ubuntu/+source/tomcat6:applied/debian/sid

Last commit made on 2016-02-27
Get this branch:
git clone -b applied/debian/sid https://git.launchpad.net/ubuntu/+source/tomcat6
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name: applied/debian/sid
Repository: lp:ubuntu/+source/tomcat6

Recent commits

4efcb92... by Markus Koschany <email address hidden> on 2016-02-27

Import patches-applied version 6.0.45+dfsg-1 to applied/debian/sid

Imported using git-ubuntu import.

Changelog parent: 46c7f69f26478e966a06e2a803fe8f5d9b296807
Unapplied parent: 596c2ba16f6ae62920ff80d4f59f246f4e11eeb8

New changelog entries:
  * Team upload.
  * Imported Upstream version 6.0.45+dfsg.
    - Remove all prebuilt jar files.
  * Declare compliance with Debian Policy 3.9.7.
  * Vcs-fields: Use https.
  * This update fixes the following security vulnerabilities in the source
    package. Since src:tomcat6 only builds libservlet2.5-java and
    documentation, users are not directly affected.
    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
      processes redirects before considering security constraints and Filters.
    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
      org.apache.catalina.manager.StatusManagerServlet on the
      org/apache/catalina/core/RestrictedServlets.properties list which allows
      remote authenticated users to bypass intended SecurityManager
      restrictions.
    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
      before 6.0.45 mishandles session attributes, which allows remote
      authenticated users to bypass intended SecurityManager restrictions.
    - CVE-2016-0763: The setGlobalContext method in
      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
      not consider whether ResourceLinkFactory.setGlobalContext callers are
      authorized, which allows remote authenticated users to bypass intended
      SecurityManager restrictions and read or write to arbitrary application
      data, or cause a denial of service (application disruption), via a web
      application that sets a crafted global context.
    - CVE-2015-5351: The Manager and Host Manager applications in
      Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
      requests, which allows remote attackers to bypass a CSRF protection
      mechanism by using a token.

596c2ba... by Markus Koschany <email address hidden> on 2016-02-27

[PATCH] Use java.security.policy file in catalina.sh

Gbp-Pq: 0010-Use-java.security.policy-file-in-catalina.sh.patch.

470fc2f... by Markus Koschany <email address hidden> on 2016-02-27

[PATCH] add OSGI headers to jsp-api

Gbp-Pq: 0008-add-OSGI-headers-to-jsp-api.patch.

d878a5c... by Markus Koschany <email address hidden> on 2016-02-27

[PATCH] add OSGi headers to servlet-api

Gbp-Pq: 0007-add-OSGi-headers-to-servlet-api.patch.

7d8cbaf... by Markus Koschany <email address hidden> on 2016-02-27

[PATCH] add JARs below /var to class loader

Gbp-Pq: 0006-add-JARs-below-var-to-class-loader.patch.

be74eaa... by Markus Koschany <email address hidden> on 2016-02-27

[PATCH] change default DBCP factory class

Gbp-Pq: 0005-change-default-DBCP-factory-class.patch.

c1ebe2b... by Markus Koschany <email address hidden> on 2016-02-27

[PATCH] split deploy-webapps target from deploy target

Gbp-Pq: 0004-split-deploy-webapps-target-from-deploy-target.patch.

d96ad94... by Markus Koschany <email address hidden> on 2016-02-27

[PATCH] disable APR library loading

Gbp-Pq: 0003-disable-APR-library-loading.patch.

5e0b3e6... by Markus Koschany <email address hidden> on 2016-02-27

[PATCH] do not load AJP13 connector by default

Gbp-Pq: 0002-do-not-load-AJP13-connector-by-default.patch.

ba3edeb... by Markus Koschany <email address hidden> on 2016-02-27

[PATCH] set UTF-8 as default character encoding

Gbp-Pq: 0001-set-UTF-8-as-default-character-encoding.patch.