ubuntu/+source/tomcat6:ubuntu/precise-updates

Last commit made on 2017-02-20
Get this branch:
git clone -b ubuntu/precise-updates https://git.launchpad.net/ubuntu/+source/tomcat6
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information

Name:
ubuntu/precise-updates
Repository:
lp:ubuntu/+source/tomcat6

Recent commits

40529c0... by Marc Deslauriers on 2017-02-17

Import patches-unapplied version 6.0.35-1ubuntu3.11 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 858e9091dbe32131e4576f734d9c601c6fd04985

New changelog entries:
  * SECURITY UPDATE: possible DoS via CPU consumption (LP: #1663318)
    - debian/patches/CVE-2017-6056.patch: fix infinite loop in
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2017-6056

858e909... by Marc Deslauriers on 2017-02-01

Import patches-unapplied version 6.0.35-1ubuntu3.10 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 8325fda1d61df33fea745b7aad67ae8a75184bf7

New changelog entries:
  * SECURITY REGRESSION: security manager startup issue (LP: #1659589)
    - debian/patches/0010-Use-java.security.policy-file-in-catalina.sh.patch:
      update to new /var/lib/tomcat6/policy location.
    - debian/tomcat6.postrm: remove policy directory.

8325fda... by Marc Deslauriers on 2017-01-19

Import patches-unapplied version 6.0.35-1ubuntu3.9 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 8326a24549f0477e753c74e2d3c843b40ed25970

New changelog entries:
  * SECURITY UPDATE: timing attack in realm implementations
    - debian/patches/CVE-2016-0762.patch: add time delays to
      java/org/apache/catalina/realm/MemoryRealm.java,
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2016-0762
  * SECURITY UPDATE: SecurityManager bypass via a utility method
    - debian/patches/CVE-2016-5018.patch: remove unnecessary code in
      java/org/apache/jasper/compiler/JspRuntimeContext.java,
      java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2016-5018
  * SECURITY UPDATE: mitigaton for httpoxy issue
    - debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization
      parameter to conf/web.xml, webapps/docs/cgi-howto.xml,
      java/org/apache/catalina/servlets/CGIServlet.java.
    - CVE-2016-5388
  * SECURITY UPDATE: system properties read SecurityManager bypass
    - debian/patches/CVE-2016-6794.patch: extend SecurityManager protection
      to the system property replacement feature of the digester in
      java/org/apache/catalina/loader/WebappClassLoader.java,
      java/org/apache/tomcat/util/digester/Digester.java,
      java/org/apache/tomcat/util/security/PermissionCheck.java.
    - CVE-2016-6794
  * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
    parameters
    - debian/patches/CVE-2016-6796.patch: ignore some JSP options when
      running under a SecurityManager in conf/web.xml,
      java/org/apache/jasper/EmbeddedServletOptions.java,
      java/org/apache/jasper/resources/LocalStrings.properties,
      java/org/apache/jasper/servlet/JspServlet.java,
      webapps/docs/jasper-howto.xml.
    - CVE-2016-6796
  * SECURITY UPDATE: web application global JNDI resource access
    - debian/patches/CVE-2016-6797.patch: ensure that the global resource
      is only visible via the ResourceLinkFactory when it is meant to be in
      java/org/apache/catalina/core/NamingContextListener.java,
      java/org/apache/naming/factory/ResourceLinkFactory.java.
    - CVE-2016-6797
  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid
      characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/InternalNioInputBuffer.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
      credential types in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when unable
      to complete sendfile request in
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat6.postinst: properly set permissions on
      /etc/tomcat7/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat6.postrm.in: don't reset permissions before removing
      user.
    - CVE-2016-9775
  * debian/tomcat6.init: further hardening.

8326a24... by Marc Deslauriers on 2016-09-16

Import patches-unapplied version 6.0.35-1ubuntu3.8 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 39e5dfa56961ddbe7a869f5fd6e734557822b4db

New changelog entries:
  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat6.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240
  * SECURITY REGRESSION: change in behaviour after security update
    - debian/patches/CVE-2015-5345-2.patch: change
      mapperContextRootRedirectEnabled default to true in
      java/org/apache/catalina/core/StandardContext.java,
      webapps/docs/config/context.xml. This reverts the change in behaviour
      following the CVE-2015-5345 security update and was also done
      upstream in later releases.

39e5dfa... by Marc Deslauriers on 2016-06-29

Import patches-unapplied version 6.0.35-1ubuntu3.7 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: df3ad80aba4cbff644525b970b56ff79f1e2b0de

