Last commit made on 2016-06-05
Get this branch:
git clone -b debian/wheezy https://git.launchpad.net/ubuntu/+source/tomcat6

Recent commits

49ff6e4... by Markus Koschany on 2016-03-16

Import patches-unapplied version 6.0.45+dfsg-1~deb7u1 to debian/wheezy

Imported using git-ubuntu import.

Changelog parent: 467cbd7632b76c09f7d938e2a0e2b3ca62af5239

New changelog entries:
  * Team upload.
  * The full list of changes between 6.0.35 (the version previously available
    in Wheezy) and 6.0.45 can be seen in the upstream changelog, which is
    available online at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
  * This update fixes the following security issues:
    - CVE-2014-0033: prevent remote attackers from conducting session
      fixation attacks via crafted URLs.
    - CVE-2014-0119: Fix not properly constraining class loader that accesses
      the XML parser used with an XSLT stylesheet which allowed remote
      attackers to read arbitrary files via crafted web applications.
    - CVE-2014-0099: Fix integer overflow in
    - CVE-2014-0096: Properly restrict XSLT stylesheets that allowed remote
      attackers to bypass security-manager restrictions.
    - CVE-2014-0075: Fix integer overflow in the parseChunkHeader function in
    - CVE-2013-4590: prevent "Tomcat internals" information leaks.
    - CVE-2013-4322: prevent remote attackers from doing denial of service
    - CVE-2013-4286: reject requests with multiple content-length headers or
      with a content-length header when chunked encoding is being used.
    - Avoid CVE-2013-1571 when generating Javadoc.
  * CVE-2014-0227.patch:
    - Add error flag to allow subsequent attempts at reading after an error to
      fail fast.
  * CVE-2014-0230: Add support for maxSwallowSize.
  * CVE-2014-7810:
    - Fix potential BeanELResolver issue when running under a security manager.
      Some classes may not be accessible but may have accessible interfaces.
  * CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
  * CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
    processes redirects before considering security constraints and Filters.
  * CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
    org.apache.catalina.manager.StatusManagerServlet on the
    org/apache/catalina/core/RestrictedServlets.properties list which allows
    remote authenticated users to bypass intended SecurityManager
  * CVE-2016-0714: The session-persistence implementation in Apache Tomcat
    before 6.0.45 mishandles session attributes, which allows remote
    authenticated users to bypass intended SecurityManager restrictions.
  * CVE-2016-0763: The setGlobalContext method in
    org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
    not consider whether ResourceLinkFactory.setGlobalContext callers are
    authorized, which allows remote authenticated users to bypass intended
    SecurityManager restrictions and read or write to arbitrary application
    data, or cause a denial of service (application disruption), via a web
    application that sets a crafted global context.
  * CVE-2015-5351: The Manager and Host Manager applications in
    Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
    requests, which allows remote attackers to bypass a CSRF protection
    mechanism by using a token.
  * Drop the following patches. Applied upstream.
    - 0011-CVE-2012-0022-regression-fix.patch
    - 0012-CVE-2012-3544.patch
    - 0014-CVE-2012-4534.patch
    - 0015-CVE-2012-4431.patch
    - 0016-CVE-2012-3546.patch
    - 0017-CVE-2013-2067.patch
    - cve-2012-2733.patch
    - cve-2012-3439.patch
    - CVE-2014-0227.patch
    - CVE-2014-0230.patch
    - CVE-2014-7810-1.patch
    - CVE-2014-7810-2.patch
    - 0011-Fix-for-NoSuchElementException-when-an-attribute-has.patch

467cbd7... by Moritz Mühlenhoff on 2013-07-17

Import patches-unapplied version 6.0.35-6+deb7u1 to debian/wheezy

Imported using git-ubuntu import.

Changelog parent: e822d41283b7b1463de27afb2ffe24951565ac6b

New changelog entries:
  * CVE-2012-3544, CVE-2013-2067

e822d41... by Tony Mancill on 2012-12-07

Import patches-unapplied version 6.0.35-6 to debian/sid

Imported using git-ubuntu import.

Changelog parent: d00c9f1ebacb01aed9d8eb19f1c3bc0805a88de3

New changelog entries:
  * Acknowledge NMU: 6.0.35-5+nmu1 (Closes: #692440)
    - Thank you to Michael Gilbert.
  * Add patches for the following security issues: (Closes: #695250)
    - CVE-2012-4534, CVE-2012-4431, CVE-2012-3546

d00c9f1... by Michael Gilbert on 2012-11-17

Import patches-unapplied version 6.0.35-5+nmu1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 32ca89b725ef4f08aa0e63a3b2f166179ee6ae79

New changelog entries:
  * Non-maintainer upload.
  * Fix multiple security issues (closes: #692440)
    - cve-2012-2733: denial-of-service by triggering out of memory error.
    - cve-2012-3439: multiple replay attack issues in digest authentication.

