lp:ubuntu/lucid-proposed/tomcat6

Created by James Westby on 2010-06-04 and last modified on 2012-01-25
Get this branch:
bzr branch lp:ubuntu/lucid-proposed/tomcat6
Members of Ubuntu branches can upload to this branch. Log in for directions.

Branch merges

Related bugs

Related blueprints

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

24. By Marc Deslauriers on 2012-01-25

* SECURITY UPDATE: denial of service via hash collision and incorrect
  handling of large numbers of parameters and parameter values
  (LP: #909828)
  - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
    code in conf/web.xml,
    java/org/apache/catalina/connector/Connector.java,
    java/org/apache/catalina/connector/mbeans-descriptors.xml,
    java/org/apache/catalina/connector/Request.java,
    java/org/apache/catalina/filters/FailedRequestFilter.java,
    java/org/apache/catalina/Globals.java,
    java/org/apache/coyote/Request.java,
    java/org/apache/tomcat/util/buf/B2CConverter.java,
    java/org/apache/tomcat/util/buf/ByteChunk.java,
    java/org/apache/tomcat/util/buf/MessageBytes.java,
    java/org/apache/tomcat/util/buf/StringCache.java,
    java/org/apache/tomcat/util/http/LocalStrings.properties,
    java/org/apache/tomcat/util/http/Parameters.java,
    webapps/docs/config/ajp.xml,
    webapps/docs/config/http.xml.
  - CVE-2011-4858
  - CVE-2012-0022

23. By Marc Deslauriers on 2011-09-26

* SECURITY UPDATE: information disclosure via log file
  - debian/patches/0015-CVE-2011-2204.patch: fix logging in
    java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
    java/org/apache/catalina/users/MemoryUserDatabase.java,
    java/org/apache/catalina/users/MemoryUser.java.
  - CVE-2011-2204
* SECURITY UPDATE: file restriction bypass or denial of service via
  untrusted web application.
  - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
    java/org/apache/catalina/connector/LocalStrings.properties,
    java/org/apache/catalina/connector/Request.java,
    java/org/apache/catalina/servlets/DefaultServlet.java,
    java/org/apache/coyote/http11/Http11AprProcessor.java,
    java/org/apache/coyote/http11/LocalStrings.properties,
    java/org/apache/tomcat/util/net/AprEndpoint.java,
    java/org/apache/tomcat/util/net/NioEndpoint.java.
  - CVE-2011-2526
* SECURITY UPDATE: AJP request spoofing and authentication bypass
  (LP: #843701)
  - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
    bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
    java/org/apache/coyote/ajp/AjpProcessor.java.
  - CVE-2011-3190
* SECURITY UPDATE: HTTP DIGEST authentication weaknesses
  - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
    java/org/apache/catalina/authenticator/DigestAuthenticator.java,
    java/org/apache/catalina/authenticator/LocalStrings.properties,
    java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
    java/org/apache/catalina/realm/RealmBase.java,
    webapps/docs/config/valve.xml.
  - CVE-2011-1184

22. By Marc Deslauriers on 2011-03-24

* SECURITY UPDATE: directory traversal via incorrect ServetContext
  attribute (LP: #717396)
  - debian/patches/0012-CVE-2010-3718.patch: mark as read only in
    java/org/apache/catalina/core/StandardContext.java.
  - CVE-2010-3718
* SECURITY UPDATE: cross-site scripting in HTML Manager interface
  - debian/patches/0013-CVE-2011-0013.patch: properly filter values in
    java/org/apache/catalina/manager/{HTMLManagerServlet.java,
    StatusTransformer.java}.
  - CVE-2011-0013
* SECURITY UPDATE: denial of service via NIOS HTTP connector
  (LP: #714239, LP: #717396)
  - debian/patches/0014-CVE-2011-0534.patch: enforce proper size in
    java/org/apache/coyote/http11/InternalNioInputBuffer.java.
  - CVE-2011-0534

