lp:ubuntu/jaunty-security/tomcat6

Created by James Westby on 2009-12-05 and last modified on 2010-08-19
Get this branch:
bzr branch lp:ubuntu/jaunty-security/tomcat6
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

12. By Marc Deslauriers on 2010-08-19

* SECURITY UPDATE: denial of service and possible information disclosure
  via crafted header
  - debian/patches/CVE-2010-2227.patch: fix filter logic in
    java/org/apache/coyote/http11/{Http11AprProcessor,Http11NioProcessor,
    Http11Processor,filters/BufferedInputFilter}.java.
  - CVE-2010-2227

11. By Marc Deslauriers on 2010-02-11

* SECURITY UPDATE: arbitrary file creation or overwrite from directory
  traversal via a .. entry in a WAR file.
  - CVE-2009-2693
* SECURITY UPDATE: authentication bypass via autodeployment process
  - CVE-2009-2901
* SECURITY UPDATE: work-directory file deletion via directory traversal
  sequences in a WAR filename.
  - CVE-2009-2902
  - debian/patches/security_CVE-2009-2693_2901_2902.patch: validate file
    names and paths in java/org/apache/catalina/loader/
    {LocalStrings.properties,WebappClassLoader.java},
    java/org/apache/catalina/startup/{ContextConfig.java,ExpandWar.java,
    HostConfig.java,LocalStrings.properties}

10. By Marc Deslauriers on 2009-06-10

* SECURITY UPDATE: security bypass via specially crafted request
  - debian/patches/security-CVE-2008-5515.patch: use only a single
    normalise implementation in:
    java/org/apache/catalina/connector/Request.java,
    java/org/apache/catalina/core/{ApplicationContext,ApplicationHttpRequest}.java,
    java/org/apache/catalina/servlets/WebdavServlet.java,
    java/org/apache/catalina/ssi/{SSIServletExternalResolver,SSIServletRequestUtil}.java,
    java/org/apache/catalina/util/RequestUtil.java,
    java/org/apache/naming/resources/FileDirContext.java
  - CVE-2008-5515
* SECURITY UPDATE: denial of service via request with invalid headers
  - debian/patches/security-CVE-2009-0033.patch: make sure we return
    400 to the browser in
    java/org/apache/jk/common/{ChannelNioSocket,ChannelSocket,HandlerRequest}.java
  - CVE-2009-0033
* SECURITY UPDATE: valid username enumeration via improper error checking
  - debian/patches/security-CVE-2009-0580.patch: make sure we have valid
    credentials in java/org/apache/catalina/realm/{DataSourceRealm,JDBCRealm,MemoryRealm}.java
  - CVE-2009-0580
* SECURITY UPDATE: cross-site scripting in calendar example application
  (LP: #341278)
  - debian/patches/security-CVE-2009-0781.patch: properly quote value in
    webapps/examples/jsp/cal/cal2.jsp
  - CVE-2009-0781
* SECURITY UPDATE: information disclosure via XML parser replacement
  - debian/patches/security-CVE-2009-0783.patch: create digesters and
    parsers earlier and don't use xml-parser from web-app in
    java/org/apache/catalina/core/StandardContext.java,
    java/org/apache/catalina/startup/{LocalStrings.properties,TldConfig.java}
  - CVE-2009-0783

9. By Thierry Carrez on 2009-02-23

* Added debian/patches/tcnative-ipv6-fix-43327.patch to fix incompatibility
  between libtcnative-1 and ipv6 (fixes LP: #287645)
* No longer create confusing /var/lib/tomcat6/lib or lib subdirectory in
  private instances, since they are ignored (LP: #324212)

8. By Mathias Gug on 2009-01-07

[ Thierry Carrez ]
* Removed tomcat6-[admin,docs,examples].post[inst,rm] and let Tomcat webapp
  autodeployment features handle application load/unload (LP: #302914)
* tomcat6-instance-create, tomcat6-instance-create.1, control:
  Allow to change the HTTP port, control port and shutdown word on the
  tomcat6-instance-create command line (LP: #300691).

[ Mathias Gug]
* debian/tomcat6-instance-create: move directoryname from an option to
  an argument.
* debian/tomcat6-instance-create.1: some updates to the man page.
* debian/control: update maintainer field to Ubuntu Core Developers now that
  tomcat6 is in main.

