lp:ubuntu/karmic-security/tomcat6

Created by James Westby on 2010-02-11 and last modified on 2011-03-29
Get this branch:
bzr branch lp:ubuntu/karmic-security/tomcat6

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

17. By Marc Deslauriers on 2011-03-24

* SECURITY UPDATE: directory traversal via incorrect ServletContext
  attribute (LP: #717396)
  - debian/patches/0012-CVE-2010-3718.patch: mark as read only in
    java/org/apache/catalina/core/StandardContext.java.
  - CVE-2010-3718
* SECURITY UPDATE: cross-site scripting in HTML Manager interface
  - debian/patches/0013-CVE-2011-0013.patch: properly filter values in
    java/org/apache/catalina/manager/{HTMLManagerServlet.java,
    StatusTransformer.java}.
  - CVE-2011-0013
* SECURITY UPDATE: denial of service via NIOS HTTP connector
  (LP: #714239, LP: #717396)
  - debian/patches/0014-CVE-2011-0534.patch: enforce proper size in
    java/org/apache/coyote/http11/InternalNioInputBuffer.java.
  - CVE-2011-0534

16. By Marc Deslauriers on 2011-01-13

* SECURITY UPDATE: cross-site scripting in Manager application
  - debian/patches/0011-CVE-2010-4172.patch: add proper escaping to
    java/org/apache/catalina/manager/JspHelper.java,
    webapps/manager/{sessionDetail,sessionsList}.jsp.
  - patch backported from Debian 6.0.28-9 package
  - CVE-2010-4172

15. By Marc Deslauriers on 2010-08-19

* SECURITY UPDATE: denial of service and possible information disclosure
  via crafted header
  - debian/patches/CVE-2010-2227.patch: fix filter logic in
    java/org/apache/coyote/http11/{Http11AprProcessor,Http11NioProcessor,
    Http11Processor,filters/BufferedInputFilter}.java.
  - CVE-2010-2227

14. By Marc Deslauriers on 2010-02-10

* SECURITY UPDATE: arbitrary file creation or overwrite from directory
  traversal via a .. entry in a WAR file.
  - CVE-2009-2693
* SECURITY UPDATE: authentication bypass via autodeployment process
  - CVE-2009-2901
* SECURITY UPDATE: work-directory file deletion via directory traversal
  sequences in a WAR filename.
  - CVE-2009-2902
  - debian/patches/security_CVE-2009-2693_2901_2902.patch: validate file
    names and paths in java/org/apache/catalina/loader/
    {LocalStrings.properties,WebappClassLoader.java},
    java/org/apache/catalina/startup/{ContextConfig.java,ExpandWar.java,
    HostConfig.java,LocalStrings.properties}

13. By Matthias Klose on 2009-10-25

* Add maven POMs for libservlet2.5-java. LP: #454822.
* debian/policy/02debian.policy: grant access to
  /usr/share/maven-repo/ as it is a valid source of Debian JARs.

12. By Iulian Udrea on 2009-06-23

* Merge from debian unstable (LP: #391018); remaining changes:
  - debian/control, debian/rules: Use default-jdk to build
  - debian/control: Run using default-jre-headless by default

11. By Mathias Gug on 2009-06-09

[ Iulian Udrea ]
* Merge from debian unstable (LP: #385262), remaining changes:
  - debian/control, debian/rules: Use default-jdk to build
  - debian/control: Run using default-jre-headless by default

10. By Thierry Carrez on 2009-05-04

* Merge from debian unstable (LP: #371728), remaining changes:
  - debian/control, debian/rules: Use default-jdk to build
  - debian/control: Run using default-jre-headless by default
  - debian/patches/tcnative-ipv6-fix-43327.patch to fix incompatibility
    between libtcnative-1 and ipv6

9. By Thierry Carrez on 2009-02-23

* Added debian/patches/tcnative-ipv6-fix-43327.patch to fix incompatibility
  between libtcnative-1 and ipv6 (fixes LP: #287645)
* No longer create confusing /var/lib/tomcat6/lib or lib subdirectory in
  private instances, since they are ignored (LP: #324212)

8. By Mathias Gug on 2009-01-07

[ Thierry Carrez ]
* Removed tomcat6-[admin,docs,examples].post[inst,rm] and let Tomcat webapp
  autodeployment features handle application load/unload (LP: #302914)
* tomcat6-instance-create, tomcat6-instance-create.1, control:
  Allow to change the HTTP port, control port and shutdown word on the
  tomcat6-instance-create command line (LP: #300691).

[ Mathias Gug ]
* debian/tomcat6-instance-create: move directoryname from an option to
  an argument.
* debian/tomcat6-instance-create.1: some updates to the man page.
* debian/control: update maintainer field to Ubuntu Core Developers now that
  tomcat6 is in main.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/lucid/tomcat6
This branch contains Public information 
Everyone can see this information.
