Merge ~levihackerman-102/ubuntu/+source/tomcat10:merge-lp2131133-resolute into ubuntu/+source/tomcat10:debian/sid

Proposed by Anshul Singh
Status: Needs review
Proposed branch: ~levihackerman-102/ubuntu/+source/tomcat10:merge-lp2131133-resolute
Merge into: ubuntu/+source/tomcat10:debian/sid
Diff against target: 89 lines (+48/-1)
4 files modified
debian/changelog (+19/-0)
debian/control (+2/-1)
debian/patches/CVE-2025-46701.patch (+26/-0)
debian/patches/series (+1/-0)
Reviewer Review Type Date Requested Status
Nick Rosbrook (community) Needs Fixing
git-ubuntu import Pending
Review via email: mp+495660@code.launchpad.net
Anshul Singh (levihackerman-102) wrote :
Nick Rosbrook (enr0n) wrote :

See inline comments. I don't think this needs a merge at all, and should be a sync, but please address my comments to be sure.

review: Needs Fixing

Unmerged commits

5871f3e... by Anshul Singh

update maintainer

a3fe025... by Anshul Singh

changelog: Merge of 10.1.46-1

22b924d... by Anshul Singh

refreshed patch

1c7b5f8... by Anshul Singh

* SECURITY UPDATE: Security Constraint Bypass
    - debian/patches/CVE-2025-46701.patch: Refactor CGI servlet to
      access resources via WebResources
    - CVE-2025-46701

Preview Diff

1diff --git a/debian/changelog b/debian/changelog
2index 2954234..52d8366 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,13 @@
6+tomcat10 (10.1.46-1ubuntu1) resolute; urgency=medium
7+
8+ * Remaining changes:
9+ - SECURITY UPDATE: Security Constraint Bypass
10+ - debian/patches/CVE-2025-46701.patch: Refactor CGI servlet to
11+ access resources via WebResources
12+ - CVE-2025-46701
13+
14+ -- Anshul Singh <anshul.singh@canonical.com> Wed, 12 Nov 2025 08:27:52 +0000
15+
16 tomcat10 (10.1.46-1) unstable; urgency=medium
17
18 * New upstream release
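Review bot: The new 10.1.46-1ubuntu1 entry lists only "Remaining changes" and never records the merge itself; by Ubuntu convention the first bullet should read along the lines of "* Merge with Debian unstable (LP: #2131133). Remaining changes:", with the bug number taken from the branch name merge-lp2131133-resolute so the bug is closed on upload. The one remaining change is also worth re-checking: it backports an upstream commit dated 28 Apr 2025, five months before the 10.1.46-1 upload of 29 Sep 2025 that follows it, so confirm whether upstream 10.1.46 already contains that fix. If it does, the delta is empty and this should be a sync rather than a merge, as the reviewer already suggested.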
19@@ -5,6 +15,15 @@ tomcat10 (10.1.46-1) unstable; urgency=medium
20
21 -- Emmanuel Bourg <ebourg@apache.org> Mon, 29 Sep 2025 13:43:22 +0200
22
23+tomcat10 (10.1.40-1ubuntu1) questing; urgency=medium
24+
25+ * SECURITY UPDATE: Security Constraint Bypass
26+ - debian/patches/CVE-2025-46701.patch: Refactor CGI servlet to
27+ access resources via WebResources
28+ - CVE-2025-46701
29+
30+ -- Bruce Cable <bruce.cable@canonical.com> Fri, 20 Jun 2025 14:15:00 +1000
31+
32 tomcat10 (10.1.40-1) unstable; urgency=medium
33
34 * New upstream release
35diff --git a/debian/control b/debian/control
36index f6c40b6..e7d5506 100644
37--- a/debian/control
38+++ b/debian/control
39@@ -1,7 +1,8 @@
40 Source: tomcat10
41 Section: java
42 Priority: optional
43-Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
44+Maintainer: Ubuntu Developers <ubuntu-devel-discuss@lists.ubuntu.com>
45+XSBC-Original-Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
46 Uploaders:
47 tony mancill <tmancill@debian.org>,
48 Emmanuel Bourg <ebourg@apache.org>,
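Review bot: The Maintainer / XSBC-Original-Maintainer swap is the normal update-maintainer result and is correct only for as long as a real Ubuntu delta exists; if the CVE patch turns out to be already upstream and the package is synced instead, this change must be dropped too, since a sync carries no debian/control modification.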
49diff --git a/debian/patches/CVE-2025-46701.patch b/debian/patches/CVE-2025-46701.patch
50new file mode 100644
51index 0000000..beb59cc
52--- /dev/null
53+++ b/debian/patches/CVE-2025-46701.patch
54@@ -0,0 +1,26 @@
55+From 2c6800111e7d8d8d5403c07978ea9bff3db5a5a5 Mon Sep 17 00:00:00 2001
56+From: Mark Thomas <markt@apache.org>
57+Date: Mon, 28 Apr 2025 12:58:21 +0100
58+Subject: [PATCH] Refactor CGI servlet to access resources via WebResources
59+
60+---
61+ .../apache/catalina/servlets/CGIServlet.java | 233 +++++++-----------
62+ .../catalina/servlets/LocalStrings.properties | 1 -
63+ .../servlets/LocalStrings_fr.properties | 1 -
64+ .../servlets/LocalStrings_ja.properties | 1 -
65+ .../servlets/LocalStrings_ko.properties | 1 -
66+ .../servlets/LocalStrings_zh_CN.properties | 1 -
67+ webapps/docs/changelog.xml | 4 +
68+ 7 files changed, 97 insertions(+), 145 deletions(-)
69+
70+--- a/java/org/apache/catalina/servlets/CGIServlet.java
71++++ b/java/org/apache/catalina/servlets/CGIServlet.java
72+@@ -24,6 +24,8 @@
73+ import java.io.InputStreamReader;
74+ import java.io.OutputStream;
75+ import java.io.UnsupportedEncodingException;
76++import java.net.MalformedURLException;
77++import java.net.URL;
78+ import java.net.URLDecoder;
79+ import java.nio.file.Files;
80+ import java.util.ArrayList;
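Review bot: The patch file as committed is incomplete. Its own stat block says the upstream commit touches 7 files with 97 insertions and 145 deletions, including a 233-line change to CGIServlet.java, yet the file stops after the first hunk that adds two java.net imports (the whole new file is 26 lines, per the @@ -0,0 +1,26 @@ header). Applied as-is it would add two unused imports and none of the WebResources refactoring that actually addresses CVE-2025-46701, while the changelog still claims the fix. One way this happens is a quilt refresh silently dropping hunks that no longer applied, which fits the "refreshed patch" commit; either re-export the complete upstream commit 2c6800111e7d8d8d5403c07978ea9bff3db5a5a5 and verify it applies with all hunks, or, if 10.1.46 already contains it, drop the patch and its series entry altogether. When the patch is kept, an Origin: and Bug: header in DEP-3 style would also make its provenance clear.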
81diff --git a/debian/patches/series b/debian/patches/series
82index e9a79e2..780f2de 100644
83--- a/debian/patches/series
84+++ b/debian/patches/series
85@@ -13,3 +13,4 @@
86 exclude-TestJNDIRealmIntegration.patch
87 disable-jacoco.patch
88 0030-eclipse-jdt-classpath.patch
89+CVE-2025-46701.patch
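Review bot: Appending the entry at the end of series is the right position, but it only makes sense alongside a complete patch; if CVE-2025-46701.patch stays truncated or is dropped in favour of a sync, this line has to go with it.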