21. By Marc Deslauriers on 2011-01-13

* SECURITY UPDATE: cross-site scripting in Manager application
  - debian/patches/0011-CVE-2010-4172.patch: add proper escaping to
    java/org/apache/catalina/manager/JspHelper.java,
    webapps/manager/{sessionDetail,sessionsList}.jsp.
  - patch backported from Debian 6.0.28-9 package
  - CVE-2010-4172

20. By Marc Deslauriers on 2010-08-19

* SECURITY UPDATE: denial of service and possible information disclosure
  via crafted header
  - debian/patches/CVE-2010-2227.patch: fix filter logic in
    java/org/apache/coyote/http11/{Http11AprProcessor,Http11NioProcessor,
    Http11Processor,filters/BufferedInputFilter}.java.
  - CVE-2010-2227

19. By Thierry Carrez on 2010-03-31

[ Thierry Carrez ]
* Uploading what 6.0.24-5 should be (upload is blocked in Debian due to
  current infrastructure issues), in order to meet Beta2Freeze.

[ Niels Thykier ]
* Added optimised garbage collection options to tomcat6's default options.
  Thanks to Aaron J. Zirbes and Thierry Carrez for research and the patch.
  (Closes: LP: #541520)
* Updated the changelog to mention closed CVE's in the 6.0.24-1 release.
* Applied patch from Arto Jantunen fixing an issue with cleaning up the
  pid-file. (Closes: #574084)

[ Ludovic Claude ]
* debian/tomcat6.postrm: fix removal of Tomcat (Closes: #567548)
* Set UTF-8 as default character encoding - Patch by Thomas Koch
  (Closes: #573539)
* Set the major, minor and build versions when calling Ant
  (Closes: LP: #495505)
* Rebuild with a more recent version of maven-repo-helper which puts
  the javax jars at the correct location in the Maven repository.
  Fixes several FTBFS in other packages.

18. By Ludovic Claude on 2010-02-17

* Fix missing symlinks to tomcat-coyote.jar and
  catalina-tribes.jar causing NoClassDefFoundException
  at startup (last minute packaging change, sorry)
  (Closes: #570220)
* tomcat6-admin, tomcat6-examples and tomcat6-docs now depend on
  tomcat6-common instead of tomcat6, this allow users to install
  those packages without requiring tomcat6 and its automatic startup scripts
  being present. tomcat-users can be installed instead and allow full
  control over when Tomcat is started or stopped.

17. By Ludovic Claude on 2010-02-09

[ Ludovic Claude ]
* New upstream version
* Update the POM files for the new version of Tomcat
* Bump up Standards-Version to 3.8.4
* Refresh patches deploy-webapps-build-xml.patch and var_loaders.patch
* Remove patch fix_context_name.patch as it has been applied upstream
* Fix the installation of servlet-api-2.5.jar: the jar
  goes to /usr/share/java as in older versions (6.0.20-2)
  and links to the jar are added to /usr/share/maven-repo
* Moved NEWS.Debian into README.Debian
* Add a link from /usr/share/doc/tomcat6-common/README.Debian to
  /usr/share/doc/tomcat6/README.Debian to include a minimum of
  documentation in the tomcat6 package and add some useful notes.
  (Closes: #563937, #563939)
* Remove poms from the Debian packaging, use upstream pom files

[ Jason Brittain ]
* Fixed a bug in the init script: When a start fails, the PID file was
  being left in place. Now the init script makes sure it is deleted.
* Fixed a packaging bug that results in the ROOT webapp not being properly
  installed after an uninstall, then a reinstall.
* control: Corrected a couple of comments (no functional change).

16. By Torsten Werner on 2010-01-23

* Fix debian/orig-tar.sh to exclude binary only standard.jar and jstl.jar.
  (Closes: #528119)
* Upload a cleaned tarball.
* Add ${misc:Depends} in debian/control.

15. By Niels Thykier on 2009-12-19

* Fix spelling issues.
* Always set JSVC_CLASSPATH to a default value in init.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/maverick/tomcat6
This branch contains Public information 
Everyone can see this information.

Subscribers