ubuntu/+source/tomcat6:applied/debian/wheezy

Last commit made on 2016-06-05
Get this branch:
git clone -b applied/debian/wheezy https://git.launchpad.net/ubuntu/+source/tomcat6

Branch information

Name:
applied/debian/wheezy
Repository:
lp:ubuntu/+source/tomcat6

Recent commits

30e0e02... by Markus Koschany <email address hidden> on 2016-03-16

Import patches-applied version 6.0.45+dfsg-1~deb7u1 to applied/debian/wheezy

Imported using git-ubuntu import.

Changelog parent: 4d391b01ca45250001a30523e7913c89ed2186f6
Unapplied parent: aaece1a3379ac86b12a244c15ab87a92811c9b85

New changelog entries:
  * Team upload.
  * The full list of changes between 6.0.35 (the version previously available
    in Wheezy) and 6.0.45 can be seen in the upstream changelog, which is
    available online at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
  * This update fixes the following security issues:
    - CVE-2014-0033: prevent remote attackers from conducting session
      fixation attacks via crafted URLs.
    - CVE-2014-0119: Fix not properly constraining class loader that accesses
      the XML parser used with an XSLT stylesheet which allowed remote
      attackers to read arbitrary files via crafted web applications.
    - CVE-2014-0099: Fix integer overflow in
      java/org/apache/tomcat/util/buf/Ascii.java.
    - CVE-2014-0096: Properly restrict XSLT stylesheets that allowed remote
      attackers to bypass security-manager restrictions.
    - CVE-2014-0075: Fix integer overflow in the parseChunkHeader function in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2013-4590: prevent "Tomcat internals" information leaks.
    - CVE-2013-4322: prevent remote attackers from doing denial of service
      attacks.
    - CVE-2013-4286: reject requests with multiple content-length headers or
      with a content-length header when chunked encoding is being used.
    - Avoid CVE-2013-1571 when generating Javadoc.
  * CVE-2014-0227.patch:
    - Add error flag to allow subsequent attempts at reading after an error to
      fail fast.
  * CVE-2014-0230: Add support for maxSwallowSize.
  * CVE-2014-7810:
    - Fix potential BeanELResolver issue when running under a security manager.
      Some classes may not be accessible but may have accessible interfaces.
  * CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
  * CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
    processes redirects before considering security constraints and Filters.
  * CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
    org.apache.catalina.manager.StatusManagerServlet on the
    org/apache/catalina/core/RestrictedServlets.properties list which allows
    remote authenticated users to bypass intended SecurityManager
    restrictions.
  * CVE-2016-0714: The session-persistence implementation in Apache Tomcat
    before 6.0.45 mishandles session attributes, which allows remote
    authenticated users to bypass intended SecurityManager restrictions.
  * CVE-2016-0763: The setGlobalContext method in
    org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
    not consider whether ResourceLinkFactory.setGlobalContext callers are
    authorized, which allows remote authenticated users to bypass intended
    SecurityManager restrictions and read or write to arbitrary application
    data, or cause a denial of service (application disruption), via a web
    application that sets a crafted global context.
  * CVE-2015-5351: The Manager and Host Manager applications in
    Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
    requests, which allows remote attackers to bypass a CSRF protection
    mechanism by using a token.
  * Drop the following patches. Applied upstream.
    - 0011-CVE-2012-0022-regression-fix.patch
    - 0012-CVE-2012-3544.patch
    - 0014-CVE-2012-4534.patch
    - 0015-CVE-2012-4431.patch
    - 0016-CVE-2012-3546.patch
    - 0017-CVE-2013-2067.patch
    - cve-2012-2733.patch
    - cve-2012-3439.patch
    - CVE-2014-0227.patch
    - CVE-2014-0230.patch
    - CVE-2014-7810-1.patch
    - CVE-2014-7810-2.patch
    - 0011-Fix-for-NoSuchElementException-when-an-attribute-has.patch

aaece1a... by Markus Koschany <email address hidden> on 2016-03-16

[PATCH] Use java.security.policy file in catalina.sh

Gbp-Pq: 0010-Use-java.security.policy-file-in-catalina.sh.patch.

6ff766e... by Markus Koschany <email address hidden> on 2016-03-16

[PATCH] add OSGI headers to jsp-api

Gbp-Pq: 0008-add-OSGI-headers-to-jsp-api.patch.

2fe88fd... by Markus Koschany <email address hidden> on 2016-03-16

[PATCH] add OSGi headers to servlet-api

Gbp-Pq: 0007-add-OSGi-headers-to-servlet-api.patch.

439d7a2... by Markus Koschany <email address hidden> on 2016-03-16

[PATCH] add JARs below /var to class loader

Gbp-Pq: 0006-add-JARs-below-var-to-class-loader.patch.

378e263... by Markus Koschany <email address hidden> on 2016-03-16

[PATCH] change default DBCP factory class

Gbp-Pq: 0005-change-default-DBCP-factory-class.patch.

9629650... by Markus Koschany <email address hidden> on 2016-03-16

[PATCH] split deploy-webapps target from deploy target

Gbp-Pq: 0004-split-deploy-webapps-target-from-deploy-target.patch.

5da9057... by Markus Koschany <email address hidden> on 2016-03-16

[PATCH] disable APR library loading

Gbp-Pq: 0003-disable-APR-library-loading.patch.

41df45b... by Markus Koschany <email address hidden> on 2016-03-16

[PATCH] do not load AJP13 connector by default

Gbp-Pq: 0002-do-not-load-AJP13-connector-by-default.patch.

7ac02ff... by Markus Koschany <email address hidden> on 2016-03-16

[PATCH] set UTF-8 as default character encoding

Gbp-Pq: 0001-set-UTF-8-as-default-character-encoding.patch.