lp:ubuntu/oneiric-security/tomcat6
- Get this branch:
- bzr branch lp:ubuntu/oneiric-security/tomcat6
Recent revisions
- 42. By Marc Deslauriers
* SECURITY UPDATE: security-constraint bypass with FORM auth
- debian/patches/CVE-2012-3546.patch: remove unneeded code in
java/org/apache/catalina/realm/RealmBase.java.
- CVE-2012-3546
* SECURITY UPDATE: CSRF bypass via request with no session identifier
- debian/patches/CVE-2012-4431.patch: check for session identifier in
java/org/apache/catalina/filters/CsrfPreventionFilter.java.
- CVE-2012-4431
* SECURITY UPDATE: denial of service with NIO connector
- debian/patches/CVE-2012-4534.patch: properly handle connection breaks
in java/org/apache/tomcat/util/net/NioEndpoint.java.
- CVE-2012-4534
- 41. By Marc Deslauriers
* SECURITY UPDATE: denial of service via large header data
- debian/patches/0012-CVE-2012-2733.patch: improve size logic in
java/org/apache/coyote/http11/InternalNioInputBuffer.java.
- CVE-2012-2733
* SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
- debian/patches/0013-CVE-2012-588x.patch: disable caching of an
authenticated user in the session by default, track server rather
than client nonces, better handling of stale nonce values in
java/org/apache/catalina/authenticator/DigestAuthenticator.java.
- CVE-2012-3439
- CVE-2012-5885
- CVE-2012-5886
- CVE-2012-5887
- 40. By Marc Deslauriers
* SECURITY UPDATE: cross-request information leakage
- debian/patches/0016-CVE-2011-3375.patch: ensure that the request and
response objects are recycled after being re-populated in
java/org/apache/catalina/connector/CoyoteAdapter.java,
java/org/apache/coyote/ajp/AjpAprProcessor.java,
java/org/apache/coyote/ajp/AjpProcessor.java,
java/org/apache/coyote/http11/Http11AprProcessor.java,
java/org/apache/coyote/http11/Http11NioProcessor.java,
java/org/apache/coyote/http11/Http11Processor.java.
- CVE-2011-3375
* SECURITY UPDATE: denial of service via hash collision and incorrect
handling of large numbers of parameters and parameter values
(LP: #909828)
- debian/patches/0017-CVE-2012-0022.patch: refactor parameter handling
code in conf/web.xml,
java/org/apache/catalina/connector/Connector.java,
java/org/apache/catalina/connector/mbeans-descriptors.xml,
java/org/apache/catalina/connector/Request.java,
java/org/apache/catalina/filters/FilterBase.java,
java/org/apache/catalina/filters/FailedRequestFilter.java,
java/org/apache/catalina/Globals.java,
java/org/apache/coyote/Request.java,
java/org/apache/tomcat/util/buf/B2CConverter.java,
java/org/apache/tomcat/util/buf/ByteChunk.java,
java/org/apache/tomcat/util/buf/MessageBytes.java,
java/org/apache/tomcat/util/buf/StringCache.java,
java/org/apache/tomcat/util/http/LocalStrings.properties,
java/org/apache/tomcat/util/http/Parameters.java,
webapps/docs/config/ajp.xml,
webapps/docs/config/filter.xml,
webapps/docs/config/http.xml.
- CVE-2011-4858
- CVE-2012-0022
- 39. By Marc Deslauriers
* SECURITY UPDATE: HTTP DIGEST authentication weaknesses
- debian/patches/0014-CVE-2011-1184.patch: add new nonce options in
java/org/apache/catalina/authenticator/DigestAuthenticator.java,
java/org/apache/catalina/authenticator/LocalStrings.properties,
java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
java/org/apache/catalina/realm/RealmBase.java,
webapps/docs/config/valve.xml.
- CVE-2011-1184
* SECURITY UPDATE: file restriction bypass or denial of service via
untrusted web application.
- debian/patches/0015-CVE-2011-2526.patch: check canonical name in
java/org/apache/catalina/connector/LocalStrings.properties,
java/org/apache/catalina/connector/Request.java,
java/org/apache/catalina/servlets/DefaultServlet.java,
java/org/apache/coyote/http11/Http11AprProcessor.java,
java/org/apache/coyote/http11/LocalStrings.properties,
java/org/apache/tomcat/util/net/AprEndpoint.java,
java/org/apache/tomcat/util/net/NioEndpoint.java.
- CVE-2011-2526
- 37. By Tony Mancill
* Team upload.
* Add Catalan debconf translation ca.po (Closes: #630073).
* Correct Suggests for libtcnative-1 (tomcat-native) (Closes: #631919)
* Add patch for CVE-2011-2204 (Closes: #632882)
- 36. By Tony Mancill
* Team upload.
* Add Italian debconf translation.
Thanks to Dario Santamaria (Closes: #624376)
* Add logrotate for catalina.out (Closes: 607050)
* Bump standards version to 3.9.2 (no changes needed).
- 35. By Tony Mancill
* Team upload.
* Include upstream patch for ASF Bugzilla - Bug 50700
(Context parameters are being overridden with parameters from the
web application deployment descriptor) (Closes: #623242)
- 34. By Abhinav Upadhyay
debian/
tomcat6-instance-create: Eclipse can now be configured to use a user instance
of tomcat6 using tomcat6-instance-create without any additional work.
tomcat6-instance-create will set up all the necessary symlinks to make eclipse work.
(Closes: #551091) (LP: #297675)
- 33. By Abhinav Upadhyay
[ Abhinav Upadhyay ]
* tomcat6-instance-create should accept -1 as the value of -c option
as per http://tomcat.apache.org/tomcat-6.0-doc/config/server.html
(LP: #707405)
[ Dave Walker (Daviey) ]
* debian/control: Updated Maintainer as per policy.
Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on: lp:ubuntu/precise/tomcat6