lp:ubuntu/lucid-proposed/tomcat6
- Get this branch:
- bzr branch lp:ubuntu/lucid-proposed/tomcat6
Recent revisions
- 24. By Marc Deslauriers
  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022

- 23. By Marc Deslauriers
  * SECURITY UPDATE: information disclosure via log file
    - debian/patches/0015-CVE-2011-2204.patch: fix logging in
      java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
      java/org/apache/catalina/users/MemoryUserDatabase.java,
      java/org/apache/catalina/users/MemoryUser.java.
    - CVE-2011-2204
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
  * SECURITY UPDATE: AJP request spoofing and authentication bypass
    (LP: #843701)
    - debian/patches/0017-CVE-2011-3190.patch: properly handle request
      bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java.
    - CVE-2011-3190
  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184

- 22. By Marc Deslauriers
  * SECURITY UPDATE: directory traversal via incorrect ServletContext
    attribute (LP: #717396)
    - debian/patches/0012-CVE-2010-3718.patch: mark as read only in
      java/org/apache/catalina/core/StandardContext.java.
    - CVE-2010-3718
  * SECURITY UPDATE: cross-site scripting in HTML Manager interface
    - debian/patches/0013-CVE-2011-0013.patch: properly filter values in
      java/org/apache/catalina/manager/{HTMLManagerServlet.java,
      StatusTransformer.java}.
    - CVE-2011-0013
  * SECURITY UPDATE: denial of service via NIO HTTP connector
    (LP: #714239, LP: #717396)
    - debian/patches/0014-CVE-2011-0534.patch: enforce proper size in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2011-0534

- 21. By Marc Deslauriers
  * SECURITY UPDATE: cross-site scripting in Manager application
    - debian/patches/0011-CVE-2010-4172.patch: add proper escaping to
      java/org/apache/catalina/manager/JspHelper.java,
      webapps/manager/{sessionDetail,sessionsList}.jsp.
    - patch backported from Debian 6.0.28-9 package
    - CVE-2010-4172

- 20. By Marc Deslauriers
  * SECURITY UPDATE: denial of service and possible information disclosure
    via crafted header
    - debian/patches/CVE-2010-2227.patch: fix filter logic in
      java/org/apache/coyote/http11/{Http11AprProcessor,Http11NioProcessor,
      Http11Processor,filters/BufferedInputFilter}.java.
    - CVE-2010-2227

- 19. By Thierry Carrez
  [ Thierry Carrez ]
  * Uploading what 6.0.24-5 should be (upload is blocked in Debian due to
    current infrastructure issues), in order to meet Beta2Freeze.

  [ Niels Thykier ]
  * Added optimised garbage collection options to tomcat6's default options.
    Thanks to Aaron J. Zirbes and Thierry Carrez for research and the patch.
    (Closes: LP: #541520)
  * Updated the changelog to mention closed CVEs in the 6.0.24-1 release.
  * Applied patch from Arto Jantunen fixing an issue with cleaning up the
    pid-file. (Closes: #574084)

  [ Ludovic Claude ]
  * debian/tomcat6.postrm: fix removal of Tomcat (Closes: #567548)
  * Set UTF-8 as default character encoding - Patch by Thomas Koch
    (Closes: #573539)
  * Set the major, minor and build versions when calling Ant
    (Closes: LP: #495505)
  * Rebuild with a more recent version of maven-repo-helper which puts
    the javax jars at the correct location in the Maven repository.
    Fixes several FTBFS in other packages.

- 18. By Ludovic Claude
  * Fix missing symlinks to tomcat-coyote.jar and
    catalina-tribes.jar causing NoClassDefFoundException
    at startup (last minute packaging change, sorry)
    (Closes: #570220)
  * tomcat6-admin, tomcat6-examples and tomcat6-docs now depend on
    tomcat6-common instead of tomcat6; this allows users to install
    those packages without requiring tomcat6 and its automatic startup scripts
    being present. tomcat-users can be installed instead and allows full
    control over when Tomcat is started or stopped.

- 17. By Ludovic Claude
  [ Ludovic Claude ]
  * New upstream version
  * Update the POM files for the new version of Tomcat
  * Bump up Standards-Version to 3.8.4
  * Refresh patches deploy-webapps-build-xml.patch and var_loaders.patch
  * Remove patch fix_context_name.patch as it has been applied upstream
  * Fix the installation of servlet-api-2.5.jar: the jar
    goes to /usr/share/java as in older versions (6.0.20-2)
    and links to the jar are added to /usr/share/maven-repo
  * Moved NEWS.Debian into README.Debian
  * Add a link from /usr/share/doc/tomcat6-common/README.Debian to
    /usr/share/doc/tomcat6/README.Debian to include a minimum of
    documentation in the tomcat6 package and add some useful notes.
    (Closes: #563937, #563939)
  * Remove poms from the Debian packaging, use upstream pom files

  [ Jason Brittain ]
  * Fixed a bug in the init script: When a start fails, the PID file was
    being left in place. Now the init script makes sure it is deleted.
  * Fixed a packaging bug that results in the ROOT webapp not being properly
    installed after an uninstall, then a reinstall.
  * control: Corrected a couple of comments (no functional change).

- 16. By Torsten Werner
  * Fix debian/orig-tar.sh to exclude binary only standard.jar and jstl.jar.
    (Closes: #528119)
  * Upload a cleaned tarball.
  * Add ${misc:Depends} in debian/control.

Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/maverick/tomcat6