lp:ubuntu/quantal-security/tomcat6

Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp:ubuntu/quantal-security/tomcat6

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

50. By Jamie Strandboge

[ Christian Kuersteiner ]
* SECURITY UPDATE: denial of service via large header data
  - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
    java/org/apache/coyote/http11/InternalNioInputBuffer.java.
  - CVE-2012-2733
  - LP: #1166649
* SECURITY UPDATE: security-constraint bypass with FORM auth
  - debian/patches/CVE-2012-3546.patch: remove unneeded code in
    java/org/apache/catalina/realm/RealmBase.java.
  - CVE-2012-3546
* SECURITY UPDATE: CSRF bypass via request with no session identifier
  - debian/patches/CVE-2012-4431.patch: check for session identifier in
    java/org/apache/catalina/filters/CsrfPreventionFilter.java.
  - CVE-2012-4431
* SECURITY UPDATE: denial of service with NIO connector
  - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
    in java/org/apache/tomcat/util/net/NioEndpoint.java.
  - CVE-2012-4534

[ Jamie Strandboge ]
* SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
  - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
    authenticated user in the session by default, track server rather
    than client nonces, better handling of stale nonce values in
    java/org/apache/catalina/authenticator/DigestAuthenticator.java.
    Patch from Marc Deslauriers.
  - CVE-2012-3439
  - CVE-2012-5885
  - CVE-2012-5886
  - CVE-2012-5887
* SECURITY UPDATE: denial of service via chunked transfer encoding
  - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests
    in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    Patch from Marc Deslauriers.
  - CVE-2012-3544
* SECURITY UPDATE: FORM authentication request injection
  - debian/patches/CVE-2013-2067.patch: properly change session ID
    in java/org/apache/catalina/authenticator/FormAuthenticator.java.
    Patch from Marc Deslauriers.
  - CVE-2013-2067

49. By Tony Mancill

* Apply patch to README.Debian to explain setting the HTTPOnly flag
  in cookies by default; CVE-2010-4312. (Closes: #608286)
  - Thank you to Thijs Kinkhorst for the patch.
* Use ucf and a template for /etc/logrotate.d/tomcat6 file to avoid
  updating the shipped conffile. (Closes: #687818)
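The README.Debian change above documents the HttpOnly setting rather than changing the default. As an added example for this page (not the README.Debian text itself), this is the per-webapp default Context with the flag turned on; the path assumes the Debian/Ubuntu layout under /etc/tomcat6, and the WatchedResource element is the one Tomcat 6 ships in that file.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- /etc/tomcat6/context.xml: default Context applied to every webapp.
     useHttpOnly="true" makes Tomcat mark the JSESSIONID cookie HttpOnly
     (supported from Tomcat 6.0.19; the 6.x default is false). -->
<Context useHttpOnly="true">
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
```

After restarting tomcat6, a request to any servlet that creates a session should return a Set-Cookie header for JSESSIONID ending in `; HttpOnly`; if it does not, check that no per-application META-INF/context.xml overrides the attribute.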

48. By Miguel Landaeta

[ tony mancill ]
* Team upload.
* Apply patch from James Page (Closes: #671373)
  - d/tomcat6-instance-create: Quote access to files and directories
    so that spaces can be used when creating user instances.
  - d/tomcat6.init: Make NAME dynamic, to allow starting multiple
    instances. (Closes: #299635)

[ Miguel Landaeta ]
* Add Slovak debconf translation (Closes: #677912).
  - Thanks to Ivan Masár.

47. By James Page

No-change rebuild with openjdk-7 as default-jdk.

46. By James Page

* Merge from Debian Unstable, remaining changes:
  - d/tomcat6-instance-create: Quote access to files and directories
    so that spaces can be used when creating user instances.
  - d/tomcat6.init: Make NAME dynamic, to allow starting multiple instances.

45. By James Page

* Handle creation of user instances with pathnames containing spaces
  (LP: #977498):
  - d/tomcat6-instance-create: Quote access to files and directories
    so that spaces can be used when creating user instances.

44. By Timo Aaltonen

init: Make NAME dynamic, to allow starting multiple instances.

43. By Marc Deslauriers

debian/patches/0011-CVE-2012-0022-regression-fix.patch: fix regression
from the CVE-2012-0022 security fix that went into 6.0.35.

42. By Tony Mancill

[ Miguel Landaeta ]
* New upstream release.
* Add myself to Uploaders.
* Remove 0013-CVE-2011-3190.patch since it was included upstream.
* Add mh_clean call in clean target.
* Fix error in debian/rules that caused tomcat to report no version.
  Thanks to Jorge Barreiro for the patch. (Closes: #650656).

[ tony mancill ]
* Update Vcs-* fields in debian/control for switch to git.
* Update to run with openjdk-7 and openjdk-6 when default-jdk is
  not present. (Closes: #651448)
* Allow java?-runtime-headless to satisfy Depends.
* Add myself to Uploaders.

41. By Tony Mancill

* Team upload.
* New upstream release.
* Remove the following patches (included upstream):
  - 0011-623242.patch
  - 0012-CVE-2011-2204.patch
  - 0015-CVE-2011-2526.patch
  - 0014-CVE-2011-1184.patch
* Add patch for multi-instance startup. CATALINA_HOME no longer
  depends on the instance $NAME. JVM_TMP is now $NAME-specific.
  - Thank you to Julien Wajsberg. (Closes: #644365)
* Add dependency on JRE to tomcat6-common (Closes: #644340)
* Modify init script to look for JVM in /usr/lib/jvm/default-java

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/saucy/tomcat6