lp:ubuntu/oneiric-security/tomcat6

Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp:ubuntu/oneiric-security/tomcat6

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

42. By Marc Deslauriers

* SECURITY UPDATE: security-constraint bypass with FORM auth
  - debian/patches/CVE-2012-3546.patch: remove unneeded code in
    java/org/apache/catalina/realm/RealmBase.java.
  - CVE-2012-3546
* SECURITY UPDATE: CSRF bypass via request with no session identifier
  - debian/patches/CVE-2012-4431.patch: check for session identifier in
    java/org/apache/catalina/filters/CsrfPreventionFilter.java.
  - CVE-2012-4431
* SECURITY UPDATE: denial of service with NIO connector
  - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
    in java/org/apache/tomcat/util/net/NioEndpoint.java.
  - CVE-2012-4534

41. By Marc Deslauriers

* SECURITY UPDATE: denial of service via large header data
  - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
    java/org/apache/coyote/http11/InternalNioInputBuffer.java.
  - CVE-2012-2733
* SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
  - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
    authenticated user in the session by default, track server rather
    than client nonces, better handling of stale nonce values in
    java/org/apache/catalina/authenticator/DigestAuthenticator.java.
  - CVE-2012-3439
  - CVE-2012-5885
  - CVE-2012-5886
  - CVE-2012-5887

40. By Marc Deslauriers

* SECURITY UPDATE: cross-request information leakage
  - debian/patches/0016-CVE-2011-3375.patch: ensure that the request and
    response objects are recycled after being re-populated in
    java/org/apache/catalina/connector/CoyoteAdapter.java,
    java/org/apache/coyote/ajp/AjpAprProcessor.java,
    java/org/apache/coyote/ajp/AjpProcessor.java,
    java/org/apache/coyote/http11/Http11AprProcessor.java,
    java/org/apache/coyote/http11/Http11NioProcessor.java,
    java/org/apache/coyote/http11/Http11Processor.java.
  - CVE-2011-3375
* SECURITY UPDATE: denial of service via hash collision and incorrect
  handling of large numbers of parameters and parameter values
  (LP: #909828)
  - debian/patches/0017-CVE-2012-0022.patch: refactor parameter handling
    code in conf/web.xml,
    java/org/apache/catalina/connector/Connector.java,
    java/org/apache/catalina/connector/mbeans-descriptors.xml,
    java/org/apache/catalina/connector/Request.java,
    java/org/apache/catalina/filters/FilterBase.java,
    java/org/apache/catalina/filters/FailedRequestFilter.java,
    java/org/apache/catalina/Globals.java,
    java/org/apache/coyote/Request.java,
    java/org/apache/tomcat/util/buf/B2CConverter.java,
    java/org/apache/tomcat/util/buf/ByteChunk.java,
    java/org/apache/tomcat/util/buf/MessageBytes.java,
    java/org/apache/tomcat/util/buf/StringCache.java,
    java/org/apache/tomcat/util/http/LocalStrings.properties,
    java/org/apache/tomcat/util/http/Parameters.java,
    webapps/docs/config/ajp.xml,
    webapps/docs/config/filter.xml,
    webapps/docs/config/http.xml.
  - CVE-2011-4858
  - CVE-2012-0022

39. By Marc Deslauriers

* SECURITY UPDATE: HTTP DIGEST authentication weaknesses
  - debian/patches/0014-CVE-2011-1184.patch: add new nonce options in
    java/org/apache/catalina/authenticator/DigestAuthenticator.java,
    java/org/apache/catalina/authenticator/LocalStrings.properties,
    java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
    java/org/apache/catalina/realm/RealmBase.java,
    webapps/docs/config/valve.xml.
  - CVE-2011-1184
* SECURITY UPDATE: file restriction bypass or denial of service via
  untrusted web application.
  - debian/patches/0015-CVE-2011-2526.patch: check canonical name in
    java/org/apache/catalina/connector/LocalStrings.properties,
    java/org/apache/catalina/connector/Request.java,
    java/org/apache/catalina/servlets/DefaultServlet.java,
    java/org/apache/coyote/http11/Http11AprProcessor.java,
    java/org/apache/coyote/http11/LocalStrings.properties,
    java/org/apache/tomcat/util/net/AprEndpoint.java,
    java/org/apache/tomcat/util/net/NioEndpoint.java.
  - CVE-2011-2526

38. By James Page

Added patch for CVE-2011-3190 (LP: #843701).

37. By Tony Mancill

* Team upload.
* Add Catalan debconf translation ca.po (Closes: #630073).
* Correct Suggests for libtcnative-1 (tomcat-native) (Closes: #631919)
* Add patch for CVE-2011-2204 (Closes: #632882)

36. By Tony Mancill

* Team upload.
* Add Italian debconf translation.
  Thanks to Dario Santamaria (Closes: #624376)
* Add logrotate for catalina.out (Closes: #607050)
* Bump standards version to 3.9.2 (no changes needed).

35. By Tony Mancill

* Team upload.
* Include upstream patch for ASF Bugzilla - Bug 50700
  (Context parameters are being overridden with parameters from the
   web application deployment descriptor) (Closes: #623242)

34. By Abhinav Upadhyay

debian/tomcat6-instance-create: Eclipse can now be configured to use a user instance
of tomcat6 created with tomcat6-instance-create without any additional work.
tomcat6-instance-create will set up all the necessary symlinks to make Eclipse work.
(Closes: #551091) (LP: #297675)

33. By Abhinav Upadhyay

[ Abhinav Upadhyay ]
* tomcat6-instance-create should accept -1 as the value of -c option
  as per http://tomcat.apache.org/tomcat-6.0-doc/config/server.html
  (LP: #707405)
[ Dave Walker (Daviey) ]
* debian/control: Updated Maintainer as per policy.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/precise/tomcat6
This branch contains Public information.
