Last commit made on 2016-06-05
Get this branch:
git clone -b debian/wheezy https://git.launchpad.net/ubuntu/+source/tomcat7
Members of Ubuntu Server Dev import team can upload to this branch.
Recent commits

8adbf54... by Markus Koschany on 2016-04-16

Import patches-unapplied version 7.0.28-4+deb7u4 to debian/wheezy

Imported using git-ubuntu import.

Changelog parent: 4a3b462b0197859ee25acf601a90bdb00e054f16

New changelog entries:
  * Fix CVE-2014-0096:
    java/org/apache/catalina/servlets/DefaultServlet.java in the default
    servlet in Apache Tomcat does not properly restrict XSLT stylesheets, which
    allows remote attackers to bypass security-manager restrictions and read
    arbitrary files via a crafted web application that provides an XML external
    entity declaration in conjunction with an entity reference, related to an
    XML External Entity (XXE) issue.
  * Fix CVE-2014-0119:
    It was found that in limited circumstances it was possible for a malicious
    web application to replace the XML parsers used by Tomcat to process XSLTs
    for the default servlet, JSP documents, tag library descriptors (TLDs) and
    tag plugin configuration files. The injected XML parser(s) could then
    bypass the limits imposed on XML external entities and/or have visibility
    of the XML files processed for other web applications deployed on the same
    Tomcat instance.
  * Fix CVE-2015-5174:
    Directory traversal vulnerability in RequestUtil.java allows remote
    authenticated users to bypass intended SecurityManager restrictions and
    list a parent directory via a /.. (slash dot dot) in a pathname used by a
    web application in a getResource, getResourceAsStream, or getResourcePaths
    call, as demonstrated by the $CATALINA_BASE/webapps directory.
  * Fix CVE-2015-5345:
    The Mapper component in Apache Tomcat processes redirects before
    considering security constraints and Filters, which allows remote attackers
    to determine the existence of a directory via a URL that lacks a trailing /
    (slash) character.
  * Fix CVE-2015-5346:
    Session fixation vulnerability in Apache Tomcat when different session
    settings are used for deployments of multiple versions of the same web
    application, might allow remote attackers to hijack web sessions by
    leveraging use of a requestedSessionSSL field for an unintended request,
    related to CoyoteAdapter.java and Request.java.
  * Fix CVE-2015-5351:
    The Manager and Host Manager applications in Apache Tomcat establish
    sessions and send CSRF tokens for arbitrary new requests, which allows
    remote attackers to bypass a CSRF protection mechanism by using a token.
  * Fix CVE-2016-0706:
    Apache Tomcat does not place
    org.apache.catalina.manager.StatusManagerServlet on the
    org/apache/catalina/core/RestrictedServlets.properties list, which allows
    remote authenticated users to bypass intended SecurityManager restrictions
    and read arbitrary HTTP requests, and consequently discover session ID
    values, via a crafted web application.
  * Fix CVE-2016-0714:
    The session-persistence implementation in Apache Tomcat mishandles session
    attributes, which allows remote authenticated users to bypass intended
    SecurityManager restrictions and execute arbitrary code in a privileged
    context via a web application that places a crafted object in a session.
  * Fix CVE-2016-0763:
    The setGlobalContext method in
    org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
    not consider whether ResourceLinkFactory.setGlobalContext callers are
    authorized, which allows remote authenticated users to bypass intended
    SecurityManager restrictions and read or write to arbitrary application
    data, or cause a denial of service (application disruption), via a web
    application that sets a crafted global context.

4a3b462... by Emmanuel Bourg on 2016-01-11

Import patches-unapplied version 7.0.28-4+deb7u3 to debian/wheezy

Imported using git-ubuntu import.

Changelog parent: 20428f98b3388f124edfb133eb065b8e83509869

New changelog entries:
  * Team upload.
  * Fixed CVE-2014-7810: Malicious web applications could use expression
    language to bypass the protections of a Security Manager as expressions
    were evaluated within a privileged code section.
  * Fixed CVE-2014-0099: Check for overflow when parsing the request content
    length header. This exposed a request smuggling vulnerability when Tomcat
    was located behind a reverse proxy that correctly processed the content
    length header.
  * Fixed CVE-2013-4444: Remove serialization support from FileItem to prevent
    a remote code execution vulnerability in very limited circumstances.
  * Fixed CVE-2014-0075: Malformed chunk size as part of a chunked request
    could enable the streaming of an unlimited amount of data to the server,
    bypassing the various size limits enforced on a request. This enabled
    a denial of service attack.
  * Fixed CVE-2014-0227: Add an error flag in ChunkedInputFilter to allow
    subsequent attempts at reading after an error to fail fast. This prevents
    remote attackers from conducting HTTP request smuggling attacks or causing
    a denial of service by streaming data with malformed chunked requests.
  * Fixed CVE-2014-0230: Add a new limit for the amount of data Tomcat will
    swallow for an aborted upload. This prevents remote attackers from causing
    a denial of service (thread consumption) via a series of aborted upload

20428f9... by Miguel Landaeta on 2015-03-26

Import patches-unapplied version 7.0.28-4+deb7u2 to debian/wheezy

Imported using git-ubuntu import.

