ubuntu/+source/tomcat7:ubuntu/trusty-security

Last commit made on 2018-10-10
Get this branch:
git clone -b ubuntu/trusty-security https://git.launchpad.net/ubuntu/+source/tomcat7
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information

Name:
ubuntu/trusty-security
Repository:
lp:ubuntu/+source/tomcat7

Recent commits

506a111... by Marc Deslauriers on 2018-10-09

Import patches-unapplied version 7.0.52-1ubuntu0.16 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 763c7d625c3d61ac97d3fea8487ca1fa466c6ed4

New changelog entries:
  * SECURITY UPDATE: arbitrary redirect issue
    - debian/patches/CVE-2018-11784.patch: avoid protocol relative
      redirects in java/org/apache/catalina/servlets/DefaultServlet.java.
    - CVE-2018-11784

763c7d6... by Marc Deslauriers on 2018-07-25

Import patches-unapplied version 7.0.52-1ubuntu0.15 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 16b4830e2dadbe3a2abfb2a2aaad132171b0b76a

New changelog entries:
  * SECURITY UPDATE: DoS via issue in UTF-8 decoder
    - debian/patches/CVE-2018-1336.patch: fix logic in
      java/org/apache/tomcat/util/buf/Utf8Decoder.java.
    - CVE-2018-1336
  * SECURITY UPDATE: missing hostname verification in WebSocket client
    - debian/patches/CVE-2018-8034.patch: enable hostname verification by
      default in webapps/docs/web-socket-howto.xml,
      java/org/apache/tomcat/websocket/WsWebSocketContainer.java.
    - CVE-2018-8034

16b4830... by Marc Deslauriers on 2018-05-29

Import patches-unapplied version 7.0.52-1ubuntu0.14 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 48a1fc17352252493d6a4ba16f5f8297c04a9274

New changelog entries:
  * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
    - debian/patches/CVE-2017-1261x.patch: add checks to
      java/org/apache/catalina/servlets/DefaultServlet.java
      java/org/apache/naming/resources/FileDirContext.java,
      java/org/apache/naming/resources/JrePlatform.java,
      java/org/apache/naming/resources/LocalStrings.properties,
      java/org/apache/naming/resources/VirtualDirContext.java,
      test/org/apache/naming/resources/TestFileDirContext.java.
    - CVE-2017-12616
    - CVE-2017-12617
  * SECURITY UPDATE: security constraints mapped to context root are ignored
    - debian/patches/CVE-2018-1304.patch: add check to
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2018-1304
  * SECURITY UPDATE: security constraint annotations applied too late
    - debian/patches/CVE-2018-1305.patch: change ordering in
      java/org/apache/catalina/Wrapper.java,
      java/org/apache/catalina/authenticator/AuthenticatorBase.java,
      java/org/apache/catalina/core/ApplicationContext.java,
      java/org/apache/catalina/core/ApplicationServletRegistration.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/StandardWrapper.java,
      java/org/apache/catalina/startup/ContextConfig.java,
      java/org/apache/catalina/startup/Tomcat.java,
      java/org/apache/catalina/startup/WebAnnotationSet.java.
    - CVE-2018-1305
  * SECURITY UPDATE: CORS filter has insecure defaults
    - debian/patches/CVE-2018-8014.patch: change defaults in
      java/org/apache/catalina/filters/CorsFilter.java,
      java/org/apache/catalina/filters/LocalStrings.properties,
      test/org/apache/catalina/filters/TestCorsFilter.java,
      test/org/apache/catalina/filters/TesterFilterConfigs.java.
    - CVE-2018-8014

48a1fc1... by Marc Deslauriers on 2017-09-27

Import patches-unapplied version 7.0.52-1ubuntu0.13 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 3f5c0d8b3a9db0a0cf49058b14a5e84937ebd0be

New changelog entries:
  * SECURITY UPDATE: loss of pipeline requests
    - debian/patches/CVE-2017-5647.patch: improve sendfile handling when
      requests are pipelined in
      java/org/apache/coyote/AbstractProtocol.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java,
      java/org/apache/tomcat/util/net/SendfileKeepAliveState.java,
      java/org/apache/tomcat/util/net/SendfileState.java.
    - CVE-2017-5647
  * SECURITY UPDATE: incorrect facade object use
    - debian/patches/CVE-2017-5648-pre.patch: fix keep-alive with
      asynchronous servlet in
      java/org/apache/catalina/core/AsyncContextImpl.java,
      java/org/apache/coyote/AsyncContextCallback.java,
      java/org/apache/coyote/AsyncStateMachine.java,
      test/org/apache/catalina/core/TestAsyncContextImpl.java.
    - debian/patches/CVE-2017-5648.patch: ensure request and response
      facades are used when firing application listeners in
      java/org/apache/catalina/authenticator/FormAuthenticator.java,
      java/org/apache/catalina/core/StandardHostValve.java.
    - CVE-2017-5648
  * SECURITY UPDATE: unexpected and undesirable results for static error
    pages
    - debian/patches/CVE-2017-5664.patch: use a more reliable mechanism in
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/WebdavServlet.java.
    - CVE-2017-5664
  * SECURITY UPDATE: client and server side cache poisoning in CORS filter
    - debian/patches/CVE-2017-7674.patch: set Vary header in response in
      java/org/apache/catalina/filters/CorsFilter.java.
    - CVE-2017-7674

