Branches for Quantal

Name Status Last Modified Last Commit
lp:ubuntu/quantal/tomcat6 bug 2 Mature 2012-08-06 21:29:11 UTC
49. * Apply patch to README.Debian to exp...

Author: Tony Mancill
Revision Date: 2012-08-06 21:29:11 UTC

* Apply patch to README.Debian to explain setting the HTTPOnly flag
  in cookies by default; CVE-2010-4312. (Closes: #608286)
  - Thank you to Thijs Kinkhorst for the patch.
* Use ucf and a template for /etc/logrotate.d/tomcat6 file to avoid
  updating the shipped conffile. (Closes: #687818)

lp:ubuntu/quantal-security/tomcat6 bug 2 Mature 2013-05-29 00:39:32 UTC
50. [ Christian Kuersteiner ] * SECURITY ...

Author: Jamie Strandboge
Revision Date: 2013-05-28 15:11:06 UTC

[ Christian Kuersteiner ]
* SECURITY UPDATE: denial of service via large header data
  - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
    java/org/apache/coyote/http11/InternalNioInputBuffer.java.
  - CVE-2012-2733
  - LP: #1166649
* SECURITY UPDATE: security-constraint bypass with FORM auth
  - debian/patches/CVE-2012-3546.patch: remove unneeded code in
    java/org/apache/catalina/realm/RealmBase.java.
  - CVE-2012-3546
* SECURITY UPDATE: CSRF bypass via request with no session identifier
  - debian/patches/CVE-2012-4431.patch: check for session identifier in
    java/org/apache/catalina/filters/CsrfPreventionFilter.java.
  - CVE-2012-4431
* SECURITY UPDATE: denial of service with NIO connector
  - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
    in java/org/apache/tomcat/util/net/NioEndpoint.java.
  - CVE-2012-4534

[ Jamie Strandboge ]
* SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
  - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
    authenticated user in the session by default, track server rather
    than client nonces, better handling of stale nonce values in
    java/org/apache/catalina/authenticator/DigestAuthenticator.java.
    Patch from Marc Deslauriers.
  - CVE-2012-3439
  - CVE-2012-5885
  - CVE-2012-5886
  - CVE-2012-5887
* SECURITY UPDATE: denial of service via chunked transfer encoding
  - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests
    in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    Patch from Marc Deslauriers.
  - CVE-2012-3544
* SECURITY UPDATE: FORM authentication request injection
  - debian/patches/CVE-2013-2067.patch: properly change session ID
    in java/org/apache/catalina/authenticator/FormAuthenticator.java.
    Patch from Marc Deslauriers.
  - CVE-2013-2067

lp:ubuntu/quantal-updates/tomcat6 2 Mature 2013-05-29 01:03:39 UTC
50. [ Christian Kuersteiner ] * SECURITY ...

Author: Jamie Strandboge
Revision Date: 2013-05-28 15:11:06 UTC