Changelog parent: 6678a873c6fa7ff73533ae00287cf9ef369983a3

New changelog entries:
  * Team upload.
  * Fix FTBFS error by making sure SSL unit tests use TLS protocols.
    - SSLv3 and previous protocols are not secure and deprecated
      in JDK7.
    - Additionally, some X509 certificates provided by upstream expired
      and were causing failures in unit tests as well, so they were
      regenerated. (Closes: #780519).

6678a87... by Emmanuel Bourg on 2014-03-10

Import patches-unapplied version 7.0.28-4+deb7u1 to debian/wheezy

Imported using git-ubuntu import.

Changelog parent: 4732c5459bcdb790a2da6f69ea78f246ff3b4102

New changelog entries:
  * Team upload.
  * Fix CVE-2014-0050: Multipart requests with a malformed Content-Type header
    can trigger an infinite loop causing a denial of service.
  * Fix CVE-2013-2067: FORM authentication associates the most recent request
    requiring authentication with the current session. By repeatedly sending
    a request for an authenticated resource while the victim is completing
    the login form, an attacker could inject a request that would be executed
    using the victim's credentials. (Closes: #707704)
  * Fix CVE-2013-2071: A runtime exception in AsyncListener.onComplete()
    prevents the request from being recycled. This may expose elements of a
    previous request to a current request.
  * Fix CVE-2012-3544 and CVE-2013-4322: When processing a request submitted
    using the chunked transfer encoding, Tomcat ignored but did not limit any
    extensions that were included. This allows a client to perform a limited
    denial of service by streaming an unlimited amount of data to the server.
  * Fix CVE-2013-4286: Reject requests with multiple content-length headers
    or with a content-length header when chunked encoding is being used.
  * Replaced the expired certificates used by the tests
    (backported from Tomcat 7.0.39)

4732c54... by Tony Mancill on 2012-12-07

Import patches-unapplied version 7.0.28-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 8ae5d4f828f102e4ec3755459b746eef1df461a3

New changelog entries:
  * Acknowledge NMU: 7.0.28-3+nmu1 (Closes: #692440)
    - Thank you to Michael Gilbert.
  * Add patches for the following security issues: (Closes: #695251)
    - CVE-2012-4431, CVE-2012-3546

8ae5d4f... by Michael Gilbert on 2012-11-18

Import patches-unapplied version 7.0.28-3+nmu1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 6db617f6d4b2967901cbf8f293ae8da67370f21d

New changelog entries:
  * Non-maintainer upload.
  * Fix CVE-2012-3439: multiple replay attack issues in digest authentication.
    (Closes: #692440)

6db617f... by Tony Mancill on 2012-09-27

Import patches-unapplied version 7.0.28-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: b7f710dfd16938d59f06b5fcc4afb2cd6437827c

New changelog entries:
  [ Miguel Landaeta ]
  * Fix small typo in README.Debian.
  [ tony mancill ]
  * Use ucf and a template for /etc/logrotate.d/tomcat6 file to avoid
    updating the shipped conffile. (Closes: #688936)

b7f710d... by Tony Mancill on 2012-07-11

Import patches-unapplied version 7.0.28-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: c3caf4d3882750aa470d850435f14189482384b7

New changelog entries:
  [ Jakub Adam ]
  * Ensure webapps/examples/WEB-INF/lib exists before files are
    copied there.
  * Fix FTBFS when user home dir doesn't exist (Closes: #680844).
  [ tony mancill ]
  * Fix build to generate postrm from postrm.in (Closes: #681160)

c3caf4d... by Tony Mancill on 2012-06-22

Import patches-unapplied version 7.0.28-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 5d4d2799f17c0557b5a6a31db462e81f4b862ff4

New changelog entries:
  [ Miguel Landaeta ]
  * Add Slovak debconf translation (Closes: #677913).
    - Thanks to Ivan Masár.
  [ James Page ]
  * New upstream release.
  * Enable test suite during package build:
    - d/control: Add junit4, libjstl1.1-java and
      libjakarta-taglibs-standard-java to BDI's.
    - d/rules:
      + Add ant/junit4 jars files to build classpath.
      + Target java 1.6 to support test suite execution.
      + Specify location of junit jar file.
      + Install jstl jar files to example webapp during build.
      + Conditionally execute test target if required.
      + Purge jar files from example webapp during clean.
  * Fix JSTL examples in examples web application:
    - d/control: Add dependencies on libjstl1.1-java and
      libjakarta-taglibs-standard-java for tomcat7-examples.
    - d/tomcat7-examples.links: Add links to jstl and standard jar
      files for examples web application.
    - d/context/examples.xml: Allow linking to jar files in examples
  * Fix mapping to javax packages for API jar files:
    - d/maven.[rules,publishedRules]: Ensure all javax.[servlet|el] jar files
      are published to the correct locations in /usr/share/[maven-repo|java].
    - d/libservlet3.0-java.manifest: Update jar file locations for javax
    - d/libservlet3.0-java.links: Provide backwards compatible links for
      deprecated tomcat-*.jar files in /usr/share/java.
  [ tony mancill ]
  * Set DMUA flag.

5d4d279... by Tony Mancill on 2012-06-08

Import patches-unapplied version 7.0.27-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: bf44323d199b3e8e6ec9b58bf2dd416262746f7a

New changelog entries:
  * New upstream release.