ubuntu/+source/tomcat7:ubuntu/wily-security

Last commit made on 2016-07-05
Get this branch:
git clone -b ubuntu/wily-security https://git.launchpad.net/ubuntu/+source/tomcat7
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name:
ubuntu/wily-security
Repository:
lp:ubuntu/+source/tomcat7

Recent commits

134bb27... by Marc Deslauriers on 2016-06-29

Import patches-unapplied version 7.0.64-1ubuntu0.3 to ubuntu/wily-security

Imported using git-ubuntu import.

Changelog parent: abaeef61301502f35d53e0c8c28f494d0ccea8d8

New changelog entries:
  * SECURITY UPDATE: directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix more normalization edge cases
      in java/org/apache/tomcat/util/http/RequestUtil.java,
      test/org/apache/tomcat/util/http/TestRequestUtil.java.
    - CVE-2015-5174
  * SECURITY UPDATE: information disclosure via redirects by mapper
    - debian/patches/CVE-2015-5345.patch: fix redirect logic in
      java/org/apache/catalina/Context.java,
      java/org/apache/catalina/authenticator/FormAuthenticator.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/mbeans-descriptors.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/WebdavServlet.java,
      java/org/apache/catalina/startup/FailedContext.java,
      java/org/apache/tomcat/util/http/mapper/Mapper.java,
      test/org/apache/catalina/startup/TomcatBaseTest.java,
      webapps/docs/config/context.xml,
      test/org/apache/catalina/core/TesterContext.java,
      test/org/apache/tomcat/util/http/mapper/TestMapperWebapps.java.
    - CVE-2015-5345
  * SECURITY UPDATE: session fixation vulnerability
    - debian/patches/CVE-2015-5346.patch: handle different session settings
      in java/org/apache/catalina/connector/CoyoteAdapter.java,
      java/org/apache/catalina/connector/Request.java.
    - CVE-2015-5346
  * SECURITY UPDATE: CSRF protection mechanism bypass
    - debian/patches/CVE-2015-5351.patch: don't create sessions
      unnecessarily in webapps/host-manager/WEB-INF/jsp/401.jsp,
      webapps/host-manager/WEB-INF/jsp/403.jsp,
      webapps/host-manager/WEB-INF/jsp/404.jsp,
      webapps/host-manager/index.jsp,
      webapps/manager/WEB-INF/web.xml,
      webapps/manager/index.jsp.
    - CVE-2015-5351
  * SECURITY UPDATE: securityManager restrictions bypass via
    StatusManagerServlet
    - debian/patches/CVE-2016-0706.patch: place servlet in restricted list
      in java/org/apache/catalina/core/RestrictedServlets.properties.
    - CVE-2016-0706
  * SECURITY UPDATE: securityManager restrictions bypass via
    session-persistence implementation
    - debian/patches/CVE-2016-0714.patch: extend the session attribute
      filtering options in
      java/org/apache/catalina/ha/session/ClusterManagerBase.java,
      java/org/apache/catalina/ha/session/mbeans-descriptors.xml,
      java/org/apache/catalina/session/LocalStrings.properties,
      java/org/apache/catalina/session/ManagerBase.java,
      java/org/apache/catalina/session/StandardManager.java,
      java/org/apache/catalina/session/mbeans-descriptors.xml,
      java/org/apache/catalina/util/CustomObjectInputStream.java,
      java/org/apache/catalina/util/LocalStrings.properties,
      webapps/docs/config/cluster-manager.xml,
      webapps/docs/config/manager.xml.
    - CVE-2016-0714
  * SECURITY UPDATE: securityManager restrictions bypass via crafted global
    context
    - debian/patches/CVE-2016-0763.patch: protect initialization in
      java/org/apache/naming/factory/ResourceLinkFactory.java.
    - CVE-2016-0763
  * SECURITY UPDATE: denial of service in FileUpload
    - debian/patches/CVE-2016-3092.patch: properly handle size in
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2016-3092
  * debian/patches/fix_cookie_names_in_tests.patch: fix FTBFS by removing
    colons in cookie names, which are illegal in newer Java versions, in
    test/org/apache/catalina/authenticator/*.java.

abaeef6... by Emmanuel Bourg on 2015-08-28

Import patches-unapplied version 7.0.64-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 72d173f9bcd5de93812daaeacbd25f350d279766

