ubuntu/+source/tomcat6:ubuntu/trusty-security

Last commit made on 2018-10-17
Get this branch:
git clone -b ubuntu/trusty-security https://git.launchpad.net/ubuntu/+source/tomcat6
Branch information

Name:
ubuntu/trusty-security
Repository:
lp:ubuntu/+source/tomcat6

Recent commits

773e08f... by Eduardo dos Santos Barretto on 2018-10-11

Import patches-unapplied version 6.0.39-1ubuntu0.1 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 9a275391aa32a30784e2452e9f971a1fe82e1319

New changelog entries:
  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2014-0075.patch: Fix integer overflow in the
      parseChunkHeader function in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
    - CVE-2014-0075
  * SECURITY UPDATE: Bypass security-manager restrictions and read
    arbitrary files via a crafted web application that provides an XML
    external entity declaration in conjunction with an entity reference.
    - debian/patches/CVE-2014-0096.patch: Properly restrict XSLT
      stylesheets
    - CVE-2014-0096
  * SECURITY UPDATE: Fix integer overflow.
    - debian/patches/CVE-2014-0099.patch: Fix in
      java/org/apache/tomcat/util/buf/Ascii.java
    - CVE-2014-0099
  * SECURITY UPDATE: Read arbitrary files via a crafted web application
    that provides an XML external entity declaration in conjunction with
    an entity reference.
    - debian/patches/CVE-2014-0119-1.patch: fix in SecurityClassLoad.java
      and DefaultServlet.java
    - debian/patches/CVE-2014-0119-2.patch: fix in TldConfig.java
    - debian/patches/CVE-2014-0119-3.patch: fix in multiple files
    - CVE-2014-0119
  * SECURITY UPDATE: Add error flag to allow subsequent attempts at
    reading after an error to fail fast.
    - debian/patches/CVE-2014-0227.patch: fix in ChunkedInputFilter.java
    - CVE-2014-0227
  * SECURITY UPDATE: DoS (thread consumption) via a series of aborted
    upload attempts.
    - debian/patches/CVE-2014-0230.patch: add support for maxSwallowSize
    - CVE-2014-0230
  * SECURITY UPDATE: Bypass a SecurityManager protection mechanism via a
    web application that leverages use of incorrect privileges during EL
    evaluation.
    - debian/patches/CVE-2014-7810-1.patch: fix in BeanELResolver.java
    - debian/patches/CVE-2014-7810-2.patch: fix in PageContextImpl.java
      and SecurityClassLoad.java
    - CVE-2014-7810
  * SECURITY UPDATE: Directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix in RequestUtil.java
    - CVE-2015-5174
  * SECURITY UPDATE: Remote attackers can determine the existence of a
    directory via a URL that lacks a trailing slash character.
    - debian/patches/CVE-2015-5345-1.patch: fix in multiple files
    - debian/patches/CVE-2015-5345-2.patch: fix in multiple files
    - CVE-2015-5345
  * SECURITY UPDATE: Bypass CSRF protection mechanism by using a token.
    - debian/patches/CVE-2015-5351-1.patch: fix in manager application
    - debian/patches/CVE-2015-5351-2.patch: fix in host-manager
      application
    - CVE-2015-5351
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    read arbitrary HTTP requests, and consequently discover session ID
    values, via a crafted web application.
    - debian/patches/CVE-2016-0706.patch: fix in
      RestrictedServlets.properties
    - CVE-2016-0706
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    execute arbitrary code in a privileged context via a web application
    that places a crafted object in a session.
    - debian/patches/CVE-2016-0714-1.patch: fix in multiple files.
    - debian/patches/CVE-2016-0714-2.patch: fix in multiple files.
    - CVE-2016-0714
  * SECURITY UPDATE: Possible to determine valid user names.
    - debian/patches/CVE-2016-0762.patch: fix in MemoryRealm.java and
      RealmBase.java
    - CVE-2016-0762
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and
    read or write to arbitrary application data, or cause a denial of
    service (application disruption), via a web application that sets
    a crafted global context.
    - debian/patches/CVE-2016-0763.patch: fix in ResourceLinkFactory.java
    - CVE-2016-0763
  * SECURITY UPDATE: Access to the tomcat account to gain root privileges
    via a symlink attack on the Catalina log file.
    - debian/tomcat6.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240

9a27539... by Emmanuel Bourg on 2014-02-16

Import patches-unapplied version 6.0.39-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ce537e10f2c2627c2b41ca1b64be98cf61cd2d93

New changelog entries:
  * Team upload.
  * New upstream release.
    - Refreshed the patches
  * Standards-Version updated to 3.9.5 (no changes)
  * Switch to debhelper level 9
  * Use XZ compression for the upstream tarball
  * Use canonical URL for the Vcs-Git field

ce537e1... by Tony Mancill on 2013-08-04

Import patches-unapplied version 6.0.37-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 12f003fbf61503009ca78e513a97d70ed34dc9df

New changelog entries:
  * New upstream release.
    - Drop patches for CVE-2012-4534, CVE-2012-4431, CVE-2012-3546,
      CVE-2012-2733, CVE-2012-3439
    - Drop 0011-CVE-02012-0022-regression-fix.patch
    - Drop 0017-eclipse-compiler-update.patch
  * Freshened remaining patches.

