ubuntu/+source/tomcat6:ubuntu/lucid-devel

Last commit made on 2014-07-30
Get this branch:
git clone -b ubuntu/lucid-devel https://git.launchpad.net/ubuntu/+source/tomcat6
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name:
ubuntu/lucid-devel
Repository:
lp:ubuntu/+source/tomcat6

Recent commits

171b98e... by Marc Deslauriers on 2014-07-24

Import patches-unapplied version 6.0.24-2ubuntu1.16 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 3018a565b3eb61ab2c02a8cea069e40a2bc651af

New changelog entries:
  * SECURITY UPDATE: denial of service via malformed chunk size
    - debian/patches/CVE-2014-0075.patch: fix overflow in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2014-0075
  * SECURITY UPDATE: file disclosure via XXE issue
    - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a
      relative path in conf/web.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/LocalStrings.properties,
      webapps/docs/default-servlet.xml.
    - CVE-2014-0096
  * SECURITY UPDATE: HTTP request smuggling attack via crafted
    Content-Length HTTP header
    - debian/patches/CVE-2014-0099.patch: correctly handle long values in
      java/org/apache/tomcat/util/buf/Ascii.java.
    - CVE-2014-0099

3018a56... by Marc Deslauriers on 2014-03-05

Import patches-unapplied version 6.0.24-2ubuntu1.15 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 2a8dfd17d2c52530049beb8d6e782306b7b5a0c9

New changelog entries:
  * SECURITY UPDATE: request smuggling attack via content-length headers
    - debian/patches/CVE-2013-4286.patch: handle multiple content lengths
      in java/org/apache/coyote/ajp/AbstractAjpProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java, handle content length
      and chunked encoding being both specified in
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/coyote/http11/Http11Processor.java.
    - CVE-2013-4286
  * SECURITY UPDATE: denial of service via chunked transfer coding
    - debian/patches/CVE-2013-4322.patch: limit length of extension data in
      java/org/apache/coyote/Constants.java,
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      webapps/docs/config/systemprops.xml.
    - CVE-2013-4322

2a8dfd1... by Marc Deslauriers on 2013-05-21

Import patches-unapplied version 6.0.24-2ubuntu1.13 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 8ed34103959ce7e7f1200ce1bdcee7c4df409f96

New changelog entries:
  * SECURITY UPDATE: denial of service via chunked transfer encoding
    - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2012-3544
  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID
      in java/org/apache/catalina/authenticator/FormAuthenticator.java.
    - CVE-2013-2067

8ed3410... by Marc Deslauriers on 2013-01-10

Import patches-unapplied version 6.0.24-2ubuntu1.12 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: b3c946d3f03c64339489e2edc2df02147705813c

New changelog entries:
  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534

b3c946d... by Marc Deslauriers on 2012-11-21

Import patches-unapplied version 6.0.24-2ubuntu1.11 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 72911b09c0dc2cb4ff20dc52c07e75d15b08d239

New changelog entries:
  * SECURITY UPDATE: denial of service via large header data
    - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2012-2733
  * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
    - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
      authenticated user in the session by default, track server rather
      than client nonces, better handling of stale nonce values in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java.
    - CVE-2012-3439
    - CVE-2012-5885
    - CVE-2012-5886
    - CVE-2012-5887

72911b0... by Marc Deslauriers on 2012-01-25

Import patches-unapplied version 6.0.24-2ubuntu1.10 to ubuntu/lucid-proposed

Imported using git-ubuntu import.

Changelog parent: 3e2f89f94be90cbbc6ddc0b698c565b4a13d9191

New changelog entries:
  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022

3e2f89f... by Marc Deslauriers on 2011-09-26

Import patches-unapplied version 6.0.24-2ubuntu1.9 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: e1297b4230002a65e0eb9691e80b57b491201ef8

New changelog entries:
  * SECURITY UPDATE: information disclosure via log file
    - debian/patches/0015-CVE-2011-2204.patch: fix logging in
      java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
      java/org/apache/catalina/users/MemoryUserDatabase.java,
      java/org/apache/catalina/users/MemoryUser.java.
    - CVE-2011-2204
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application
    - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
  * SECURITY UPDATE: AJP request spoofing and authentication bypass
    (LP: #843701)
    - debian/patches/0017-CVE-2011-3190.patch: properly handle request
      bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java.
    - CVE-2011-3190
  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184

e1297b4... by Marc Deslauriers on 2011-03-24

Import patches-unapplied version 6.0.24-2ubuntu1.7 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: d62e2b5f44cdcb9df1ebc4cb3b3a91a8df18aaad

New changelog entries:
  * SECURITY UPDATE: directory traversal via incorrect ServletContext
    attribute (LP: #717396)
    - debian/patches/0012-CVE-2010-3718.patch: mark as read only in
      java/org/apache/catalina/core/StandardContext.java.
    - CVE-2010-3718
  * SECURITY UPDATE: cross-site scripting in HTML Manager interface
    - debian/patches/0013-CVE-2011-0013.patch: properly filter values in
      java/org/apache/catalina/manager/{HTMLManagerServlet.java,
      StatusTransformer.java}.
    - CVE-2011-0013
  * SECURITY UPDATE: denial of service via NIO HTTP connector
    (LP: #714239, LP: #717396)
    - debian/patches/0014-CVE-2011-0534.patch: enforce proper size in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2011-0534

d62e2b5... by Marc Deslauriers on 2011-01-13

Import patches-unapplied version 6.0.24-2ubuntu1.6 to ubuntu/lucid-security

Imported using git-ubuntu import.

Changelog parent: 18efd6f07998e7d7389771d62e1092a37bfb5f5d

New changelog entries:
  * SECURITY UPDATE: cross-site scripting in Manager application
    - debian/patches/0011-CVE-2010-4172.patch: add proper escaping to
      java/org/apache/catalina/manager/JspHelper.java,
      webapps/manager/{sessionDetail,sessionsList}.jsp.
    - patch backported from Debian 6.0.28-9 package
    - CVE-2010-4172

18efd6f... by Michael Jeanson on 2010-12-08

Import patches-unapplied version 6.0.24-2ubuntu1.5 to ubuntu/lucid-proposed

Imported using git-ubuntu import.

Changelog parent: 84dfd0855e4a54dd9ca3ed2b083eebb896dd9895

New changelog entries:
  * debian/tomcat6.init: Add missing -p option in start-stop-daemon when
    starting tomcat6 to avoid failing to start due to /bin/bash running
    (LP: #632554)