lp:ubuntu/trusty-security/tomcat7
- Get this branch:
- bzr branch lp:ubuntu/trusty-security/tomcat7
Recent revisions
- 33. By Marc Deslauriers

  * SECURITY UPDATE: arbitrary file disclosure via XML parser
    (LP: #1449975)
    - debian/patches/CVE-2014-0119.patch: add defensive coding and ensure
      TLD parser obtained from cache has correct value of blockExternal in
      java/org/apache/catalina/security/SecurityClassLoad.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/startup/TldConfig.java,
      java/org/apache/jasper/compiler/JspDocumentParser.java,
      java/org/apache/jasper/xmlparser/ParserUtils.java,
      java/org/apache/tomcat/util/security/PrivilegedGetTccl.java,
      java/org/apache/tomcat/util/security/PrivilegedSetTccl.java.
    - CVE-2014-0119
  * SECURITY UPDATE: HTTP request smuggling or denial of service via
    streaming with malformed chunked transfer encoding (LP: #1449975)
    - debian/patches/CVE-2014-0227.patch: add error flag and improve i18n
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      java/org/apache/coyote/http11/filters/LocalStrings.properties.
    - CVE-2014-0227
  * SECURITY UPDATE: denial of service via aborted upload attempts
    (LP: #1449975)
    - debian/patches/CVE-2014-0230.patch: limit amount of data in
      java/org/apache/coyote/http11/AbstractHttp11Processor.java,
      java/org/apache/coyote/http11/AbstractHttp11Protocol.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11AprProtocol.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/coyote/http11/Http11NioProtocol.java,
      java/org/apache/coyote/http11/Http11Processor.java,
      java/org/apache/coyote/http11/Http11Protocol.java,
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      java/org/apache/coyote/http11/filters/IdentityInputFilter.java,
      java/org/apache/coyote/http11/filters/LocalStrings.properties,
      test/org/apache/catalina/core/TestSwallowAbortedUploads.java,
      webapps/docs/config/http.xml.
    - CVE-2014-0230
  * SECURITY UPDATE: SecurityManager bypass via Expression Language
    - debian/patches/CVE-2014-7810.patch: handle classes that may not be
      accessible but have accessible interfaces in
      java/javax/el/BeanELResolver.java, remove unnecessary code in
      java/org/apache/jasper/runtime/PageContextImpl.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2014-7810
  * Replace expired ssl certs and use TLS to fix tests causing FTBFS:
    - debian/patches/0022-use-tls-in-ssl-unit-tests.patch
    - debian/patches/0023-replace-expired-ssl-certificates.patch
    - debian/source/include-binaries

- 32. By Marc Deslauriers

  * SECURITY UPDATE: denial of service via malformed chunk size
    - debian/patches/CVE-2014-0075.patch: fix overflow and add tests to
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java.
    - CVE-2014-0075
  * SECURITY UPDATE: file disclosure via XXE issue
    - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a
      relative path in conf/web.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/LocalStrings.properties,
      webapps/docs/default-servlet.xml.
    - CVE-2014-0096
  * SECURITY UPDATE: HTTP request smuggling attack via crafted
    Content-Length HTTP header
    - debian/patches/CVE-2014-0099.patch: correctly handle long values in
      java/org/apache/tomcat/util/buf/Ascii.java, added test to
      test/org/apache/tomcat/util/buf/TestAscii.java.
    - CVE-2014-0099

- 31. By Gianfranco Costamagna

  * Team upload.
  * New upstream release.
    - Addresses security issue: CVE-2014-0050

- 29. By Tony Mancill

  [ Gianfranco Costamagna ]
  * Team upload.
  * New upstream release, patch refresh.
  * Renamed patch fix-manager-webapp.path
    to fix-manager-webapp.patch (extension typo).
  * Refresh patches for upstream release.
  * Removed -Djava.net.preferIPv4Stack=true
    from init script (lp: #1088681),
    thanks Hendrik Haddorp.
  * Added webapp manager path patch (lp: #1128067)
    thanks TJ.

  [ tony mancill ]
  * Bump Standards-Version to 3.9.5.
  * Change copyright year in javadocs to 2013.
  * Add patch to include the distribution name in error pages.
    (Closes: #729840)

- 28. By Gianfranco Costamagna

  [ Gianfranco Costamagna ]
  * Team upload.
  * New upstream release.
  * Added libhamcrest-java >= 1.3 as build-dep,
    tweaked debian/rules.
  * Bumped compat level to 9.
  * Removed some version checks, newer releases already in oldstable.
  * Refresh patches.
  * debian/control: changed Vcs-Git and Vcs-Browser fields,
    now they are canonical.
  * Fixed error message in Tomcat init script,
    patch by Thijs Kinkhorst (Closes: #714348)

- 27. By Jakub Adam

  * Fix deployment of POMs for libservlet-3.0-java JARs into javax
    coordinates.
    - JARs were deployed into maven-repo, but not POMs.
  * Fix servlet-api groupId in d/javaxpoms/jsp-api.pom.

- 26. By Miguel Landaeta

  * New upstream release.
    - Addresses security issue: CVE-2013-2071
  * Refresh patches:
    - 0015_disable_test_TestCometProcessor.patch

- 25. By James Page

  * Fix FTBFS due to expired test certificates (LP: #1166187):
    - d/keystores/*.jks: Newer keystores from upstream 7.0.39.
    - d/rules: Install newer keystores for testing, tidy up after use.
    - d/p/0018-update-test-certificates.patch: Cherry picked fixes from
      upstream VCS to update text based certificates.

- 24. By James Page

  Switch from Commons DBCP to Tomcat JDBC Pool as default connection
  pool implementation (Closes: #701023).

Branch metadata
- Branch format: Branch format 7
- Repository format: Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on: lp:ubuntu/utopic/tomcat7