12f003f... by Stephen Nelson on 2013-07-30

Import patches-unapplied version 6.0.35-7 to debian/sid

Imported using git-ubuntu import.

Changelog parent: e822d41283b7b1463de27afb2ffe24951565ac6b

New changelog entries:
  * Team upload.
  * Fixed the watch file
  * Fix FTBFS with ecj 3.8 (closes: #717279, #713796)
  * Updated the standards version to 3.9.4 - no changes
  * Updated the Vcs-Git field to the canonical url

e822d41... by Tony Mancill on 2012-12-07

Import patches-unapplied version 6.0.35-6 to debian/sid

Imported using git-ubuntu import.

Changelog parent: d00c9f1ebacb01aed9d8eb19f1c3bc0805a88de3

New changelog entries:
  * Acknowledge NMU: 6.0.35-5+nmu1 (Closes: #692440)
    - Thank you to Michael Gilbert.
  * Add patches for the following security issues: (Closes: #695250)
    - CVE-2012-4534, CVE-2012-4431, CVE-2012-3546

d00c9f1... by Michael Gilbert on 2012-11-17

Import patches-unapplied version 6.0.35-5+nmu1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 32ca89b725ef4f08aa0e63a3b2f166179ee6ae79

New changelog entries:
  * Non-maintainer upload.
  * Fix multiple security issues (closes: #692440)
    - cve-2012-2733: denial-of-service by triggering out of memory error.
    - cve-2012-3439: multiple replay attack issues in digest authentication.

32ca89b... by Tony Mancill on 2012-08-07

Import patches-unapplied version 6.0.35-5 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 861aade8a99ecb61218e96ec98133a5776526071

New changelog entries:
  * Apply patch to README.Debian to explain setting the HTTPOnly flag
    in cookies by default; CVE-2010-4312. (Closes: #608286)
    - Thank you to Thijs Kinkhorst for the patch.
  * Use ucf and a template for /etc/logrotate.d/tomcat6 file to avoid
    updating the shipped conffile. (Closes: #687818)

861aade... by Miguel Landaeta on 2012-06-17

Import patches-unapplied version 6.0.35-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b5814ad2b4ae12770412630fce0839f5580fb2c8

New changelog entries:
  [ tony mancill ]
  * Team upload.
  * Apply patch from James Page (Closes: #671373)
    - d/tomcat6-instance-create: Quote access to files and directories
      so that spaces can be used when creating user instances.
    - d/tomcat6.init: Make NAME dynamic, to allow starting multiple
      instances. (Closes: #299635)
  [ Miguel Landaeta ]
  * Add Slovak debconf translation (Closes: #677912).
    - Thanks to Ivan Masár.

b5814ad... by Tony Mancill on 2012-04-14

Import patches-unapplied version 6.0.35-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 16d272edeee58af0118281744f179a86f22bb3e5

New changelog entries:
  [ Miguel Landaeta ]
  * Add Replaces and Conflicts for libservlet2.5-java to overwrite files
    in libservlet2.4-java. (Closes: #666256).
  [ tony mancill ]
  * Add libservlet2.4-java transitional package.
  * Remove /etc/authbind/byuid, /etc/authbind in postrm. (Closes: #668761)
  * Add 0011-CVE-2012-0022-regression-fix.patch. (Closes: #659748)
    - Thank you to Marc Deslauriers

16d272e... by Tony Mancill on 2012-03-29

Import patches-unapplied version 6.0.35-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 20976907001cbebb0bd47a3388dc33ded0eb52cb

New changelog entries:
  [ tony mancill ]
  * Remove Michael Koch from Uploaders. (Closes: #654136)
  * Add Turkish debconf translation (Closes: #664072)
    - Thanks to Atila KOÇ
  * Remove libservlet2.5-doc dependency on libservlet2.5.
  [ Miguel Landaeta ]
  * Bump Standards-Version to 3.9.3. No changes were required.
  * Provide 'debian' version symlink for Maven artifacts. (Closes: #665393).
  [ tony mancill ]
  *