ubuntu/+source/tomcat7:applied/debian/jessie

Last commit made on 2017-07-22
Get this branch:
git clone -b applied/debian/jessie https://git.launchpad.net/ubuntu/+source/tomcat7

Branch information

Name:
applied/debian/jessie
Repository:
lp:ubuntu/+source/tomcat7

Recent commits

ec20639... by Markus Koschany <email address hidden> on 2017-06-20

Import patches-applied version 7.0.56-3+deb8u11 to applied/debian/jessie

Imported using git-ubuntu import.

Changelog parent: e196615822430a33e68451c9ffc8a6ac0953fa70
Unapplied parent: 9d98df2e31e085690bf0abe67dfab80b188737de

New changelog entries:
  * Team upload.
  * Fix CVE-2017-5664.
    The error page mechanism of the Java Servlet Specification requires that,
    when an error occurs and an error page is configured for the error that
    occurred, the original request and response are forwarded to the error
    page. This means that the request is presented to the error page with the
    original HTTP method. If the error page is a static file, expected
    behaviour is to serve content of the file as if processing a GET request,
    regardless of the actual HTTP method. The Default Servlet in Apache Tomcat
    did not do this. Depending on the original request this could lead to
    unexpected and undesirable results for static error pages including, if the
    DefaultServlet is configured to permit writes, the replacement or removal
    of the custom error page. (Closes: #864447)
  * Team upload.
  * Fix the following security vulnerabilities:
   - CVE-2017-5647:
     A bug in the handling of the pipelined requests when send file was used
     resulted in the pipelined request being lost when send file processing of
     the previous request completed. This could result in responses appearing
     to be sent for the wrong request. For example, a user agent that sent
     requests A, B and C could see the correct response for request A, the
     response for request C for request B and no response for request C.
   - CVE-2017-5648:
     It was noticed that some calls to application listeners did not use the
     appropriate facade object. When running an untrusted application under a
     SecurityManager, it was therefore possible for that untrusted application
     to retain a reference to the request or response object and thereby access
     and/or modify information associated with another web application.

9d98df2... by Markus Koschany <email address hidden> on 2017-06-20

CVE-2017-5664

Gbp-Pq: CVE-2017-5664.patch.

0b6d711... by Markus Koschany <email address hidden> on 2017-06-20

CVE-2017-5648

Gbp-Pq: CVE-2017-5648.patch.

5e1646a... by Markus Koschany <email address hidden> on 2017-06-20

CVE-2017-5647

Gbp-Pq: CVE-2017-5647.patch.

7e7b545... by Markus Koschany <email address hidden> on 2017-06-20

BZ57544-infinite-loop-part2

Gbp-Pq: BZ57544-infinite-loop-part2.patch.

188d2da... by Markus Koschany <email address hidden> on 2017-06-20

BZ57544 infinite loop

Gbp-Pq: BZ57544-infinite-loop.patch.

ef52f65... by Markus Koschany <email address hidden> on 2017-06-20

Fixes: CVE-2016-8745: When unable to complete sendfile request,

Gbp-Pq: CVE-2016-8745.patch.

4b39987... by Markus Koschany <email address hidden> on 2017-06-20

Fixes CVE-2016-8735: The JmxRemoteLifecycleListener was not updated

Gbp-Pq: CVE-2016-8735.patch.

a08c742... by Markus Koschany <email address hidden> on 2017-06-20

Remove the restriction that prevented the use of SSL when

Gbp-Pq: BZ-57377.patch.

9068fa4... by Markus Koschany <email address hidden> on 2017-06-20

Fixes CVE-2016-6816: The code that parsed the HTTP request line

Gbp-Pq: CVE-2016-6816.patch.