lp:ubuntu/lucid-proposed/tomcat6

Created by James Westby and last modified
Get this branch:
bzr branch lp:ubuntu/lucid-proposed/tomcat6
Members of Ubuntu branches can upload to this branch.

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

24. By Marc Deslauriers

* SECURITY UPDATE: denial of service via hash collision and incorrect
  handling of large numbers of parameters and parameter values
  (LP: #909828)
  - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
    code in conf/web.xml,
    java/org/apache/catalina/connector/Connector.java,
    java/org/apache/catalina/connector/mbeans-descriptors.xml,
    java/org/apache/catalina/connector/Request.java,
    java/org/apache/catalina/filters/FailedRequestFilter.java,
    java/org/apache/catalina/Globals.java,
    java/org/apache/coyote/Request.java,
    java/org/apache/tomcat/util/buf/B2CConverter.java,
    java/org/apache/tomcat/util/buf/ByteChunk.java,
    java/org/apache/tomcat/util/buf/MessageBytes.java,
    java/org/apache/tomcat/util/buf/StringCache.java,
    java/org/apache/tomcat/util/http/LocalStrings.properties,
    java/org/apache/tomcat/util/http/Parameters.java,
    webapps/docs/config/ajp.xml,
    webapps/docs/config/http.xml.
  - CVE-2011-4858
  - CVE-2012-0022

23. By Marc Deslauriers

* SECURITY UPDATE: information disclosure via log file
  - debian/patches/0015-CVE-2011-2204.patch: fix logging in
    java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
    java/org/apache/catalina/users/MemoryUserDatabase.java,
    java/org/apache/catalina/users/MemoryUser.java.
  - CVE-2011-2204
* SECURITY UPDATE: file restriction bypass or denial of service via
  untrusted web application.
  - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
    java/org/apache/catalina/connector/LocalStrings.properties,
    java/org/apache/catalina/connector/Request.java,
    java/org/apache/catalina/servlets/DefaultServlet.java,
    java/org/apache/coyote/http11/Http11AprProcessor.java,
    java/org/apache/coyote/http11/LocalStrings.properties,
    java/org/apache/tomcat/util/net/AprEndpoint.java,
    java/org/apache/tomcat/util/net/NioEndpoint.java.
  - CVE-2011-2526
* SECURITY UPDATE: AJP request spoofing and authentication bypass
  (LP: #843701)
  - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
    bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
    java/org/apache/coyote/ajp/AjpProcessor.java.
  - CVE-2011-3190
* SECURITY UPDATE: HTTP DIGEST authentication weaknesses
  - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
    java/org/apache/catalina/authenticator/DigestAuthenticator.java,
    java/org/apache/catalina/authenticator/LocalStrings.properties,
    java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
    java/org/apache/catalina/realm/RealmBase.java,
    webapps/docs/config/valve.xml.
  - CVE-2011-1184

22. By Marc Deslauriers

* SECURITY UPDATE: directory traversal via incorrect ServletContext
  attribute (LP: #717396)
  - debian/patches/0012-CVE-2010-3718.patch: mark as read only in
    java/org/apache/catalina/core/StandardContext.java.
  - CVE-2010-3718
* SECURITY UPDATE: cross-site scripting in HTML Manager interface
  - debian/patches/0013-CVE-2011-0013.patch: properly filter values in
    java/org/apache/catalina/manager/{HTMLManagerServlet.java,
    StatusTransformer.java}.
  - CVE-2011-0013
* SECURITY UPDATE: denial of service via NIO HTTP connector
  (LP: #714239, LP: #717396)
  - debian/patches/0014-CVE-2011-0534.patch: enforce proper size in
    java/org/apache/coyote/http11/InternalNioInputBuffer.java.
  - CVE-2011-0534

21. By Marc Deslauriers

* SECURITY UPDATE: cross-site scripting in Manager application
  - debian/patches/0011-CVE-2010-4172.patch: add proper escaping to
    java/org/apache/catalina/manager/JspHelper.java,
    webapps/manager/{sessionDetail,sessionsList}.jsp.
  - patch backported from Debian 6.0.28-9 package
  - CVE-2010-4172

20. By Marc Deslauriers

* SECURITY UPDATE: denial of service and possible information disclosure
  via crafted header
  - debian/patches/CVE-2010-2227.patch: fix filter logic in
    java/org/apache/coyote/http11/{Http11AprProcessor,Http11NioProcessor,
    Http11Processor,filters/BufferedInputFilter}.java.
  - CVE-2010-2227

19. By Thierry Carrez

[ Thierry Carrez ]
* Uploading what 6.0.24-5 should be (upload is blocked in Debian due to
  current infrastructure issues), in order to meet Beta2Freeze.

[ Niels Thykier ]
* Added optimised garbage collection options to tomcat6's default options.
  Thanks to Aaron J. Zirbes and Thierry Carrez for research and the patch.
  (Closes: LP: #541520)
* Updated the changelog to mention closed CVEs in the 6.0.24-1 release.
* Applied patch from Arto Jantunen fixing an issue with cleaning up the
  pid-file. (Closes: #574084)

[ Ludovic Claude ]
* debian/tomcat6.postrm: fix removal of Tomcat (Closes: #567548)
* Set UTF-8 as default character encoding - Patch by Thomas Koch
  (Closes: #573539)
* Set the major, minor and build versions when calling Ant
  (Closes: LP: #495505)
* Rebuild with a more recent version of maven-repo-helper which puts
  the javax jars at the correct location in the Maven repository.
  Fixes several FTBFS in other packages.

18. By Ludovic Claude

* Fix missing symlinks to tomcat-coyote.jar and
  catalina-tribes.jar causing NoClassDefFoundException
  at startup (last minute packaging change, sorry)
  (Closes: #570220)
* tomcat6-admin, tomcat6-examples and tomcat6-docs now depend on
  tomcat6-common instead of tomcat6; this allows users to install
  those packages without requiring tomcat6 and its automatic startup scripts
  to be present. tomcat6-user can be installed instead and allows full
  control over when Tomcat is started or stopped.

17. By Ludovic Claude

[ Ludovic Claude ]
* New upstream version
* Update the POM files for the new version of Tomcat
* Bump up Standards-Version to 3.8.4
* Refresh patches deploy-webapps-build-xml.patch and var_loaders.patch
* Remove patch fix_context_name.patch as it has been applied upstream
* Fix the installation of servlet-api-2.5.jar: the jar
  goes to /usr/share/java as in older versions (6.0.20-2)
  and links to the jar are added to /usr/share/maven-repo
* Moved NEWS.Debian into README.Debian
* Add a link from /usr/share/doc/tomcat6-common/README.Debian to
  /usr/share/doc/tomcat6/README.Debian to include a minimum of
  documentation in the tomcat6 package and add some useful notes.
  (Closes: #563937, #563939)
* Remove poms from the Debian packaging, use upstream pom files

[ Jason Brittain ]
* Fixed a bug in the init script: When a start fails, the PID file was
  being left in place. Now the init script makes sure it is deleted.
* Fixed a packaging bug that results in the ROOT webapp not being properly
  installed after an uninstall, then a reinstall.
* control: Corrected a couple of comments (no functional change).

16. By Torsten Werner

* Fix debian/orig-tar.sh to exclude binary only standard.jar and jstl.jar.
  (Closes: #528119)
* Upload a cleaned tarball.
* Add ${misc:Depends} in debian/control.

15. By Niels Thykier

* Fix spelling issues.
* Always set JSVC_CLASSPATH to a default value in init.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/maverick/tomcat6