lp:ubuntu/quantal-security/tomcat7

Created by Ubuntu Package Importer on 2013-01-14 and last modified on 2014-03-04
Get this branch:
bzr branch lp:ubuntu/quantal-security/tomcat7

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

24. By Marc Deslauriers on 2014-03-04

* SECURITY UPDATE: request smuggling attack via content-length headers
  - debian/patches/CVE-2013-4286.patch: use long as content length in
    java/org/apache/coyote/Request.java, handle multiple content lengths
    in java/org/apache/coyote/ajp/AbstractAjpProcessor.java, handle
    content length and chunked encoding being both specified in
    java/org/apache/coyote/http11/AbstractHttp11Processor.java.
  - CVE-2013-4286
* SECURITY UPDATE: denial of service via chunked transfer coding
  - debian/patches/CVE-2013-4322.patch: enforce maximum size in
    java/org/apache/coyote/http11/{AbstractHttp11Processor.java,
    AbstractHttp11Protocol.java, Http11AprProcessor.java,
    Http11AprProtocol.java, Http11NioProcessor.java,
    Http11NioProtocol.java, Http11Processor.java, Http11Protocol.java},
    java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
    test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java,
    webapps/docs/config/http.xml.
  - CVE-2013-4322
* SECURITY UPDATE: denial of service via malformed content-type header
  - debian/patches/CVE-2014-0050.patch: validate sizes in
    java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java,
    java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
  - CVE-2014-0050
* d/p/0018-update-test-certificates.patch: remove binary parts to
  support newer quilt.

23. By Marc Deslauriers on 2013-05-23

* SECURITY UPDATE: FORM authentication request injection
  - debian/patches/CVE-2013-2067.patch: properly change session ID
    in java/org/apache/catalina/authenticator/FormAuthenticator.java.
  - CVE-2013-2067
* SECURITY UPDATE: information leak via AsyncListeners and
  RuntimeExceptions (LP: #1178645)
  - debian/patches/CVE-2013-2071.patch: catch RuntimeExceptions in
    java/org/apache/catalina/core/AsyncContextImpl.java, added tests to
    test/org/apache/catalina/core/TestAsyncContextImpl.java.
  - CVE-2013-2071
* Fix FTBFS due to expired test certificates:
  - d/keystores/*.jks: Newer keystores from upstream 7.0.39.
  - d/rules: Install newer keystores for testing, tidy up after use.
  - d/p/0018-update-test-certificates.patch: Cherry picked fixes from
    upstream VCS to update text based certificates.

22. By Marc Deslauriers on 2013-01-10

* SECURITY UPDATE: CSRF bypass via request with no session identifier
  - debian/patches/CVE-2012-4431.patch: check for session identifier in
    java/org/apache/catalina/filters/CsrfPreventionFilter.java.
  - CVE-2012-4431

21. By James Page on 2012-09-17

* New upstream point release including several fixes for Java 7
  specific issues.
* Refreshed patches.

20. By James Page on 2012-07-16

* Re-sync with Debian unstable.
* New upstream release:
  - Refreshed patches.
* Enabled Tomcat jdbc-pool module, aligning more closely to upstream and
  providing improved multi-threaded performance over commons-dbcp:
  - d/rules,d/libtomcat7-java.poms: Install tomcat-dbcp.jar file.
  - d/patches/0005-change-default-DBCP-factory-class.patch: Drop patch
    which switches the default DBCP factory to commons-dbcp.
  - d/NEWS: let users know about this change.

19. By Tony Mancill on 2012-06-22

[ Miguel Landaeta ]
* Add Slovak debconf translation (Closes: #677913).
  - Thanks to Ivan Masár.

[ James Page ]
* New upstream release.
* Enable test suite during package build:
  - d/control: Add junit4, libjstl1.1-java and
    libjakarta-taglibs-standard-java to BDI's.
  - d/rules:
    + Add ant/junit4 jar files to build classpath.
    + Target java 1.6 to support test suite execution.
    + Specify location of junit jar file.
    + Install jstl jar files to example webapp during build.
    + Conditionally execute test target if required.
    + Purge jar files from example webapp during clean.
* Fix JSTL examples in examples web application:
  - d/control: Add dependencies on libjstl1.1-java and
    libjakarta-taglibs-standard-java for tomcat7-examples.
  - d/tomcat7-examples.links: Add links to jstl and standard jar
    files for examples web application.
  - d/context/examples.xml: Allow linking to jar files in examples
    webapp.
* Fix mapping to javax packages for API jar files:
  - d/maven.[rules,publishedRules]: Ensure all javax.[servlet|el] jar files
    are published to the correct locations in /usr/share/[maven-repo|java].
  - d/libservlet3.0-java.manifest: Update jar file locations for javax
    remapping.
  - d/libservlet3.0-java.links: Provide backwards compatible links for
    deprecated tomcat-*.jar files in /usr/share/java.

[ tony mancill ]
* Set DMUA flag.

18. By James Page on 2012-06-17

* Enable test suite during package build:
  - d/control: Add junit4, libjstl1.1-java and
    libjakarta-taglibs-standard-java to BDI's.
  - d/rules:
    + Add ant/junit4 jar files to build classpath.
    + Target java 1.6 to support test suite execution.
    + Specify location of junit jar file.
    + Install jstl jar files to example webapp during build.
    + Conditionally execute test target if required.
    + Purge jar files from example webapp during clean.
* Fix JSTL examples in examples web application:
  - d/control: Add dependencies on libjstl1.1-java and
    libjakarta-taglibs-standard-java for tomcat7-examples.
  - d/tomcat7-examples.links: Add links to jstl and standard jar
    files for examples web application.
  - d/context/examples.xml: Allow linking to jar files in examples
    webapp.

17. By James Page on 2012-06-15

* Fix mapping to javax packages for API jar files:
  - d/maven.[rules,publishedRules]: Ensure all javax.[servlet|el] jar files
    are published to the correct locations in /usr/share/[maven-repo|java].
  - d/libservlet3.0-java.manifest: Update jar file locations for javax
    remapping.
  - d/libservlet3.0-java.links: Provide backwards compatible links for
    deprecated tomcat-*.jar files in /usr/share/java.

16. By Tony Mancill on 2012-06-07

New upstream release.

15. By Tony Mancill on 2012-05-28

* Address regression leaving ROOT webapp files after purge.
  (Closes: #670440)
* Update copyright year in javadoc to 2012.

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/raring/tomcat7