32ca89b... by Tony Mancill on 2012-08-07

Import patches-unapplied version 6.0.35-5 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 861aade8a99ecb61218e96ec98133a5776526071

New changelog entries:
  * Apply patch to README.Debian to explain setting the HTTPOnly flag
    in cookies by default; CVE-2010-4312. (Closes: #608286)
    - Thank you to Thijs Kinkhorst for the patch.
  * Use ucf and a template for /etc/logrotate.d/tomcat6 file to avoid
    updating the shipped conffile. (Closes: #687818)

861aade... by Miguel Landaeta on 2012-06-17

Import patches-unapplied version 6.0.35-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b5814ad2b4ae12770412630fce0839f5580fb2c8

New changelog entries:
  [ tony mancill ]
  * Team upload.
  * Apply patch from James Page (Closes: #671373)
    - d/tomcat6-instance-create: Quote access to files and directories
      so that spaces can be used when creating user instances.
    - d/tomcat6.init: Make NAME dynamic, to allow starting multiple
      instances. (Closes: #299635)
  [ Miguel Landaeta ]
  * Add Slovak debconf translation (Closes: #677912).
    - Thanks to Ivan Masár.

b5814ad... by Tony Mancill on 2012-04-14

Import patches-unapplied version 6.0.35-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 16d272edeee58af0118281744f179a86f22bb3e5

New changelog entries:
  [ Miguel Landaeta ]
  * Add Replaces and Conflicts for libservlet2.5-java to overwrite files
    in libservlet2.4-java. (Closes: #666256).
  [ tony mancill ]
  * Add libservlet2.4-java transitional package.
  * Remove /etc/authbind/byuid, /etc/authbind in postrm. (Closes: #668761)
  * Add 0011-CVE-2012-0022-regression-fix.patch. (Closes: #659748)
    - Thank you to Marc Deslauriers

16d272e... by Tony Mancill on 2012-03-29

Import patches-unapplied version 6.0.35-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 20976907001cbebb0bd47a3388dc33ded0eb52cb

New changelog entries:
  [ tony mancill ]
  * Remove Michael Koch from Uploaders. (Closes: #654136)
  * Add Turkish debconf translation (Closes: #664072)
    - Thanks to Atila KOÇ
  * Remove libservlet2.5-doc dependency on libservlet2.5.
  [ Miguel Landaeta ]
  * Bump Standards-Version to 3.9.3. No changes were required.
  * Provide 'debian' version symlink for Maven artifacts. (Closes: #665393).
  [ tony mancill ]

2097690... by Tony Mancill on 2011-12-13

Import patches-unapplied version 6.0.35-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 2f2ebb09c4118908b38813a2fa46fe265b5880e6

New changelog entries:
  [ Miguel Landaeta ]
  * New upstream release.
  * Add myself to Uploaders.
  * Remove 0013-CVE-2011-3190.patch since it was included upstream.
  * Add mh_clean call in clean target.
  * Fix error in debian/rules that caused tomcat to report no version.
    Thanks to Jorge Barreiro for the patch. (Closes: #650656).
  [ tony mancill ]
  * Update Vcs-* fields in debian/control for switch to git.
  * Update to run with openjdk-7 and openjdk-6 when default-jdk is
    not present. (Closes: #651448)
  * Allow java?-runtime-headless to satisfy Depends.
  * Add myself to Uploaders.

2f2ebb0... by Tony Mancill on 2011-11-29

Import patches-unapplied version 6.0.33-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 27454480616454a909a041a24370a892409a59a1

New changelog entries:
  * Team upload.
  * New upstream release.
  * Remove the following patches (included upstream):
    - 0011-623242.patch
    - 0012-CVE-2011-2204.patch
    - 0015-CVE-2011-2526.patch
    - 0014-CVE-2011-1184.patch
  * Add patch for multi-instance startup. CATALINA_HOME no longer
    depends on the instance $NAME. JVM_TMP is now $NAME-specific.
    - Thank you to Julien Wajsberg. (Closes: #644365)
  * Add dependency on JRE to tomcat6-common (Closes: #644340)
  * Modify init script to look for JVM in /usr/lib/jvm/default-java