ubuntu/+source/tomcat7:ubuntu/quantal-security

Last commit made on 2014-03-06
Get this branch:
git clone -b ubuntu/quantal-security https://git.launchpad.net/ubuntu/+source/tomcat7
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name:
ubuntu/quantal-security
Repository:
lp:ubuntu/+source/tomcat7

Recent commits

5ad2e80... by Marc Deslauriers on 2014-03-04

Import patches-unapplied version 7.0.30-0ubuntu1.3 to ubuntu/quantal-security

Imported using git-ubuntu import.

Changelog parent: bb19f3cdcfb69e483e0423ebcd779abb68c2e0f5

New changelog entries:
  * SECURITY UPDATE: request smuggling attack via content-length headers
    - debian/patches/CVE-2013-4286.patch: use long as content length in
      java/org/apache/coyote/Request.java, handle multiple content lengths
      in java/org/apache/coyote/ajp/AbstractAjpProcessor.java, handle
      content length and chunked encoding being both specified in
      java/org/apache/coyote/http11/AbstractHttp11Processor.java.
    - CVE-2013-4286
  * SECURITY UPDATE: denial of service via chunked transfer coding
    - debian/patches/CVE-2013-4322.patch: enforce maximum size in
      java/org/apache/coyote/http11/{AbstractHttp11Processor.java,
      AbstractHttp11Protocol.java, Http11AprProcessor.java,
      Http11AprProtocol.java, Http11NioProcessor.java,
      Http11NioProtocol.java, Http11Processor.java, Http11Protocol.java},
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java,
      webapps/docs/config/http.xml.
    - CVE-2013-4322
  * SECURITY UPDATE: denial of service via malformed content-type header
    - debian/patches/CVE-2014-0050.patch: validate sizes in
      java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java,
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2014-0050
  * d/p/0018-update-test-certificates.patch: remove binary parts to
    support newer quilt.

bb19f3c... by Marc Deslauriers on 2013-05-23

Import patches-unapplied version 7.0.30-0ubuntu1.2 to ubuntu/quantal-security

Imported using git-ubuntu import.

Changelog parent: b49953175487ff7d32e794078823af64afa9b1f4

New changelog entries:
  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID
      in java/org/apache/catalina/authenticator/FormAuthenticator.java.
    - CVE-2013-2067
  * SECURITY UPDATE: information leak via AsyncListeners and
    RuntimeExceptions (LP: #1178645)
    - debian/patches/CVE-2013-2071.patch: catch RuntimeExceptions in
      java/org/apache/catalina/core/AsyncContextImpl.java, added tests to
      test/org/apache/catalina/core/TestAsyncContextImpl.java.
    - CVE-2013-2071
  * Fix FTBFS due to expired test certificates:
    - d/keystores/*.jks: Newer keystores from upstream 7.0.39.
    - d/rules: Install newer keystores for testing, tidy up after use.
    - d/p/0018-update-test-certificates.patch: Cherry picked fixes from
      upstream VCS to update text based certificates.

b499531... by Marc Deslauriers on 2013-01-10

Import patches-unapplied version 7.0.30-0ubuntu1.1 to ubuntu/quantal-security

Imported using git-ubuntu import.

Changelog parent: f46bef75047745aa70712c66a1f486582586571c

New changelog entries:
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431

f46bef7... by James Page on 2012-09-17

Import patches-unapplied version 7.0.30-0ubuntu1 to ubuntu/quantal

Imported using git-ubuntu import.

Changelog parent: a659082395f747fd4352b6e7ec5895f801ab27f7

New changelog entries:
  * New upstream point release including several fixes for Java 7
    specific issues.
  * Refreshed patches.

a659082... by James Page on 2012-07-16

Import patches-unapplied version 7.0.29-0ubuntu1 to ubuntu/quantal

Imported using git-ubuntu import.

Changelog parent: b7f710dfd16938d59f06b5fcc4afb2cd6437827c

New changelog entries:
  * Re-sync with Debian unstable.
  * New upstream release:
    - Refreshed patches.
  * Enabled Tomcat jdbc-pool module, aligning more closely to upstream and
    providing improved multi-threaded performance over commons-dbcp:
    - d/rules,d/libtomcat7-java.poms: Install tomcat-dbcp.jar file.
    - d/patches/0005-change-default-DBCP-factory-class.patch: Drop patch
      which switches the default DBCP factory to commons-dbcp.
    - d/NEWS: let users know about this change.

b7f710d... by Tony Mancill on 2012-07-11

Import patches-unapplied version 7.0.28-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: c3caf4d3882750aa470d850435f14189482384b7

New changelog entries:
  [ Jakub Adam ]
  * Ensure webapps/examples/WEB-INF/lib exists before files are
    copied there.
  * Fix FTBFS when user home dir doesn't exist (Closes: #680844).
  [ tony mancill ]
  * Fix build to generate postrm from postrm.in (Closes: #681160)

c3caf4d... by Tony Mancill on 2012-06-22

Import patches-unapplied version 7.0.28-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 5d4d2799f17c0557b5a6a31db462e81f4b862ff4

New changelog entries:
  [ Miguel Landaeta ]
  * Add Slovak debconf translation (Closes: #677913).
    - Thanks to Ivan Masár.
  [ James Page ]
  * New upstream release.
  * Enable test suite during package build:
    - d/control: Add junit4, libjstl1.1-java and
      libjakarta-taglibs-standard-java to BDI's.
    - d/rules:
      + Add ant/junit4 jar files to build classpath.
      + Target java 1.6 to support test suite execution.
      + Specify location of junit jar file.
      + Install jstl jar files to example webapp during build.
      + Conditionally execute test target if required.
      + Purge jar files from example webapp during clean.
  * Fix JSTL examples in examples web application:
    - d/control: Add dependencies on libjstl1.1-java and
      libjakarta-taglibs-standard-java for tomcat7-examples.
    - d/tomcat7-examples.links: Add links to jstl and standard jar
      files for examples web application.
    - d/context/examples.xml: Allow linking to jar files in examples
      webapp.
  * Fix mapping to javax packages for API jar files:
    - d/maven.[rules,publishedRules]: Ensure all javax.[servlet|el] jar files
      are published to the correct locations in /usr/share/[maven-repo|java].
    - d/libservlet3.0-java.manifest: Update jar file locations for javax
      remapping.
    - d/libservlet3.0-java.links: Provide backwards compatible links for
      deprecated tomcat-*.jar files in /usr/share/java.
  [ tony mancill ]
  * Set DMUA flag.

5d4d279... by Tony Mancill on 2012-06-08

Import patches-unapplied version 7.0.27-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: bf44323d199b3e8e6ec9b58bf2dd416262746f7a

New changelog entries:
  * New upstream release.

bf44323... by Tony Mancill on 2012-05-29

Import patches-unapplied version 7.0.26-4 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 8d76dc520029b85586bb117ecdec68bccb1a63b9

New changelog entries:
  * Address regression leaving ROOT webapp files after purge.
    (Closes: #670440)
  * Update copyright year in javadoc to 2012.

8d76dc5... by Tony Mancill on 2012-05-24

Import patches-unapplied version 7.0.26-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 39ad728293a97eb9f7f5f761834a9bf749350ff9

New changelog entries:
  * Team upload.
  * Apply patches provided by James Page (Closes: #671370)
    - d/patches/0012-java7-compat.patch: Added compatibility patch to
      support compilation with openjdk-7 as default-jdk (LP: #889002).
    - d/default_root/index.html: Fixup instructions for enabling
      manager web application access (LP: #910368).
  * Fix README.Debian symlink; file is not compressed. (Closes: #674119)