3f5c0d8... by Joshua Powers on 2017-03-22

Import patches-unapplied version 7.0.52-1ubuntu0.11 to ubuntu/trusty-proposed

Imported using git-ubuntu import.

Changelog parent: ed7398c51db52f7787702668742abb19108df7b2

New changelog entries:
  * Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat7 contains
    the '%' character (LP: #1666570).
  * Fix javax.servlet.jsp POM to use servlet-api version 3.0 instead of
    2.2 (LP: #1664179).

ed7398c... by Marc Deslauriers on 2017-02-17

Import patches-unapplied version 7.0.52-1ubuntu0.10 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: c8765acfc0933f4bd5e3a72fed6450e22b0bbc72

New changelog entries:
  * SECURITY UPDATE: DoS via CPU consumption (LP: #1663318)
    - debian/patches/CVE-2017-6056.patch: fix infinite loop in
      java/org/apache/coyote/http11/AbstractInputBuffer.java.
    - CVE-2017-6056

c8765ac... by Marc Deslauriers on 2017-02-01

Import patches-unapplied version 7.0.52-1ubuntu0.9 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 2cd4686b332b6f62fa34301ab45029990450dd71

New changelog entries:
  * SECURITY REGRESSION: security manager startup issue (LP: #1659589)
    - debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch:
      update to new /var/lib/tomcat7/policy location.
    - debian/tomcat7.postrm.in: remove policy directory.

2cd4686... by Marc Deslauriers on 2017-01-19

Import patches-unapplied version 7.0.52-1ubuntu0.8 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 0dba2e977dff380fbc62074191bee92947237e5a

New changelog entries:
  * SECURITY UPDATE: SecurityManager bypass via a utility method
    - debian/patches/CVE-2016-5018.patch: remove unnecessary code in
      java/org/apache/jasper/compiler/JspRuntimeContext.java,
      java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2016-5018
  * SECURITY UPDATE: mitigaton for httpoxy issue
    - debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization
      parameter to conf/web.xml, webapps/docs/cgi-howto.xml,
      java/org/apache/catalina/servlets/CGIServlet.java.
    - CVE-2016-5388
  * SECURITY UPDATE: system properties read SecurityManager bypass
    - debian/patches/CVE-2016-6794.patch: extend SecurityManager protection
      to the system property replacement feature of the digester in
      java/org/apache/catalina/loader/WebappClassLoader.java,
      java/org/apache/tomcat/util/digester/Digester.java,
      java/org/apache/tomcat/util/security/PermissionCheck.java.
    - CVE-2016-6794
  * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
    parameters
    - debian/patches/CVE-2016-6796.patch: ignore some JSP options when
      running under a SecurityManager in conf/web.xml,
      java/org/apache/jasper/EmbeddedServletOptions.java,
      java/org/apache/jasper/resources/LocalStrings.properties,
      java/org/apache/jasper/servlet/JspServlet.java,
      webapps/docs/jasper-howto.xml.
    - CVE-2016-6796
  * SECURITY UPDATE: web application global JNDI resource access
    - debian/patches/CVE-2016-6797.patch: ensure that the global resource
      is only visible via the ResourceLinkFactory when it is meant to be in
      java/org/apache/catalina/core/NamingContextListener.java,
      java/org/apache/naming/factory/ResourceLinkFactory.java,
      test/org/apache/naming/TestNamingContext.java.
    - CVE-2016-6797
  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid
      characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
      java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735-pre.patch: remove the restriction that
      prevented the use of SSL when specifying a bind address in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java,
      java/org/apache/catalina/mbeans/LocalStrings.properties,
      webapps/docs/config/listeners.xml.
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
      credential types in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when unable
      to complete sendfile request in
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat7.postinst: properly set permissions on
      /etc/tomcat7/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat7.postrm.in: don't reset permissions before removing
      user.
    - CVE-2016-9775
  * debian/tomcat7.init: further hardening.