New changelog entries:
  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Install the missing WebSocket jars in /usr/share/tomcat7/lib/
    (Closes: #787220, LP: #1326687)
  * Changed the authbind configuration to allow IPv6 connections (LP: #1443041)
  * Fixed an upgrade error when /etc/tomcat7/tomcat-users.xml is removed
    (LP: #1010791)
  * Fixed a minor HTML error in the default index.html file (LP: #1236132)

72d173f... by Emmanuel Bourg on 2015-07-08

Import patches-unapplied version 7.0.63-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 2cf80e95f9634c07e236552257ee5f2b22781f35

New changelog entries:
  * New upstream release
    - Refreshed the patches
  * debian/rules: Use an English locale when generating the documentation
    to improve the reproducibility

2cf80e9... by Emmanuel Bourg on 2015-05-27

Import patches-unapplied version 7.0.62-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: aef00074f40453f08e71009264e177851f9acac9

New changelog entries:
  * New upstream release
    - Refreshed the patches
  * Replaced the date in ServerInfo.properties and in the documentation
    with the latest date in debian/changelog to make the build reproducible
  * debian/rules:
    - Modified to use the dh sequencer
    - Simplified the ant invocation and moved some properties
      to debian/ant.properties
    - Do not set the version.* properties already defined
      in build.properties.default
    - Renamed T_VER to VERSION
    - Removed the RWFILES and RWLOC variables
    - Merged the ANT_ARGS and ANT_INVOKE variables
    - No longer remove the long gone .svn directories under
      /usr/share/tomcat8/webapps/default_root
    - Let dh_fixperms set the permissions instead of calling chmod +x
    - Use debian/tomcat7-user.manpages instead of calling dh_installman
    - Updated the copyright year in the Javadoc

aef0007... by Emmanuel Bourg on 2015-05-06

Import patches-unapplied version 7.0.61-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 35d5b011bb9d3f0f1777004d0ca297b4d6934b99

New changelog entries:
  * Upload to unstable
  * New upstream release
    - Refreshed the patches
    - Updated the test certificates
    - Added a patch renaming the taglibs-standard-*.jar files used in the tests
  * debian/rules: export JAVA_HOME to fix a build failure
  * debian/orig-tar.sh: Exclude the taglibs-standard-*.jar files
    from the upstream tarball
  * Removed the timestamp from the Javadoc of the Servlet API
    to make the build reproducible

35d5b01... by Miguel Landaeta on 2015-03-28

Import patches-unapplied version 7.0.59-2 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: b8932b15e84dfa6375d94b98953ebeb6d406aa8a

New changelog entries:
  * Fix FTBFS due to some X509 certificates provided by upstream that
    expired and were causing failures in unit tests as well, so they were
    regenerated. (Closes: #780519).
  * Fix FTBFS error by disabling some unit tests that depend on
    having network access.

b8932b1... by Emmanuel Bourg on 2015-02-10

Import patches-unapplied version 7.0.59-1 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: 1a69d177154626e18f401c6363888567ecf91025

New changelog entries:
  * Team upload.
  * New upstream release
  * Enabled Java 8 support in JSPs (requires libecj-java 3.10.1)

1a69d17... by Emmanuel Bourg on 2014-12-03

Import patches-unapplied version 7.0.57-1 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: c42e79419e4c7f6a2c9d179f927ffcb1aa745541

New changelog entries:
  * Team upload.
  * New upstream release
    - Suggest libtcnative-1 (>= 1.1.32~) for the tomcat7 package
  * Standards-Version updated to 3.9.6 (no changes)

c42e794... by Emmanuel Bourg on 2014-10-06

Import patches-unapplied version 7.0.56-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 499c912e547b51aedd2e7b5a1ff3cf17a2b5a877

New changelog entries:
  * New upstream release
  * Install the extra jar catalina-jmx-remote.jar (Closes: #719921)
  * Removed the note about the authbind IPv6 incompatibility
    in /etc/defaults/tomcat7
  * Added the SimpleInstanceManager class from Tomcat 8 to help integrating
    the JSP compiler into Jetty 8

499c912... by Emmanuel Bourg on 2014-07-29

Import patches-unapplied version 7.0.55-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 822c349bd4c90e5c39fd0858b55490857948b730

New changelog entries:
  * New upstream release
  * Refreshed the patches