lp:ubuntu/quantal-security/tomcat6
- Get this branch:
- bzr branch lp:ubuntu/quantal-security/tomcat6
Recent revisions
- 50. By Jamie Strandboge
-
[ Christian Kuersteiner ]
* SECURITY UPDATE: denial of service via large header data
- debian/patches/0012-CVE-2012-2733.patch: improve size logic in
java/org/apache/coyote/http11/InternalNioInputBuffer.java.
- CVE-2012-2733
- LP: #1166649
* SECURITY UPDATE: security-constraint bypass with FORM auth
- debian/patches/CVE-2012-3546.patch: remove unneeded code in
java/org/apache/catalina/realm/RealmBase.java.
- CVE-2012-3546
* SECURITY UPDATE: CSRF bypass via request with no session identifier
- debian/patches/CVE-2012-4431.patch: check for session identifier in
java/org/apache/catalina/filters/CsrfPreventionFilter.java.
- CVE-2012-4431
* SECURITY UPDATE: denial of service with NIO connector
- debian/patches/CVE-2012-4534.patch: properly handle connection breaks
in java/org/apache/tomcat/util/net/NioEndpoint.java.
- CVE-2012-4534
[ Jamie Strandboge ]
* SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
- debian/patches/0013-CVE-2012-588x.patch: disable caching of an
authenticated user in the session by default, track server rather
than client nonces, better handling of stale nonce values in
java/org/apache/catalina/authenticator/DigestAuthenticator.java.
Patch from Marc Deslauriers.
- CVE-2012-3439
- CVE-2012-5885
- CVE-2012-5886
- CVE-2012-5887
* SECURITY UPDATE: denial of service via chunked transfer encoding
- debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests
in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
Patch from Marc Deslauriers.
- CVE-2012-3544
* SECURITY UPDATE: FORM authentication request injection
- debian/patches/CVE-2013-2067.patch: properly change session ID
in java/org/apache/catalina/authenticator/FormAuthenticator.java.
Patch from Marc Deslauriers.
- CVE-2013-2067
- 49. By Tony Mancill
-
* Apply patch to README.Debian to explain setting the HTTPOnly flag
in cookies by default; CVE-2010-4312. (Closes: #608286)
- Thank you to Thijs Kinkhorst for the patch.
* Use ucf and a template for /etc/logrotate.d/tomcat6 file to avoid
updating the shipped conffile. (Closes: #687818)
- 48. By Miguel Landaeta
-
[ tony mancill ]
* Team upload.
* Apply patch from James Page (Closes: #671373)
- d/tomcat6-instance-create: Quote access to files and directories
so that spaces can be used when creating user instances.
- d/tomcat6.init: Make NAME dynamic, to allow starting multiple
instances. (Closes: #299635)
[ Miguel Landaeta ]
* Add Slovak debconf translation (Closes: #677912).
- Thanks to Ivan Masár.
- 46. By James Page
-
* Merge from Debian Unstable, remaining changes:
- d/tomcat6-instance-create: Quote access to files and directories
so that spaces can be used when creating user instances.
- d/tomcat6.init: Make NAME dynamic, to allow starting multiple instances.
- 45. By James Page
-
* Handle creation of user instances with pathnames containing spaces
(LP: #977498):
- d/tomcat6-instance-create: Quote access to files and directories
so that spaces can be used when creating user instances.
- 43. By Marc Deslauriers
-
debian/patches/0011-CVE-2012-0022-regression-fix.patch: fix regression
from the CVE-2012-0022 security fix that went into 6.0.35.
- 42. By Tony Mancill
-
[ Miguel Landaeta ]
* New upstream release.
* Add myself to Uploaders.
* Remove 0013-CVE-2011-3190.patch since it was included upstream.
* Add mh_clean call in clean target.
* Fix error in debian/rules that caused tomcat to report no version.
Thanks to Jorge Barreiro for the patch. (Closes: #650656).
[ tony mancill ]
* Update Vcs-* fields in debian/control for switch to git.
* Update to run with openjdk-7 and openjdk-6 when not default-jdk is
not present. (Closes: #651448)
* Allow java?-runtime-headless to satisfy Depends.
* Add myself to Uploaders.
- 41. By Tony Mancill
-
* Team upload.
* New upstream release.
* Remove the following patches (included upstream):
- 0011-623242.patch
- 0012-CVE-2011-2204.patch
- 0015-CVE-2011-2526.patch
- 0014-CVE-2011-1184.patch
* Add patch for multi-instance startup. CATALINA_HOME no longer
depends on the instance $NAME. JVM_TMP is now $NAME-specific.
- Thank you to Julien Wajsberg. (Closes: #644365)
* Add dependency on JRE to tomcat6-common (Closes: #644340)
* Modify init script to look for JVM in /usr/lib/jvm/default-java
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp:ubuntu/saucy/tomcat6