ubuntu/+source/tomcat7:debian/jessie

Last commit made on 2017-07-22
Get this branch:
git clone -b debian/jessie https://git.launchpad.net/ubuntu/+source/tomcat7

Branch information

Name:
debian/jessie
Repository:
lp:ubuntu/+source/tomcat7

Recent commits

a7f80c7... by Markus Koschany <email address hidden> on 2017-06-20

Import patches-unapplied version 7.0.56-3+deb8u11 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: 0edd1aafc5e6f80a718d09dcae73090f0b06fc52

New changelog entries:
  * Team upload.
  * Fix CVE-2017-5664.
    The error page mechanism of the Java Servlet Specification requires that,
    when an error occurs and an error page is configured for the error that
    occurred, the original request and response are forwarded to the error
    page. This means that the request is presented to the error page with the
    original HTTP method. If the error page is a static file, expected
    behaviour is to serve content of the file as if processing a GET request,
    regardless of the actual HTTP method. The Default Servlet in Apache Tomcat
    did not do this. Depending on the original request this could lead to
    unexpected and undesirable results for static error pages including, if the
    DefaultServlet is configured to permit writes, the replacement or removal
    of the custom error page. (Closes: #864447)
  * Team upload.
  * Fix the following security vulnerabilities:
   - CVE-2017-5647:
     A bug in the handling of the pipelined requests when send file was used
     resulted in the pipelined request being lost when send file processing of
     the previous request completed. This could result in responses appearing
     to be sent for the wrong request. For example, a user agent that sent
     requests A, B and C could see the correct response for request A, the
     response for request C for request B and no response for request C.
   - CVE-2017-5648:
     It was noticed that some calls to application listeners did not use the
     appropriate facade object. When running an untrusted application under a
     SecurityManager, it was therefore possible for that untrusted application
     to retain a reference to the request or response object and thereby access
     and/or modify information associated with another web application.
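The CVE-2017-5664 entry above turns on one detail of the Servlet error-page mechanism: the container forwards the original request, original method included, to the error page, so a DefaultServlet that dispatches on that method will honour a DELETE or PUT against the error page itself. The following simulation is an added example, not Tomcat or Debian code; the StaticFileHandler and dispatch names are hypothetical stand-ins for the DefaultServlet and the container's error-page forwarding, and the "writes enabled" switch stands in for the DefaultServlet's readonly=false setting.

```python
"""Simulation of the CVE-2017-5664 error-page behaviour described above.

Added illustration, not Tomcat code: a tiny dispatcher forwards a failed
request (original method preserved, as the Servlet spec requires) to a
static error page served by a DefaultServlet-like handler. The "vulnerable"
handler dispatches on the forwarded method, so a DELETE that triggers an
error deletes the error page when writes are enabled; the fixed handler
always serves a static error page as if the request were a GET.
"""
import os
import tempfile


class StaticFileHandler:
    """Hypothetical stand-in for a DefaultServlet serving files under `root`."""

    def __init__(self, root, writes_enabled=False, force_get_for_error_pages=True):
        self.root = root
        self.writes_enabled = writes_enabled
        self.force_get_for_error_pages = force_get_for_error_pages

    def handle(self, method, path, body=b"", is_error_page=False):
        full = os.path.join(self.root, path.lstrip("/"))
        # Fixed behaviour: a static error page is always rendered as a GET,
        # whatever method the original (forwarded) request used.
        if is_error_page and self.force_get_for_error_pages:
            method = "GET"
        if method in ("GET", "HEAD"):
            if not os.path.isfile(full):
                return 404, b""
            with open(full, "rb") as f:
                return 200, f.read() if method == "GET" else b""
        if method == "DELETE" and self.writes_enabled:
            if os.path.isfile(full):
                os.remove(full)
                return 204, b""
            return 404, b""
        if method == "PUT" and self.writes_enabled:
            with open(full, "wb") as f:
                f.write(body)
            return 201, b""
        return 405, b""


def dispatch(handler, method, path, body=b"", error_page="/error.html"):
    """Serve `path`; on 404, forward the *same* request to the error page."""
    status, content = handler.handle(method, path, body)
    if status == 404:
        # The container forwards the original request to the error page with
        # its original method (Servlet spec); the client still sees a 404.
        _, content = handler.handle(method, error_page, body, is_error_page=True)
        return 404, content
    return status, content


def demo(force_get):
    """Return (error_page_survives, body_of_404_response) for one scenario."""
    root = tempfile.mkdtemp()
    page = os.path.join(root, "error.html")
    with open(page, "wb") as f:
        f.write(b"<h1>custom 404</h1>")  # constructed sample error page
    h = StaticFileHandler(root, writes_enabled=True, force_get_for_error_pages=force_get)
    status, body = dispatch(h, "DELETE", "/does-not-exist")
    return os.path.exists(page), body


if __name__ == "__main__":
    print("vulnerable:", demo(force_get=False))
    print("fixed:     ", demo(force_get=True))
```

With writes disabled the vulnerable variant only returns a 405 instead of the page, which is the "unexpected and undesirable results" part of the entry; with writes enabled the custom error page is removed by the forwarded DELETE. The fixed variant returns the page body in both cases.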

0edd1aa... by Markus Koschany <email address hidden> on 2017-02-18

Import patches-unapplied version 7.0.56-3+deb8u9 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: 88cbe01720eeab6259b03588ce686e2df83f760f

New changelog entries:
  * Team upload.
  * Add BZ57544-infinite-loop-part2.patch.
    Fix regression due to an incomplete fix for CVE-2017-6056.
    See #854551 for further information.
  * Team upload.
  * Add BZ57544-infinite-loop.patch: It was found that https GET requests could
    trigger an infinite loop and thus cause a denial-of-service.
    (Closes: #854551)

88cbe01... by Emmanuel Bourg on 2017-01-05

Import patches-unapplied version 7.0.56-3+deb8u7 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: 0f2c9c1605277e7f17bfae6fff7bb3bf331ef234

New changelog entries:
  * Fixed CVE-2016-8745: A bug in the error handling of the send file code for
    the NIO HTTP connector resulted in the current Processor object being added
    to the Processor cache multiple times. This in turn meant that the same
    Processor could be used for concurrent requests. Sharing a Processor can
    result in information leakage between requests including, but not limited
    to, session ID and the response body.
  * Fixed CVE-2016-9774: Potential privilege escalation when the tomcat7
    package is upgraded. Thanks to Paul Szabo for the report (see #845393)
  * Fixed CVE-2016-9775: Potential privilege escalation when the tomcat7
    package is purged. Thanks to Paul Szabo for the report (see #845385)
  * Fixed CVE-2016-6816: The code that parsed the HTTP request line permitted
    invalid characters. This could be exploited, in conjunction with a proxy
    that also permitted the invalid characters but with a different
    interpretation, to inject data into the HTTP response. By manipulating the
    HTTP response the attacker could poison a web-cache, perform an XSS attack
    and/or obtain sensitive information from requests other than their own.
  * Fixed CVE-2016-8735: The JmxRemoteLifecycleListener was not updated to take
    account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations
    using this listener remained vulnerable to a similar remote code execution
    vulnerability. This issue has been rated as important rather than critical
    due to the small number of installations using this listener and that it
    would be highly unusual for the JMX ports to be accessible to an attacker
    even when the listener is used.
  * Backported the fix for upstream bug 57377: Remove the restriction that
    prevented the use of SSL when specifying a bind address for the JMX/RMI
    server. Enable SSL to be configured for the registry as well as the server.
  * CVE-2016-5018 follow-up: Applied a missing modification fixing
    a ClassNotFoundException when the security manager is enabled
    (Closes: #846298)
  * CVE-2016-6797 follow-up: Fixed a regression preventing some applications
    from accessing the global resources (Closes: #845425)
  * CVE-2015-5345 follow-up: Added a missing modification enabling the use of
    the mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled
    attributes on a context.
  * Backported a fix for a test failure in Test*NonLoginAndBasicAuthenticator
    with recent JREs
  * Refreshed the expired SSL certificates used by the tests
  * Set the locale when running the tests to prevent locale sensitive tests
    from failing
  * Fixed a test failure in the new TestNamingContext test added with the fix
    for CVE-2016-6797
  * Fixed a test failure in TestResourceBundleELResolver
  * Reduced the verbosity of the tests
  * Fixed CVE-2016-0762: The Realm implementations did not process the supplied
    password if the supplied user name did not exist. This made a timing attack
    possible to determine valid user names. (Closes: #842662)
  * Fixed CVE-2016-5018: A malicious web application was able to bypass
    a configured SecurityManager via a Tomcat utility method that was
    accessible to web applications. (Closes: #842663)
  * Fixed CVE-2016-6794: When a SecurityManager is configured, a web
    application's ability to read system properties should be controlled by
    the SecurityManager. Tomcat's system property replacement feature for
    configuration files could be used by a malicious web application to bypass
    the SecurityManager and read system properties that should not be visible.
    (Closes: #842664)
  * Fixed CVE-2016-6796: A malicious web application was able to bypass
    a configured SecurityManager via manipulation of the configuration
    parameters for the JSP Servlet. (Closes: #842665)
  * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application
    access to global JNDI resources to those resources explicitly linked to the
    web application. Therefore, it was possible for a web application to access
    any global JNDI resource whether an explicit ResourceLink had been
    configured or not. (Closes: #842666)
  * CVE-2016-1240 follow-up:
    - The previous init.d fix was vulnerable to a race condition that could
      be exploited to make any existing file writable by the tomcat user.
      Thanks to Paul Szabo for the report and the fix.
    - The catalina.policy file generated on startup was affected by a similar
      vulnerability that could be exploited to overwrite any file on the system.
      Thanks to Paul Szabo for the report.
  * Hardened the init.d script, thanks to Paul Szabo
  * Team upload.
  * Fix CVE-2016-1240:
    tomcat7.init: Protect /var/log/tomcat7/catalina.out against symlink
    attacks and a possible root privilege escalation.
  * Do not unconditionally override files in /etc/tomcat7.
    Change file permissions to 640 for Debian files in /etc/tomcat7/*
    (Closes: #821391)
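The CVE-2016-1240 follow-up above is a good illustration of why a symlink check in a root-run init script is not enough on its own: between the check and the chown/chmod, the owner of the log directory can swap the file for a symlink, and root then acts on the link's target. The example below is added here and is not the tomcat7 init script or any Debian code; it contrasts the check-then-act pattern with an open that refuses symlinks atomically. It assumes a POSIX system that supports O_NOFOLLOW (Linux, the BSDs, macOS), and the `_between_check_and_act` hook is a constructed stand-in for the attacker's window.

```python
"""Symlink-safe handling of a log file the service prepares as root
(CVE-2016-1240 and its follow-up above).

Added illustration, not the tomcat7 init script. A check-then-act fix
("is it a symlink? if not, create/chown/chmod it") leaves a window in which
the unprivileged owner of the log directory can swap in a symlink, so root
then acts on the link's target. O_NOFOLLOW moves the refusal into open(2)
itself, and acting on the descriptor (fchmod) rather than the path closes
the rest of the window.
"""
import errno
import os
import stat
import tempfile


def prepare_log_racy(path, mode=0o640, _between_check_and_act=None):
    """Vulnerable pattern: check, then act on the path. `_between_check_and_act`
    is a hook standing in for what an attacker can do in the TOCTOU window."""
    if os.path.islink(path):
        raise PermissionError(f"{path} is a symlink")
    if _between_check_and_act is not None:
        _between_check_and_act()
    with open(path, "ab"):      # follows a symlink planted after the check
        pass
    os.chmod(path, mode)        # and so does chmod(2)


def prepare_log_atomic(path, mode=0o640):
    """Hardened pattern: the kernel refuses a symlink inside open(2) itself."""
    fd = os.open(path, os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW, mode)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError(f"{path} is not a regular file")
        os.fchmod(fd, mode)     # operate on the descriptor, not the path
    finally:
        os.close(fd)


def demo():
    """Return (atomic_refused_symlink, victim_mode_after_racy, mode_of_real_log)."""
    d = tempfile.mkdtemp()
    victim = os.path.join(d, "victim")   # stands in for a sensitive root-owned file
    with open(victim, "w") as f:
        f.write("constructed sample\n")
    os.chmod(victim, 0o600)
    link = os.path.join(d, "catalina.out")

    # 1. Atomic version against a symlink that already exists: refused.
    os.symlink(victim, link)
    try:
        prepare_log_atomic(link)
        atomic_refused = False
    except OSError as e:
        atomic_refused = e.errno in (errno.ELOOP, errno.EMLINK)
    os.remove(link)

    # 2. Racy version: the symlink appears only after islink() has passed,
    #    so the "log file" permissions are applied to the victim instead.
    prepare_log_racy(link, 0o666, _between_check_and_act=lambda: os.symlink(victim, link))
    victim_mode = stat.S_IMODE(os.stat(victim).st_mode)

    # 3. Atomic version on an honest path still works.
    real = os.path.join(d, "real.log")
    prepare_log_atomic(real)
    real_mode = stat.S_IMODE(os.stat(real).st_mode)
    return atomic_refused, victim_mode, real_mode


if __name__ == "__main__":
    print(demo())
```

The same reasoning applies to the catalina.policy case in the follow-up: any file root writes into a directory the service user can modify needs the symlink refusal inside the open, not before it, or the file should be created by the unprivileged user in the first place.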
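The CVE-2016-0762 entry above describes a user-enumeration timing leak: a Realm that returns as soon as the user name is unknown skips the password processing, so unknown names answer measurably faster than known ones. The example below is added here and is not Tomcat's Realm code; it shows the leaky shape beside the equalised one, with a constructed in-memory user table, PBKDF2 as a stand-in for whatever credential handler the Realm uses, and a dummy credential that is hashed whenever the name is unknown so both paths cost the same.

```python
"""Timing-equalised credential check (CVE-2016-0762 above).

Added illustration, not Tomcat's Realm code. A realm that returns early when
the user name is unknown skips the (slow) password hashing, so a remote
caller can tell valid from invalid user names by response time. The fix is
to run the same hashing work against a dummy stored credential when the
user does not exist, compare digests in constant time, and only then fold
in whether the user was found.
"""
import hashlib
import hmac
import os
import time

ITERATIONS = 50_000  # constructed; real deployments tune this to their hardware


def hash_password(password, salt, iterations=ITERATIONS):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_user_db(creds):
    """creds: {username: password}. Returns {username: (salt, digest)}."""
    db = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        db[user] = (salt, hash_password(pw, salt))
    return db


# A fixed dummy credential that is hashed whenever the user name is unknown,
# so the unknown-user path costs the same as the known-user path.
_DUMMY_SALT = os.urandom(16)
_DUMMY_DIGEST = hash_password("dummy-password-never-valid", _DUMMY_SALT)


def authenticate_leaky(db, user, password):
    """Vulnerable: the early return skips hashing for unknown users."""
    if user not in db:
        return False
    salt, digest = db[user]
    return hmac.compare_digest(hash_password(password, salt), digest)


def authenticate_equalised(db, user, password):
    """Hardened: always hash, always compare, and only then consult `found`."""
    found = user in db
    salt, digest = db[user] if found else (_DUMMY_SALT, _DUMMY_DIGEST)
    match = hmac.compare_digest(hash_password(password, salt), digest)
    return found and match


def time_call(fn, *args, repeats=3):
    best = float("inf")
    for _ in range(repeats):
        t0 = time.perf_counter()
        fn(*args)
        best = min(best, time.perf_counter() - t0)
    return best


def timing_gap(auth, db):
    """Ratio of unknown-user time to known-user time; close to 1.0 means no leak."""
    known = time_call(auth, db, "alice", "wrong")
    unknown = time_call(auth, db, "nobody", "wrong")
    return unknown / known


if __name__ == "__main__":
    db = make_user_db({"alice": "correct horse battery staple"})
    print("leaky     ratio unknown/known: %.3f" % timing_gap(authenticate_leaky, db))
    print("equalised ratio unknown/known: %.3f" % timing_gap(authenticate_equalised, db))
```

The ratio for the leaky variant is orders of magnitude below 1 because the unknown-user path does no hashing at all; the equalised variant sits near 1. The dummy digest must use the same algorithm and cost as real stored credentials, otherwise the equalisation is only approximate.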

0f2c9c1... by Emmanuel Bourg on 2016-06-22

Import patches-unapplied version 7.0.56-3+deb8u3 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: 0f140642dd3ad8c7dc7e63e48f7f67c302ee7159

New changelog entries:
  * Fixed CVE-2016-3092: Denial-of-Service vulnerability with file uploads

0f14064... by Markus Koschany <email address hidden> on 2016-04-16

Import patches-unapplied version 7.0.56-3+deb8u2 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: f0bb75a749fb9b75c16d831be2824e9a73b3e974

New changelog entries:
  * Team upload.
  * Fix CVE-2015-5174:
    Directory traversal vulnerability in RequestUtil.java allows remote
    authenticated users to bypass intended SecurityManager restrictions and
    list a parent directory via a /.. (slash dot dot) in a pathname used by a
    web application in a getResource, getResourceAsStream, or getResourcePaths
    call, as demonstrated by the $CATALINA_BASE/webapps directory.
  * Fix CVE-2015-5345:
    The Mapper component in Apache Tomcat processes redirects before
    considering security constraints and Filters, which allows remote attackers
    to determine the existence of a directory via a URL that lacks a trailing /
    (slash) character.
  * Fix CVE-2015-5346:
    Session fixation vulnerability in Apache Tomcat when different session
    settings are used for deployments of multiple versions of the same web
    application, might allow remote attackers to hijack web sessions by
    leveraging use of a requestedSessionSSL field for an unintended request,
    related to CoyoteAdapter.java and Request.java.
  * Fix CVE-2015-5351:
    The Manager and Host Manager applications in Apache Tomcat establish
    sessions and send CSRF tokens for arbitrary new requests, which allows
    remote attackers to bypass a CSRF protection mechanism by using a token.
  * Fix CVE-2016-0706:
    Apache Tomcat does not place
    org.apache.catalina.manager.StatusManagerServlet on the
    org/apache/catalina/core/RestrictedServlets.properties list, which allows
    remote authenticated users to bypass intended SecurityManager restrictions
    and read arbitrary HTTP requests, and consequently discover session ID
    values, via a crafted web application.
  * Fix CVE-2016-0714:
    The session-persistence implementation in Apache Tomcat mishandles session
    attributes, which allows remote authenticated users to bypass intended
    SecurityManager restrictions and execute arbitrary code in a privileged
    context via a web application that places a crafted object in a session.
  * Fix CVE-2016-0763:
    The setGlobalContext method in
    org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
    not consider whether ResourceLinkFactory.setGlobalContext callers are
    authorized, which allows remote authenticated users to bypass intended
    SecurityManager restrictions and read or write to arbitrary application
    data, or cause a denial of service (application disruption), via a web
    application that sets a crafted global context.
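The CVE-2015-5174 entry above is about a "/.." in a path handed to getResource, getResourceAsStream or getResourcePaths escaping the intended root. The example below is added here and is not Tomcat's RequestUtil; it is a normaliser that resolves "." and ".." segments itself, treats a trailing "/.." exactly like "/../", reports any climb above the root, and a resolver that double-checks the real path against the real root so a symlink inside the root cannot undo the normalisation. The backslash-as-separator rule and the sample inputs are constructed for the illustration.

```python
"""Confining resource lookups to the web application root (CVE-2015-5174 above).

Added illustration, not Tomcat's RequestUtil. normalize() canonicalises the
request path and returns None on any attempt to climb above "/", including a
bare "/.." or a trailing "/.."; resolve_under() maps the result onto the
filesystem and refuses anything whose real path is outside the real root.
"""
import os
import tempfile


def normalize(path):
    """Return a canonical "/a/b" form, or None if the path climbs above root."""
    path = path.replace("\\", "/")          # treat backslash as a separator too
    if not path.startswith("/"):
        path = "/" + path
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:                     # "/..", "/a/../..", ...: escape
                return None
            out.pop()
            continue
        out.append(seg)
    result = "/" + "/".join(out)
    if path.endswith("/") and result != "/":
        result += "/"                       # keep directory-ness for listings
    return result


def resolve_under(root, path):
    """Map a request path to a filesystem path under `root`, or None if it
    escapes (by ".." segments or by a symlink inside root)."""
    norm = normalize(path)
    if norm is None:
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, norm.lstrip("/")))
    if candidate != root_real and not candidate.startswith(root_real + os.sep):
        return None
    return candidate


def demo():
    """Run both checks over constructed sample inputs; returns a dict of results."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "WEB-INF"))
    outside = tempfile.mkdtemp()
    os.symlink(outside, os.path.join(root, "escape"))   # symlink pointing out
    root_real = os.path.realpath(root)
    return {
        "normalize": {p: normalize(p) for p in
                      ["/a/./b//c/../d", "/WEB-INF/../", "/WEB-INF/..",
                       "/..", "/a/../../b"]},
        "resolve": {p: resolve_under(root, p) for p in
                    ["/WEB-INF/web.xml", "/WEB-INF/..", "/escape/x", "/.."]},
        "root": root_real,
        "web_xml": os.path.join(root_real, "WEB-INF", "web.xml"),
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

normalize() must run on the decoded path (after any percent-decoding the container performs), otherwise "%2e%2e" slips past the segment check; the realpath comparison in resolve_under() is the backstop for that and for symlinks, not a replacement for the normalisation.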

f0bb75a... by Emmanuel Bourg on 2015-12-18

Import patches-unapplied version 7.0.56-3+deb8u1 to debian/jessie

Imported using git-ubuntu import.

Changelog parent: de79993a9ca0f779a3f9af8cee7ffc7f223081a9

New changelog entries:
  * Fixed CVE-2014-7810: Malicious web applications could use expression
    language to bypass the protections of a Security Manager as expressions
    were evaluated within a privileged code section.

de79993... by Miguel Landaeta <email address hidden> on 2015-03-28

Import patches-unapplied version 7.0.56-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 2a0977a25cb1f0e58a64ae63aef6acf31f4d5faf

New changelog entries:
  * Provide a clearer and more maintainable fix for #780519, with an approach
    similar to the one used by Emmanuel to fix a similar issue in stable in
    the past.

2a0977a... by Miguel Landaeta <email address hidden> on 2015-03-26

Import patches-unapplied version 7.0.56-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: c42e79419e4c7f6a2c9d179f927ffcb1aa745541

New changelog entries:
  * Fix FTBFS error by making sure SSL unit tests use TLS protocols.
    - SSLv3 and previous protocols are not secure and deprecated
      in JDK7.
    - Additionally, some X509 certificates provided by upstream expired
      and were causing failures in unit tests as well, so they were
      regenerated. (Closes: #780519).
  * Fix FTBFS error by disabling some unit tests that depend on
    having network access.

c42e794... by Emmanuel Bourg on 2014-10-06

Import patches-unapplied version 7.0.56-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 499c912e547b51aedd2e7b5a1ff3cf17a2b5a877

New changelog entries:
  * New upstream release
  * Install the extra jar catalina-jmx-remote.jar (Closes: #719921)
  * Removed the note about the authbind IPv6 incompatibility
    in /etc/defaults/tomcat7
  * Added the SimpleInstanceManager class from Tomcat 8 to help integrating
    the JSP compiler into Jetty 8

499c912... by Emmanuel Bourg on 2014-07-29

Import patches-unapplied version 7.0.55-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 822c349bd4c90e5c39fd0858b55490857948b730

New changelog entries:
  * New upstream release
  * Refreshed the patches