Last commit made on 2018-10-17
Get this branch:
git clone -b ubuntu/trusty-devel https://git.launchpad.net/ubuntu/+source/tomcat6

Recent commits

773e08f... by Eduardo dos Santos Barretto on 2018-10-11

Import patches-unapplied version 6.0.39-1ubuntu0.1 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 9a275391aa32a30784e2452e9f971a1fe82e1319

New changelog entries:
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2014-0075.patch: Fix integer overflow in the
      parseChunkHeader function in
    - CVE-2014-0075
  * SECURITY UPDATE: Bypass security-manager restrictions and read
    arbitrary files via a crafted web application that provides an XML
    external entity declaration in conjunction with an entity reference.
    - debian/patches/CVE-2014-0096.patch: Properly restrict XSLT
    - CVE-2014-0096
  * SECURITY UPDATE: Fix integer overflow.
    - debian/patches/CVE-2014-0099.patch: Fix in
    - CVE-2014-0099
  * SECURITY UPDATE: Read arbitrary files via a crafted web application
    that provides an XML external entity declaration in conjunction with
    an entity reference.
    - debian/patches/CVE-2014-0119-1.patch: fix in SecurityClassLoad.java
      and DefaultServlet.java
    - debian/patches/CVE-2014-0119-2.patch: fix in TldConfig.java
    - debian/patches/CVE-2014-0119-3.patch: fix in multiple files
    - CVE-2014-0119
  * SECURITY UPDATE: Add error flag to allow subsequent attempts at
    reading after an error to fail fast.
    - debian/patches/CVE-2014-0227.patch: fix in ChunkedInputFilter.java
    - CVE-2014-0227
  * SECURITY UPDATE: DoS (thread consumption) via a series of aborted
    upload attempts.
    - debian/patches/CVE-2014-0230.patch: add support for maxSwallowSize
    - CVE-2014-0230
  * SECURITY UPDATE: Bypass a SecurityManager protection mechanism via a
    web application that leverages use of incorrect privileges during EL
    - debian/patches/CVE-2014-7810-1.patch: fix in BeanELResolver.java
    - debian/patches/CVE-2014-7810-2.patch: fix in PageContextImpl.java
      and SecurityClassLoad.java
    - CVE-2014-7810
  * SECURITY UPDATE: Directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix in RequestUtil.java
    - CVE-2015-5174
  * SECURITY UPDATE: Remote attackers can determine the existence of a
    directory via a URL that lacks a trailing slash character.
    - debian/patches/CVE-2015-5345-1.patch: fix in multiple files
    - debian/patches/CVE-2015-5345-2.patch: fix in multiple files
    - CVE-2015-5345
  * SECURITY UPDATE: Bypass CSRF protection mechanism by using a token.
    - debian/patches/CVE-2015-5351-1.patch: fix in manager application
    - debian/patches/CVE-2015-5351-2.patch: fix in host-manager
    - CVE-2015-5351
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    read arbitrary HTTP requests, and consequently discover session ID
    values, via a crafted web application.
    - debian/patches/CVE-2016-0706.patch: fix in
    - CVE-2016-0706
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    execute arbitrary code in a privileged context via a web application
    that places a crafted object in a session.
    - debian/patches/CVE-2016-0714-1.patch: fix in multiple files.
    - debian/patches/CVE-2016-0714-2.patch: fix in multiple files.
    - CVE-2016-0714
  * SECURITY UPDATE: Possible to determine valid user names.
    - debian/patches/CVE-2016-0762.patch: fix in MemoryRealm.java and
    - CVE-2016-0762
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    read or write to arbitrary application data, or cause a denial of
    service (application disruption), via a web application that sets
    a crafted global context.
    - debian/patches/CVE-2016-0763.patch: fix in ResourceLinkFactory.java
    - CVE-2016-0763
  * SECURITY UPDATE: Access to the tomcat account to gain root privileges
    via a symlink attack on the Catalina log file.
    - debian/tomcat6.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240

9a27539... by Emmanuel Bourg on 2014-02-16

Import patches-unapplied version 6.0.39-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ce537e10f2c2627c2b41ca1b64be98cf61cd2d93

New changelog entries:
  * Team upload.
  * New upstream release.
    - Refreshed the patches
  * Standards-Version updated to 3.9.5 (no changes)
  * Switch to debhelper level 9
  * Use XZ compression for the upstream tarball
  * Use canonical URL for the Vcs-Git field

ce537e1... by Tony Mancill on 2013-08-04

Import patches-unapplied version 6.0.37-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 12f003fbf61503009ca78e513a97d70ed34dc9df

New changelog entries:
  * New upstream release.
    - Drop patches for CVE-2012-4534, CVE-2012-4431, CVE-2012-3546,
      CVE-2012-2733, CVE-2012-3439
    - Drop 0011-CVE-02012-0022-regression-fix.patch
    - Drop 0017-eclipse-compiler-update.patch
  * Freshened remaining patches.