New changelog entries:
  * SECURITY UPDATE: directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix normalization edge cases in
      java/org/apache/tomcat/util/http/RequestUtil.java.
    - CVE-2015-5174
  * SECURITY UPDATE: information disclosure via redirects by mapper
    - debian/patches/CVE-2015-5345.patch: fix redirect logic in
      java/org/apache/catalina/Context.java,
      java/org/apache/catalina/authenticator/FormAuthenticator.java,
      java/org/apache/catalina/connector/MapperListener.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/mbeans-descriptors.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/WebdavServlet.java,
      java/org/apache/tomcat/util/http/mapper/Mapper.java,
      webapps/docs/config/context.xml.
    - CVE-2015-5345
  * SECURITY UPDATE: securityManager restrictions bypass via
    StatusManagerServlet
    - debian/patches/CVE-2016-0706.patch: place servlet in restricted list
      in java/org/apache/catalina/core/RestrictedServlets.properties.
    - CVE-2016-0706
  * SECURITY UPDATE: securityManager restrictions bypass via
    session-persistence implementation
    - debian/patches/CVE-2016-0714.patch: extend the session attribute
      filtering options in
      java/org/apache/catalina/ha/session/mbeans-descriptors.xml,
      java/org/apache/catalina/session/LocalStrings.properties,
      java/org/apache/catalina/session/ManagerBase.java,
      java/org/apache/catalina/session/mbeans-descriptors.xml,
      webapps/docs/config/cluster-manager.xml,
      webapps/docs/config/manager.xml,
      java/org/apache/catalina/session/StandardManager.java,
      java/org/apache/catalina/util/CustomObjectInputStream.java.
    - CVE-2016-0714
  * SECURITY UPDATE: securityManager restrictions bypass via crafted global
    context
    - debian/patches/CVE-2016-0763.patch: protect initialization in
      java/org/apache/naming/factory/ResourceLinkFactory.java.
    - CVE-2016-0763
  * SECURITY UPDATE: denial of service in FileUpload
    - debian/patches/CVE-2016-3092.patch: properly handle size in
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2016-3092

df3ad80... by Marc Deslauriers on 2015-06-22

Import patches-unapplied version 6.0.35-1ubuntu3.6 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 671acbad81fec5cc355c827e9f895b19bb1fde9b

New changelog entries:
  * SECURITY UPDATE: HTTP request smuggling or denial of service via
    streaming with malformed chunked transfer encoding (LP: #1449975)
    - debian/patches/CVE-2014-0227.patch: add error flag and improve i18n
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      java/org/apache/coyote/http11/filters/LocalStrings.properties.
    - CVE-2014-0227
  * SECURITY UPDATE: denial of service via aborted upload attempts
    (LP: #1449975)
    - debian/patches/CVE-2014-0230.patch: limit amount of data in
      java/org/apache/coyote/Constants.java,
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      java/org/apache/coyote/http11/filters/IdentityInputFilter.java,
      java/org/apache/coyote/http11/filters/LocalStrings.properties,
      webapps/docs/config/systemprops.xml.
    - CVE-2014-0230
  * SECURITY UPDATE: SecurityManager bypass via Expression Language
    - debian/patches/CVE-2014-7810.patch: handle classes that may not be
      accessible but have accessible interfaces in
      java/javax/el/BeanELResolver.java, remove unnecessary code in
      java/org/apache/jasper/runtime/PageContextImpl.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2014-7810

671acba... by Marc Deslauriers on 2014-07-24

Import patches-unapplied version 6.0.35-1ubuntu3.5 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: a1410cda72d1473a0540406a1cde97aa698f843c

New changelog entries:
  * SECURITY UPDATE: denial of service via malformed chunk size
    - debian/patches/CVE-2014-0075.patch: fix overflow in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2014-0075
  * SECURITY UPDATE: file disclosure via XXE issue
    - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a
      relative path in conf/web.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/LocalStrings.properties,
      webapps/docs/default-servlet.xml.
    - CVE-2014-0096
  * SECURITY UPDATE: HTTP request smuggling attack via crafted
    Content-Length HTTP header
    - debian/patches/CVE-2014-0099.patch: correctly handle long values in
      java/org/apache/tomcat/util/buf/Ascii.java.
    - CVE-2014-0099

a1410cd... by Marc Deslauriers on 2014-03-04

Import patches-unapplied version 6.0.35-1ubuntu3.4 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: bafe3c3e9c8f7ead8c905bc8816a04435c5069b1

New changelog entries:
  * SECURITY UPDATE: request smuggling attack via content-length headers
    - debian/patches/CVE-2013-4286.patch: handle multiple content lengths
      in java/org/apache/coyote/ajp/AbstractAjpProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java, handle content length
      and chunked encoding being both specified in
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/coyote/http11/Http11Processor.java.
    - CVE-2013-4286
  * SECURITY UPDATE: denial of service via chunked transfer coding
    - debian/patches/CVE-2013-4322.patch: limit length of extension data in
      java/org/apache/coyote/Constants.java,
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      webapps/docs/config/systemprops.xml.
    - CVE-2013-4322
  * SECURITY UPDATE: session fixation attack via crafted URL
    - debian/patches/CVE-2014-0033.patch: properly handle
      disableURLRewriting in
      java/org/apache/catalina/connector/CoyoteAdapter.java.
    - CVE-2014-0033

bafe3c3... by Marc Deslauriers on 2013-05-21

Import patches-unapplied version 6.0.35-1ubuntu3.3 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 6731a0ac3889f313b34128a3c693acc9cf9c6cec

New changelog entries:
  * SECURITY UPDATE: denial of service via chunked transfer encoding
    - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2012-3544
  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID
      in java/org/apache/catalina/authenticator/FormAuthenticator.java.
    - CVE-2013-2067

6731a0a... by Marc Deslauriers on 2013-01-10

Import patches-unapplied version 6.0.35-1ubuntu3.2 to ubuntu/precise-security

Imported using git-ubuntu import.

Changelog parent: 154e7efde31f9f436c2a57715063a241bcbade1b

New changelog entries:
  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534