lp:ubuntu/maverick-security/tomcat6

Created by James Westby on 2011-01-24 and last modified on 2012-05-04
Get this branch:
bzr branch lp:ubuntu/maverick-security/tomcat6
Members of Ubuntu branches can upload to this branch.

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

28. By Marc Deslauriers on 2012-01-25

* SECURITY UPDATE: denial of service via hash collision and incorrect
  handling of large numbers of parameters and parameter values
  (LP: #909828)
  - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
    code in conf/web.xml,
    java/org/apache/catalina/connector/Connector.java,
    java/org/apache/catalina/connector/mbeans-descriptors.xml,
    java/org/apache/catalina/connector/Request.java,
    java/org/apache/catalina/filters/FailedRequestFilter.java,
    java/org/apache/catalina/Globals.java,
    java/org/apache/coyote/Request.java,
    java/org/apache/tomcat/util/buf/B2CConverter.java,
    java/org/apache/tomcat/util/buf/ByteChunk.java,
    java/org/apache/tomcat/util/buf/MessageBytes.java,
    java/org/apache/tomcat/util/buf/StringCache.java,
    java/org/apache/tomcat/util/http/LocalStrings.properties,
    java/org/apache/tomcat/util/http/Parameters.java,
    webapps/docs/config/ajp.xml,
    webapps/docs/config/http.xml.
  - CVE-2011-4858
  - CVE-2012-0022

27. By Marc Deslauriers on 2011-09-26

* SECURITY UPDATE: information disclosure via log file
  - debian/patches/0015-CVE-2011-2204.patch: fix logging in
    java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
    java/org/apache/catalina/users/MemoryUserDatabase.java,
    java/org/apache/catalina/users/MemoryUser.java.
  - CVE-2011-2204
* SECURITY UPDATE: file restriction bypass or denial of service via
  untrusted web application.
  - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
    java/org/apache/catalina/connector/LocalStrings.properties,
    java/org/apache/catalina/connector/Request.java,
    java/org/apache/catalina/servlets/DefaultServlet.java,
    java/org/apache/coyote/http11/Http11AprProcessor.java,
    java/org/apache/coyote/http11/LocalStrings.properties,
    java/org/apache/tomcat/util/net/AprEndpoint.java,
    java/org/apache/tomcat/util/net/NioEndpoint.java.
  - CVE-2011-2526
* SECURITY UPDATE: AJP request spoofing and authentication bypass
  (LP: #843701)
  - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
    bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
    java/org/apache/coyote/ajp/AjpProcessor.java.
  - CVE-2011-3190
* SECURITY UPDATE: HTTP DIGEST authentication weaknesses
  - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
    java/org/apache/catalina/authenticator/DigestAuthenticator.java,
    java/org/apache/catalina/authenticator/LocalStrings.properties,
    java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
    java/org/apache/catalina/realm/RealmBase.java,
    webapps/docs/config/valve.xml.
  - CVE-2011-1184
* This package does _not_ contain the changes that were in
  6.0.28-2ubuntu1.3 in -proposed.

26. By Marc Deslauriers on 2011-03-24

* SECURITY UPDATE: directory traversal via incorrect ServletContext
  attribute (LP: #717396)
  - debian/patches/0012-CVE-2010-3718.patch: mark as read only in
    java/org/apache/catalina/core/StandardContext.java.
  - CVE-2010-3718
* SECURITY UPDATE: cross-site scripting in HTML Manager interface
  - debian/patches/0013-CVE-2011-0013.patch: properly filter values in
    java/org/apache/catalina/manager/{HTMLManagerServlet.java,
    StatusTransformer.java}.
  - CVE-2011-0013
* SECURITY UPDATE: denial of service via NIO HTTP connector
  (LP: #714239, LP: #717396)
  - debian/patches/0014-CVE-2011-0534.patch: enforce proper size in
    java/org/apache/coyote/http11/InternalNioInputBuffer.java.
  - CVE-2011-0534

25. By Marc Deslauriers on 2011-01-13

* SECURITY UPDATE: cross-site scripting in Manager application
  - debian/patches/0011-CVE-2010-4172.patch: add proper escaping to
    java/org/apache/catalina/manager/JspHelper.java,
    webapps/manager/WEB-INF/jsp/{sessionDetail,sessionsList}.jsp.
  - patch from Debian 6.0.28-9 package
  - CVE-2010-4172

24. By Thierry Carrez on 2010-08-25

Check for group existence to avoid postinst failure (LP: #611721)

23. By Thierry Carrez on 2010-07-20

* Add debconf questions for user, group and Java options.
* Use ucf to install /etc/default/tomcat6 from a template
* Drop CATALINA_BASE and CATALINA_HOME from /etc/default/tomcat6 since we
  shouldn't encourage users to change those anyway

22. By Torsten Werner on 2010-06-28

* Convert patches to dep3 format.
* Backport security fix from trunk to fix CVE-2010-1157. (Closes: #587447)
* Set urgency to medium due to the security fix.

21. By Marcus Better on 2010-05-31

[ Marcus Better ]
* Apply upstream fix for deadlock in WebappClassLoader. (Closes: #583896)

[ Thierry Carrez ]
* debian/tomcat6.{install,postinst}: Do not store the default root webapp
  in /usr/share/tomcat6/webapps as it increases confusion on what this
  directory contains (and its relation with /var/lib/tomcat6/webapps).
  Store it inside /usr/share/tomcat6-root instead (LP: #575303).

20. By Thierry Carrez on 2010-05-21

* debian/tomcat6.{postinst,prerm}: Respect TOMCAT6_USER and TOMCAT6_GROUP
  as defined in /etc/default/tomcat6 when setting directory permissions and
  authbind configuration (Closes: #581018, LP: #557300)
* debian/tomcat6.postinst: Use group "tomcat6" instead of "adm" for
  permissions in /var/lib/tomcat6, so that group "adm" doesn't get write
  permissions over /var/lib/tomcat6/webapps (LP: #569118)

19. By Thierry Carrez on 2010-03-31

[ Thierry Carrez ]
* Uploading what 6.0.24-5 should be (upload is blocked in Debian due to
  current infrastructure issues), in order to meet Beta2Freeze.

[ Niels Thykier ]
* Added optimised garbage collection options to tomcat6's default options.
  Thanks to Aaron J. Zirbes and Thierry Carrez for research and the patch.
  (Closes: LP: #541520)
* Updated the changelog to mention closed CVE's in the 6.0.24-1 release.
* Applied patch from Arto Jantunen fixing an issue with cleaning up the
  pid-file. (Closes: #574084)

[ Ludovic Claude ]
* debian/tomcat6.postrm: fix removal of Tomcat (Closes: #567548)
* Set UTF-8 as default character encoding - Patch by Thomas Koch
  (Closes: #573539)
* Set the major, minor and build versions when calling Ant
  (Closes: LP: #495505)
* Rebuild with a more recent version of maven-repo-helper which puts
  the javax jars at the correct location in the Maven repository.
  Fixes several FTBFS in other packages.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/natty/tomcat6
This branch contains Public information 
Everyone can see this information.