12f003f... by Stephen Nelson on 2013-07-30

Import patches-unapplied version 6.0.35-7 to debian/sid

Imported using git-ubuntu import.

Changelog parent: e822d41283b7b1463de27afb2ffe24951565ac6b

New changelog entries:
  * Team upload.
  * Fixed the watch file
  * Fix FTBFS with ecj 3.8 (closes: #717279, #713796)
  * Updated the standards version to 3.9.4 - no changes
  * Updated the Vcs-Git field to the canonical url

e822d41... by Tony Mancill on 2012-12-07

Import patches-unapplied version 6.0.35-6 to debian/sid

Imported using git-ubuntu import.

Changelog parent: d00c9f1ebacb01aed9d8eb19f1c3bc0805a88de3

New changelog entries:
  * Acknowledge NMU: 6.0.35-5+nmu1 (Closes: #692440)
    - Thank you to Michael Gilbert.
  * Add patches for the following security issues: (Closes: #695250)
    - CVE-2012-4534, CVE-2012-4431, CVE-2012-3546

d00c9f1... by Michael Gilbert on 2012-11-17

Import patches-unapplied version 6.0.35-5+nmu1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 32ca89b725ef4f08aa0e63a3b2f166179ee6ae79

New changelog entries:
  * Non-maintainer upload.
  * Fix multiple security issues (closes: #692440)
    - cve-2012-2733: denial-of-service by triggering out of memory error.
    - cve-2012-3439: multiple replay attack issues in digest authentication.

32ca89b... by Tony Mancill on 2012-08-07

Import patches-unapplied version 6.0.35-5 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 861aade8a99ecb61218e96ec98133a5776526071

New changelog entries:
  * Apply patch to README.Debian to explain setting the HTTPOnly flag
    in cookies by default; CVE-2010-4312. (Closes: #608286)
    - Thank you to Thijs Kinkhorst for the patch.
  * Use ucf and a template for /etc/logrotate.d/tomcat6 file to avoid
    updating the shipped conffile. (Closes: #687818)

861aade... by Miguel Landaeta on 2012-06-17

Import patches-unapplied version 6.0.35-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b5814ad2b4ae12770412630fce0839f5580fb2c8

New changelog entries:
  [ tony mancill ]
  * Team upload.
  * Apply patch from James Page (Closes: #671373)
    - d/tomcat6-instance-create: Quote access to files and directories
      so that spaces can be used when creating user instances.
    - d/tomcat6.init: Make NAME dynamic, to allow starting multiple
      instances. (Closes: #299635)
  [ Miguel Landaeta ]
  * Add Slovak debconf translation (Closes: #677912).
    - Thanks to Ivan Masár.

b5814ad... by Tony Mancill on 2012-04-14

Import patches-unapplied version 6.0.35-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 16d272edeee58af0118281744f179a86f22bb3e5

New changelog entries:
  [ Miguel Landaeta ]
  * Add Replaces and Conflicts for libservlet2.5-java to overwrite files
    in libservlet2.4-java. (Closes: #666256).
  [ tony mancill ]
  * Add libservlet2.4-java transitional package.
  * Remove /etc/authbind/byuid, /etc/authbind in postrm. (Closes: #668761)
  * Add 0011-CVE-2012-0022-regression-fix.patch. (Closes: #659748)
    - Thank you to Marc Deslauriers

16d272e... by Tony Mancill on 2012-03-29

Import patches-unapplied version 6.0.35-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 20976907001cbebb0bd47a3388dc33ded0eb52cb

New changelog entries:
  [ tony mancill ]
  * Remove Michael Koch from Uploaders. (Closes: #654136)
  * Add Turkish debconf translation (Closes: #664072)
    - Thanks to Atila KOÇ
  * Remove libservlet2.5-doc dependency on libservlet2.5.
  [ Miguel Landaeta ]
  * Bump Standards-Version to 3.9.3. No changes were required.
  * Provide 'debian' version symlink for Maven artifacts. (Closes: #665393).
  [ tony mancill ]