apply patch to README.Debian to explain setting the HTTPOnly flag
    in cookies by default; CVE-2010-4312. (Closes: #608286)
    - Thank you to Thijs Kinkhorst for the patch.
  * Use ucf and a template for /etc/logrotate.d/tomcat6 file to avoid
    updating the shipped conffile. (Closes: #687818)

applied/ubuntu/precise 2012-04-11 11:03:52 UTC 2012-04-11
Import patches-applied version 6.0.35-1ubuntu3 to applied/ubuntu/precise

Author: James Page
Author Date: 2012-04-11 09:29:11 UTC

Import patches-applied version 6.0.35-1ubuntu3 to applied/ubuntu/precise

Imported using git-ubuntu import.

Changelog parent: 77d02ec46bcd0f58a948a7994c2a6c7e509b04bc
Unapplied parent: ec205384c5339efc303569cba61d1d016627b09b

New changelog entries:
  * Handle creation of user instances with pathnames containing spaces
    (LP: #977498):
    - d/tomcat6-instance-create: Quote access to files and directories
      so that spaces can be used when creating user instances.

ubuntu/precise 2012-04-11 11:03:52 UTC 2012-04-11
Import patches-unapplied version 6.0.35-1ubuntu3 to ubuntu/precise

Author: James Page
Author Date: 2012-04-11 09:29:11 UTC

Import patches-unapplied version 6.0.35-1ubuntu3 to ubuntu/precise

Imported using git-ubuntu import.

Changelog parent: b6a15e5996ea89a8a96de604f18df080c96d1feb

New changelog entries:
  * Handle creation of user instances with pathnames containing spaces
    (LP: #977498):
    - d/tomcat6-instance-create: Quote access to files and directories
      so that spaces can be used when creating user instances.

ubuntu/natty-security 2012-01-26 16:34:39 UTC 2012-01-26
Import patches-unapplied version 6.0.28-10ubuntu2.3 to ubuntu/natty-proposed

Author: Marc Deslauriers
Author Date: 2012-01-25 18:42:23 UTC

Import patches-unapplied version 6.0.28-10ubuntu2.3 to ubuntu/natty-proposed

Imported using git-ubuntu import.

Changelog parent: d6e04c0d430782b052e3f7772ca95caacaa0531d

New changelog entries:
  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022

applied/ubuntu/maverick-security 2012-01-26 16:34:39 UTC 2012-01-26
Import patches-applied version 6.0.28-2ubuntu1.6 to applied/ubuntu/maverick-p...

Author: Marc Deslauriers
Author Date: 2012-01-25 19:09:00 UTC

Import patches-applied version 6.0.28-2ubuntu1.6 to applied/ubuntu/maverick-proposed

Imported using git-ubuntu import.

Changelog parent: 8872e0d58b433ea408335b570016bd9f3dfa7e58
Unapplied parent: 80bb0513861036d0a321b9d349272c0d62e1e259

New changelog entries:
  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022

applied/ubuntu/maverick-updates 2012-01-26 16:34:39 UTC 2012-01-26
Import patches-applied version 6.0.28-2ubuntu1.6 to applied/ubuntu/maverick-p...

Author: Marc Deslauriers
Author Date: 2012-01-25 19:09:00 UTC

Import patches-applied version 6.0.28-2ubuntu1.6 to applied/ubuntu/maverick-proposed

Imported using git-ubuntu import.

Changelog parent: 8872e0d58b433ea408335b570016bd9f3dfa7e58
Unapplied parent: 80bb0513861036d0a321b9d349272c0d62e1e259

New changelog entries:
  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022

applied/ubuntu/maverick-proposed 2012-01-26 16:34:39 UTC 2012-01-26
Import patches-applied version 6.0.28-2ubuntu1.6 to applied/ubuntu/maverick-p...

Author: Marc Deslauriers
Author Date: 2012-01-25 19:09:00 UTC

Import patches-applied version 6.0.28-2ubuntu1.6 to applied/ubuntu/maverick-proposed

Imported using git-ubuntu import.

Changelog parent: 8872e0d58b433ea408335b570016bd9f3dfa7e58
Unapplied parent: 80bb0513861036d0a321b9d349272c0d62e1e259

New changelog entries:
  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022

applied/ubuntu/natty-devel 2012-01-26 16:34:39 UTC 2012-01-26
Import patches-applied version 6.0.28-10ubuntu2.3 to applied/ubuntu/natty-pro...

Author: Marc Deslauriers
Author Date: 2012-01-25 18:42:23 UTC

Import patches-applied version 6.0.28-10ubuntu2.3 to applied/ubuntu/natty-proposed

Imported using git-ubuntu import.

Changelog parent: 7fe876485b21469a46c53793cdfe5db73beb5c49
Unapplied parent: fca4c0455289503b132d688c863ad4218cd16064

New changelog entries:
  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022

applied/ubuntu/maverick-devel 2012-01-26 16:34:39 UTC 2012-01-26
Import patches-applied version 6.0.28-2ubuntu1.6 to applied/ubuntu/maverick-p...

Author: Marc Deslauriers
Author Date: 2012-01-25 19:09:00 UTC

Import patches-applied version 6.0.28-2ubuntu1.6 to applied/ubuntu/maverick-proposed

Imported using git-ubuntu import.

Changelog parent: 8872e0d58b433ea408335b570016bd9f3dfa7e58
Unapplied parent: 80bb0513861036d0a321b9d349272c0d62e1e259

New changelog entries:
  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022

1 → 100 of 154 results

Other repositories

Name Last Modified
lp:ubuntu/+source/tomcat6 2018-10-17
1 → 1 of 1 result