lp:ubuntu/trusty-security/tomcat7

Created by Ubuntu Package Importer and last modified
Get this branch:
bzr branch lp:ubuntu/trusty-security/tomcat7

Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

33. By Marc Deslauriers

* SECURITY UPDATE: arbitrary file disclosure via XML parser
  (LP: #1449975)
  - debian/patches/CVE-2014-0119.patch: add defensive coding and ensure
    TLD parser obtained from cache has correct value of blockExternal in
    java/org/apache/catalina/security/SecurityClassLoad.java,
    java/org/apache/catalina/servlets/DefaultServlet.java,
    java/org/apache/catalina/startup/TldConfig.java,
    java/org/apache/jasper/compiler/JspDocumentParser.java,
    java/org/apache/jasper/xmlparser/ParserUtils.java,
    java/org/apache/tomcat/util/security/PrivilegedGetTccl.java,
    java/org/apache/tomcat/util/security/PrivilegedSetTccl.java.
  - CVE-2014-0119
* SECURITY UPDATE: HTTP request smuggling or denial of service via
  streaming with malformed chunked transfer encoding (LP: #1449975)
  - debian/patches/CVE-2014-0227.patch: add error flag and improve i18n
    in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
    java/org/apache/coyote/http11/filters/LocalStrings.properties.
  - CVE-2014-0227
* SECURITY UPDATE: denial of service via aborted upload attempts
  (LP: #1449975)
  - debian/patches/CVE-2014-0230.patch: limit amount of data in
    java/org/apache/coyote/http11/AbstractHttp11Processor.java,
    java/org/apache/coyote/http11/AbstractHttp11Protocol.java,
    java/org/apache/coyote/http11/Http11AprProcessor.java,
    java/org/apache/coyote/http11/Http11AprProtocol.java,
    java/org/apache/coyote/http11/Http11NioProcessor.java,
    java/org/apache/coyote/http11/Http11NioProtocol.java,
    java/org/apache/coyote/http11/Http11Processor.java,
    java/org/apache/coyote/http11/Http11Protocol.java,
    java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
    java/org/apache/coyote/http11/filters/IdentityInputFilter.java,
    java/org/apache/coyote/http11/filters/LocalStrings.properties,
    test/org/apache/catalina/core/TestSwallowAbortedUploads.java,
    webapps/docs/config/http.xml.
  - CVE-2014-0230
* SECURITY UPDATE: SecurityManager bypass via Expression Language
  - debian/patches/CVE-2014-7810.patch: handle classes that may not be
    accessible but have accessible interfaces in
    java/javax/el/BeanELResolver.java, remove unnecessary code in
    java/org/apache/jasper/runtime/PageContextImpl.java,
    java/org/apache/jasper/security/SecurityClassLoad.java.
  - CVE-2014-7810
* Replace expired ssl certs and use TLS to fix tests causing FTBFS:
  - debian/patches/0022-use-tls-in-ssl-unit-tests.patch
  - debian/patches/0023-replace-expired-ssl-certificates.patch
  - debian/source/include-binaries

32. By Marc Deslauriers

* SECURITY UPDATE: denial of service via malformed chunk size
  - debian/patches/CVE-2014-0075.patch: fix overflow and added tests to
    java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
    test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java.
  - CVE-2014-0075
* SECURITY UPDATE: file disclosure via XXE issue
  - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a
    relative path in conf/web.xml,
    java/org/apache/catalina/servlets/DefaultServlet.java,
    java/org/apache/catalina/servlets/LocalStrings.properties,
    webapps/docs/default-servlet.xml.
  - CVE-2014-0096
* SECURITY UPDATE: HTTP request smuggling attack via crafted
  Content-Length HTTP header
  - debian/patches/CVE-2014-0099.patch: correctly handle long values in
    java/org/apache/tomcat/util/buf/Ascii.java, added test to
    test/org/apache/tomcat/util/buf/TestAscii.java.
  - CVE-2014-0099

31. By Gianfranco Costamagna

* Team upload.
* New upstream release.
  - Addresses security issue: CVE-2014-0050

30. By James Page

New upstream release.

29. By Tony Mancill

[ Gianfranco Costamagna ]
* Team upload.
* New upstream release, patch refresh.
* Renamed patch fix-manager-webapp.path
  to fix-manager-webapp.patch (extension typo).
* Refresh patches for upstream release.
* Removed -Djava.net.preferIPv4Stack=true
  from init script (lp: #1088681),
  thanks Hendrik Haddorp.
* Added webapp manager path patch (lp: #1128067)
  thanks TJ.

[ tony mancill ]
* Bump Standards-Version to 3.9.5.
* Change copyright year in javadocs to 2013.
* Add patch to include the distribution name in error pages.
  (Closes: #729840)

28. By Gianfranco Costamagna

[ Gianfranco Costamagna ]
* Team upload.
* New upstream release.
* Added libhamcrest-java >= 1.3 as build-dep,
  tweaked debian/rules.
* Bumped compat level to 9.
* Removed some version checks, newer releases already in oldstable.
* Refresh patches.
* debian/control: changed Vcs-Git and Vcs-Browser fields,
  now they are canonical.
* Fixed error message in Tomcat init script,
  patch by Thijs Kinkhorst (Closes: #714348)

27. By Jakub Adam

* Fix deployment of POMs for libservlet-3.0-java JARs into javax
  coordinates.
  - JARs were deployed into maven-repo, but not POMs.
* Fix servlet-api groupId in d/javaxpoms/jsp-api.pom.

26. By Miguel Landaeta

* New upstream release.
  - Addresses security issue: CVE-2013-2071
* Refresh patches:
  - 0015_disable_test_TestCometProcessor.patch

25. By James Page

* Fix FTBFS due to expired test certificates (LP: #1166187):
  - d/keystores/*.jks: Newer keystores from upstream 7.0.39.
  - d/rules: Install newer keystores for testing, tidy up after use.
  - d/p/0018-update-test-certificates.patch: Cherry picked fixes from
    upstream VCS to update text based certificates.

24. By James Page

Switch from Commons DBCP to Tomcat JDBC Pool as default connection
pool implementation (Closes: #701023).

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp:ubuntu/utopic/tomcat7