7. By Thierry Carrez on 2008-11-27

* tomcat6.init, tomcat6.postinst, tomcat6.dirs, tomcat6.default,
  README.debian: Use /tmp/tomcat6-temp instead of /var/lib/tomcat6/temp as
  the JVM temporary directory and clean it at each restart (LP: #287452)
* policy/04webapps.policy: add rules to allow usage of java.io.tmpdir
* tomcat6.init, rules: Do not use TearDown, as this results in
  LifecycleListener callbacks in webapps being bypassed (LP: #299436)
* rules: Compile at Java 1.5 level to allow usage of Java 5 JREs
  (LP: #286427)
* control, rules, libservlet2.5-java-doc.install,
  libservlet2.5-java-doc.links: New libservlet2.5-java-doc package ships
  missing Servlet/JSP API documentation (LP: #279645)
* patches/use-commons-dbcp.patch: Change default DBCP factory class
  to org.apache.commons.dbcp.BasicDataSourceFactory (LP: #283852)
* tomcat6.dirs, tomcat6.postinst, default_root/index.html: Create
  Catalina/localhost in /etc/tomcat6 and make it writeable by the tomcat6
  group, so that autodeploy and admin webapps work as expected (LP: #294277)
* patches/disable-apr-loading.patch: Disable APR library loading until we
  properly provide it.
* patches/disable-ajp-connector: Do not load AJP13 connector by default
  (LP: #300697)
* rules: minor fixes to prevent build being called twice.

6. By Thierry Carrez on 2008-10-23

* debian/tomcat6.postinst:
  - Make /var/lib/tomcat6/temp writeable by the tomcat6 user (LP: #287126)
  - Make /var/lib/tomcat6/webapps writeable by tomcat6 group (LP: #287447)
* debian/tomcat6.init: make status return nonzero if tomcat6 is not running
  (fixes LP: #288218)

5. By Thierry Carrez on 2008-10-06

debian/rules: call dh_installinit with --error-handler so that install
doesn't fail if Tomcat cannot be started during configure (LP: #274365)

4. By Thierry Carrez on 2008-08-22

* New upstream version (LP: #260016)
  - Fixes CVE-2008-2938: Directory traversal vulnerability (LP: #256802)
  - Fixes CVE-2008-2370: Information disclosure vulnerability (LP: #256922)
  - Fixes CVE-2008-1232: XSS through sendError vulnerability (LP: #256926)
* Dropped CVE-2008-1947.patch (fix is shipped in this upstream release)
* control: Improve short descriptions for the binary packages
* copyright: Added link to /usr/share/common-licenses/Apache-2.0
* control: To pull the right JRE, libtomcat6-java now depends on
  default-jre-headless | java6-runtime-headless

3. By Thierry Carrez on 2008-08-08

* Adding full Tomcat 6 server stack support (LP: #256052)
  - tomcat6 handles the system instance (/var/lib/tomcat6)
  - tomcat6-user allows users to create their own private instances
  - tomcat6-common installs common files in /usr/share/tomcat6
  - libtomcat6-java installs Tomcat 6 java libs in /usr/share/java
  - tomcat6-docs installs the documentation webapp
  - tomcat6-examples installs the examples webapp
  - tomcat6-admin installs the manager and host-manager webapps
* Other key differences with the tomcat5.5 packages:
  - default-jdk build support
  - OpenJDK-6 JRE runtime support
  - tomcat6 installs a minimal ROOT webapp
  - new webapp locations follow Debian webapp policy
  - webapps restart tomcat6 in postrm rather than in prerm
  - added a doc-base entry
  - use standard upstream server.xml
  - initscript: try to check if Tomcat is really running before returning OK
  - removed transitional configuration migration code
  - autogenerate policy in /var/cache/tomcat6 rather than /etc/tomcat6
  - logging.properties is customized to remove -webapps-related lines
  - initscript: implement TearDown spec
* CVE-2008-1947 fix (cross-site-scripting issue in host-manager webapp)

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/lucid/tomcat6
This branch contains Public information 
Everyone can see this information.

Subscribers