~powersj/ubuntu/+source/tomcat7:fix-trusty-1666570

Last commit made on 2017-03-22
Get this branch:
git clone -b fix-trusty-1666570 https://git.launchpad.net/~powersj/ubuntu/+source/tomcat7
Only Joshua Powers can upload to this branch. If you are Joshua Powers please log in for upload directions.

Branch merges

Branch information

Name:
fix-trusty-1666570
Repository:
lp:~powersj/ubuntu/+source/tomcat7

Recent commits

9d02c69... by Joshua Powers on 2017-03-22

changelog

b4d415a... by Joshua Powers on 2017-03-22

Fix javax.servlet.jsp POM dependnecy

d133529... by Joshua Powers on 2017-03-09

Fix upgrade error when JAVA_OPTS contins '%'

704a303... by Marc Deslauriers on 2017-02-17

Import patches-unapplied version 7.0.52-1ubuntu0.10 to ubuntu/trusty-updates

Imported using usd-importer.

Publish parent: 1c08f8a1705ea7429c27a7ccddb06669bd4e5d7c
Changelog parent: b624f8ba1a943dca6a276ed5175b1fdd5d6ecf6e

b624f8b... by Marc Deslauriers on 2017-02-17

Import patches-unapplied version 7.0.52-1ubuntu0.10 to ubuntu/trusty-security

Imported using usd-importer.

Publish parent: e3a572680237e9183ff596b9330cab2a7b1450f7

New changelog entries:
  * SECURITY UPDATE: DoS via CPU consumption (LP: #1663318)
    - debian/patches/CVE-2017-6056.patch: fix infinite loop in
      java/org/apache/coyote/http11/AbstractInputBuffer.java.
    - CVE-2017-6056

1c08f8a... by Marc Deslauriers on 2017-02-01

Import patches-unapplied version 7.0.52-1ubuntu0.9 to ubuntu/trusty-updates

Imported using usd-importer.

Publish parent: a7072ad05a7cc67a6d5e4378983994f90aac3451
Changelog parent: e3a572680237e9183ff596b9330cab2a7b1450f7

e3a5726... by Marc Deslauriers on 2017-02-01

Import patches-unapplied version 7.0.52-1ubuntu0.9 to ubuntu/trusty-security

Imported using usd-importer.

Publish parent: 032f9aa9fab6df8de51ad58556290f6ef7ba624a

New changelog entries:
  * SECURITY REGRESSION: security manager startup issue (LP: #1659589)
    - debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch:
      update to new /var/lib/tomcat7/policy location.
    - debian/tomcat7.postrm.in: remove policy directory.

a7072ad... by Marc Deslauriers on 2017-01-19

Import patches-unapplied version 7.0.52-1ubuntu0.8 to ubuntu/trusty-updates

Imported using usd-importer.

Publish parent: 726b29a1624a444ba41e33889c46ecaa1398327a
Changelog parent: 032f9aa9fab6df8de51ad58556290f6ef7ba624a

032f9aa... by Marc Deslauriers on 2017-01-19

Import patches-unapplied version 7.0.52-1ubuntu0.8 to ubuntu/trusty-security

Imported using usd-importer.

Publish parent: 18dce8952058c469744c264f6af3f689d13845c9

New changelog entries:
  * SECURITY UPDATE: SecurityManager bypass via a utility method
    - debian/patches/CVE-2016-5018.patch: remove unnecessary code in
      java/org/apache/jasper/compiler/JspRuntimeContext.java,
      java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2016-5018
  * SECURITY UPDATE: mitigaton for httpoxy issue
    - debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization
      parameter to conf/web.xml, webapps/docs/cgi-howto.xml,
      java/org/apache/catalina/servlets/CGIServlet.java.
    - CVE-2016-5388
  * SECURITY UPDATE: system properties read SecurityManager bypass
    - debian/patches/CVE-2016-6794.patch: extend SecurityManager protection
      to the system property replacement feature of the digester in
      java/org/apache/catalina/loader/WebappClassLoader.java,
      java/org/apache/tomcat/util/digester/Digester.java,
      java/org/apache/tomcat/util/security/PermissionCheck.java.
    - CVE-2016-6794
  * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
    parameters
    - debian/patches/CVE-2016-6796.patch: ignore some JSP options when
      running under a SecurityManager in conf/web.xml,
      java/org/apache/jasper/EmbeddedServletOptions.java,
      java/org/apache/jasper/resources/LocalStrings.properties,
      java/org/apache/jasper/servlet/JspServlet.java,
      webapps/docs/jasper-howto.xml.
    - CVE-2016-6796
  * SECURITY UPDATE: web application global JNDI resource access
    - debian/patches/CVE-2016-6797.patch: ensure that the global resource
      is only visible via the ResourceLinkFactory when it is meant to be in
      java/org/apache/catalina/core/NamingContextListener.java,
      java/org/apache/naming/factory/ResourceLinkFactory.java,
      test/org/apache/naming/TestNamingContext.java.
    - CVE-2016-6797
  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid
      characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
      java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735-pre.patch: remove the restriction that
      prevented the use of SSL when specifying a bind address in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java,
      java/org/apache/catalina/mbeans/LocalStrings.properties,
      webapps/docs/config/listeners.xml.
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
      credential types in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when unable
      to complete sendfile request in
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat7.postinst: properly set permissions on
      /etc/tomcat7/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat7.postrm.in: don't reset permissions before removing
      user.
    - CVE-2016-9775
  * debian/tomcat7.init: further hardening.

726b29a... by Marc Deslauriers on 2016-09-16

Import patches-unapplied version 7.0.52-1ubuntu0.7 to ubuntu/trusty-updates

Imported using usd-importer.

Publish parent: 9e07ab7942e699a86c542282a60b9bae40f82c0c
Changelog parent: 18dce8952058c469744c264f6af3f689d13845c9