Ubuntu

lp:ubuntu/natty-security/tomcat6

Created by Ubuntu Package Importer on 2011-11-08 and last modified on 2012-05-04
Get this branch:
bzr branch lp:ubuntu/natty-security/tomcat6

Branch information

Owner: Ubuntu branches
Review team: Ubuntu Development Team
Status: Mature

Recent revisions

36. By Marc Deslauriers on 2012-01-25

* SECURITY UPDATE: denial of service via hash collision and incorrect
  handling of large numbers of parameters and parameter values
  (LP: #909828)
  - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
    code in conf/web.xml,
    java/org/apache/catalina/connector/Connector.java,
    java/org/apache/catalina/connector/mbeans-descriptors.xml,
    java/org/apache/catalina/connector/Request.java,
    java/org/apache/catalina/filters/FailedRequestFilter.java,
    java/org/apache/catalina/Globals.java,
    java/org/apache/coyote/Request.java,
    java/org/apache/tomcat/util/buf/B2CConverter.java,
    java/org/apache/tomcat/util/buf/ByteChunk.java,
    java/org/apache/tomcat/util/buf/MessageBytes.java,
    java/org/apache/tomcat/util/buf/StringCache.java,
    java/org/apache/tomcat/util/http/LocalStrings.properties,
    java/org/apache/tomcat/util/http/Parameters.java,
    webapps/docs/config/ajp.xml,
    webapps/docs/config/http.xml.
  - CVE-2011-4858
  - CVE-2012-0022

35. By Marc Deslauriers on 2011-09-26

* SECURITY UPDATE: information disclosure via log file
  - debian/patches/0015-CVE-2011-2204.patch: fix logging in
    java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
    java/org/apache/catalina/users/MemoryUserDatabase.java,
    java/org/apache/catalina/users/MemoryUser.java.
  - CVE-2011-2204
* SECURITY UPDATE: file restriction bypass or denial of service via
  untrusted web application.
  - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
    java/org/apache/catalina/connector/LocalStrings.properties,
    java/org/apache/catalina/connector/Request.java,
    java/org/apache/catalina/servlets/DefaultServlet.java,
    java/org/apache/coyote/http11/Http11AprProcessor.java,
    java/org/apache/coyote/http11/LocalStrings.properties,
    java/org/apache/tomcat/util/net/AprEndpoint.java,
    java/org/apache/tomcat/util/net/NioEndpoint.java.
  - CVE-2011-2526
* SECURITY UPDATE: AJP request spoofing and authentication bypass
  (LP: #843701)
  - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
    bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
    java/org/apache/coyote/ajp/AjpProcessor.java.
  - CVE-2011-3190
* SECURITY UPDATE: HTTP DIGEST authentication weaknesses
  - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
    java/org/apache/catalina/authenticator/DigestAuthenticator.java,
    java/org/apache/catalina/authenticator/LocalStrings.properties,
    java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
    java/org/apache/catalina/realm/RealmBase.java,
    webapps/docs/config/valve.xml.
  - CVE-2011-1184

34. By Abhinav Upadhyay on 2011-03-11

debian/tomcat6-instance-create: Eclipse can now be configured to use a user instance
of tomcat6 using tomcat6-instance-create without any additional work.
tomcat6-instance-create will set up all the necessary symlinks to make Eclipse work.
(Closes: #551091) (LP: #297675)

33. By Abhinav Upadhyay on 2011-03-09

[ Abhinav Upadhyay ]
* tomcat6-instance-create should accept -1 as the value of -c option
  as per http://tomcat.apache.org/tomcat-6.0-doc/config/server.html
  (LP: #707405)
[ Dave Walker (Daviey) ]
* debian/control: Updated Maintainer as per policy.

32. By Tony Mancill on 2011-02-09

* Team upload.
* Add Portuguese/Brazilian debconf translation.
  Thanks to José de Figueiredo (Closes: #608527)
* Add patches for CVE-2011-0534, CVE-2010-3718, CVE-2011-0013
  (Closes: #612257)

31. By Tony Mancill on 2010-12-09

* Team upload.
* Update URL for manager application in README.Debian
  Thanks to Ernesto Ongaro (Closes: #606170)
* Add patch for CVE-2010-4172. (Closes: #606388)

30. By Tony Mancill on 2010-12-04

* Team upload.

[ Thierry Carrez (ttx) ]
* Do not fail to purge if /etc/tomcat6 was manually removed (LP: #648619)
* Add missing -p option in start-stop-daemon when starting tomcat6 to avoid
  failing to start due to /bin/bash running (LP: #632554)
* Fix build failure (missing TraXLiaison class) by adding ant-nodeps
  to the classpath.

[ tony mancill ]
* Use debconf to determine tomcat6 user and group to delete upon purge.
  Thanks to Misha Koshelev. (Closes: #599458)
* Add tomcat-native to Suggests: for tomcat6 binary package.
  Thanks to Eddy Petrisor (Closes: #600590)
* Add Danish debconf template translation.
  Thanks to Joe Dalton (Closes: #605070)
* Actually add the Czech debconf template translation.
  Thanks this time to Christian PERRIER (Closes: #597863)

29. By Thierry Carrez on 2010-11-23

debian/control: Reapply ant1.7-optional to ant-optional change, was
accidentally reverted in last upload.

28. By Thierry Carrez on 2010-11-23

debian/tomcat6.init: Add missing -p option in start-stop-daemon when
starting tomcat6 to avoid failing to start due to /bin/bash running
(LP: #632554)

27. By James Page on 2010-11-08

* Build-depend on ant/ant-optional (1.8.1)
* Amended debian/rules, fix xslt processing in ant 1.8.1 to
  fix FTBFS (LP: #662588)

Branch metadata

Branch format: Branch format 7
Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on: lp:ubuntu/precise/tomcat6