0dba2e9... by Marc Deslauriers on 2016-09-16

Import patches-unapplied version 7.0.52-1ubuntu0.7 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: af708ecc8e03ca086b87b4018690fdcac16b127c

New changelog entries:
  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat7.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240
  * SECURITY REGRESSION: change in behaviour after security update
    (LP: #1609819)
    - debian/patches/CVE-2015-5345-2.patch: fix using the new
      mapperContextRootRedirectEnabled option in
      java/org/apache/catalina/connector/MapperListener.java, change
      mapperContextRootRedirectEnabled default to true in
      java/org/apache/catalina/core/StandardContext.java,
      webapps/docs/config/context.xml. This reverts the change in behaviour
      following the CVE-2015-5345 security update and was also done
      upstream in later releases.

af708ec... by Marc Deslauriers on 2016-06-29

Import patches-unapplied version 7.0.52-1ubuntu0.6 to ubuntu/trusty-security

Imported using git-ubuntu import.

Changelog parent: 7a039a1ca41505d6cc0627bc71dfe1584234add9

New changelog entries:
  * SECURITY UPDATE: directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix normalization edge cases in
      java/org/apache/tomcat/util/http/RequestUtil.java,
      test/org/apache/tomcat/util/http/TestRequestUtil.java.
    - CVE-2015-5174
  * SECURITY UPDATE: information disclosure via redirects by mapper
    - debian/patches/CVE-2015-5345.patch: fix redirect logic in
      java/org/apache/catalina/Context.java,
      java/org/apache/catalina/authenticator/FormAuthenticator.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/mbeans-descriptors.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/WebdavServlet.java,
      java/org/apache/catalina/startup/FailedContext.java,
      java/org/apache/tomcat/util/http/mapper/Mapper.java,
      test/org/apache/catalina/startup/TomcatBaseTest.java,
      webapps/docs/config/context.xml,
      test/org/apache/catalina/core/TesterContext.java.
    - CVE-2015-5345
  * SECURITY UPDATE: session fixation vulnerability
    - debian/patches/CVE-2015-5346.patch: handle different session settings
      in java/org/apache/catalina/connector/CoyoteAdapter.java,
      java/org/apache/catalina/connector/Request.java.
    - CVE-2015-5346
  * SECURITY UPDATE: CSRF protection mechanism bypass
    - debian/patches/CVE-2015-5351.patch: don't create sessions
      unnecessarily in webapps/host-manager/WEB-INF/jsp/401.jsp,
      webapps/host-manager/WEB-INF/jsp/403.jsp,
      webapps/host-manager/WEB-INF/jsp/404.jsp,
      webapps/host-manager/index.jsp,
      webapps/manager/WEB-INF/web.xml,
      webapps/manager/index.jsp.
    - CVE-2015-5351
  * SECURITY UPDATE: securityManager restrictions bypass via
    StatusManagerServlet
    - debian/patches/CVE-2016-0706.patch: place servlet in restricted list
      in java/org/apache/catalina/core/RestrictedServlets.properties.
    - CVE-2016-0706
  * SECURITY UPDATE: securityManager restrictions bypass via
    session-persistence implementation
    - debian/patches/CVE-2016-0714.patch: extend the session attribute
      filtering options in
      java/org/apache/catalina/ha/session/ClusterManagerBase.java
      java/org/apache/catalina/ha/session/mbeans-descriptors.xml,
      java/org/apache/catalina/session/LocalStrings.properties,
      java/org/apache/catalina/session/ManagerBase.java,
      java/org/apache/catalina/session/StandardManager.java,
      java/org/apache/catalina/session/mbeans-descriptors.xml,
      java/org/apache/catalina/util/CustomObjectInputStream.java,
      java/org/apache/catalina/util/LocalStrings.properties,
      webapps/docs/config/cluster-manager.xml,
      webapps/docs/config/manager.xml.
    - CVE-2016-0714
  * SECURITY UPDATE: securityManager restrictions bypass via crafted global
    context
    - debian/patches/CVE-2016-0763.patch: protect initialization in
      java/org/apache/naming/factory/ResourceLinkFactory.java.
    - CVE-2016-0763
  * SECURITY UPDATE: denial of service in FileUpload
    - debian/patches/CVE-2016-3092.patch: properly handle size in
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2016-3092
  * debian/patches/fix_cookie_names_in_tests.patch: fix FTBFS by removing
    colons in cookie names which is illegal in newer java versions in
    test/org/apache/catalina/authenticator/*.java.