ubuntu/+source/tomcat7:ubuntu/xenial-security

Last commit made on 2018-10-30
Get this branch:
git clone -b ubuntu/xenial-security https://git.launchpad.net/ubuntu/+source/tomcat7
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information

Name:
ubuntu/xenial-security
Repository:
lp:ubuntu/+source/tomcat7

Recent commits

aa92796... by Eduardo dos Santos Barretto on 2018-10-30

Import patches-unapplied version 7.0.68-1ubuntu0.4 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 5a005ca0c1ae438225830afd745c6ed6aac725ba

New changelog entries:
  * SECURITY REGRESSION: security manager startup issue (LP: #1799990)
    - debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch:
      update to new /var/lib/tomcat7/policy location.
    - debian/tomcat7.postrm.in: remove policy directory.

5a005ca... by Eduardo dos Santos Barretto on 2018-10-19

Import patches-unapplied version 7.0.68-1ubuntu0.3 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 3a78f99989f10ff005f630c8e69d393de9c86376

New changelog entries:
  * SECURITY UPDATE: Timing attack can determine valid user names.
    - debian/patches/CVE-2016-0762.patch: fix in the Realm
      implementation.
    - CVE-2016-0762
  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat7.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240
  * SECURITY UPDATE: SecurityManager bypass via a utility method.
    - debian/patches/CVE-2016-5018.patch: remove unnecessary code in
      java/org/apache/jasper/compiler/JspRuntimeContext.java,
      java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - debian/patches/CVE-2016-5018-part2.patch: fix a regression when
      using Jasper with SecurityManager enabled.
    - CVE-2016-5018
  * SECURITY UPDATE: system properties read SecurityManager bypass
    - debian/patches/CVE-2016-6794.patch: extend SecurityManager
      protection to the system property replacement feature of the
      digester in java/org/apache/catalina/loader/WebappClassLoader.java,
      java/org/apache/tomcat/util/digester/Digester.java,
      java/org/apache/tomcat/util/security/PermissionCheck.java.
    - CVE-2016-6794
  * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
    parameters.
    - debian/patches/CVE-2016-6796.patch: ignore some JSP options when
      running under a SecurityManager in conf/web.xml,
      java/org/apache/jasper/EmbeddedServletOptions.java,
      java/org/apache/jasper/resources/LocalStrings.properties,
      java/org/apache/jasper/servlet/JspServlet.java,
      webapps/docs/jasper-howto.xml.
    - CVE-2016-6796
  * SECURITY UPDATE: web application global JNDI resource access
    - debian/patches/CVE-2016-6797.patch: ensure that the global resource
      is only visible via the ResourceLinkFactory when it is meant to be
      in java/org/apache/catalina/core/NamingContextListener.java,
      java/org/apache/naming/factory/ResourceLinkFactory.java,
      test/org/apache/naming/TestNamingContext.java.
    - CVE-2016-6797
  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid
      characters in
      java/org/apache/coyote/http11/AbstractInputBuffer.java,
      java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
      credential types in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when
      unable to complete sendfile request in
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat7.postinst: properly set permissions on
      /etc/tomcat7/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat7.postrm.in: don't reset permissions before removing
      user.
    - CVE-2016-9775
  * debian/tomcat7.init: further hardening.

3a78f99... by Marc Deslauriers on 2016-06-27

Import patches-unapplied version 7.0.68-1ubuntu0.1 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 5cf3ad682e4a131572a905ff3b8b1907e6efdbbd

New changelog entries:
  * SECURITY UPDATE: denial of service in FileUpload
    - debian/patches/CVE-2016-3092.patch: properly handle size in
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2016-3092

5cf3ad6... by Emmanuel Bourg on 2016-02-18

Import patches-unapplied version 7.0.68-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: abaeef61301502f35d53e0c8c28f494d0ccea8d8

New changelog entries:
  * Team upload.
  * New upstream release (Closes: #814640)
    - Refreshed the patches
    - New build dependencies on easymock, cglib and objenesis
    - Added ASM to the test classpath (required by Easymock)
  * Use LC_ALL instead of LANG to format the date and make the documentation
    reproducible on the builders
  * Standards-Version updated to 3.9.7 (no changes)
  * Use secure Vcs-* URLs

abaeef6... by Emmanuel Bourg on 2015-08-28

Import patches-unapplied version 7.0.64-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 72d173f9bcd5de93812daaeacbd25f350d279766

New changelog entries:
  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Install the missing WebSocket jars in /usr/share/tomcat7/lib/
    (Closes: #787220, LP: #1326687)
  * Changed the authbind configuration to allow IPv6 connections (LP: #1443041)
  * Fixed an upgrade error when /etc/tomcat7/tomcat-users.xml is removed
    (LP: #1010791)
  * Fixed a minor HTML error in the default index.html file (LP: #1236132)

72d173f... by Emmanuel Bourg on 2015-07-08

Import patches-unapplied version 7.0.63-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 2cf80e95f9634c07e236552257ee5f2b22781f35

New changelog entries:
  * New upstream release
    - Refreshed the patches
  * debian/rules: Use an english locale when generating the documentation
    to improve the reproducibility

2cf80e9... by Emmanuel Bourg on 2015-05-27

Import patches-unapplied version 7.0.62-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: aef00074f40453f08e71009264e177851f9acac9

New changelog entries:
  * New upstream release
    - Refreshed the patches
  * Replaced the date in ServerInfo.properties and in the documentation
    with the latest date in debian/changelog to make the build reproducible
  * debian/rules:
    - Modified to use the dh sequencer
    - Simplified the ant invocation and moved some properties
      to debian/ant.properties
    - Do not set the version.* properties already defined
      in build.properties.default
    - Renamed T_VER to VERSION
    - Removed the RWFILES and RWLOC variables
    - Merged the ANT_ARGS and ANT_INVOKE variables
    - No longer remove the long gone .svn directories under
      /usr/share/tomcat8/webapps/default_root
    - Let dh_fixperms set the permissions instead of calling chmod +x
    - Use debian/tomcat7-user.manpages instead of calling dh_installman
    - Updated the copyright year in the Javadoc

aef0007... by Emmanuel Bourg on 2015-05-06

Import patches-unapplied version 7.0.61-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 35d5b011bb9d3f0f1777004d0ca297b4d6934b99

New changelog entries:
  * Upload to unstable
  * New upstream release
    - Refreshed the patches
    - Updated the test certificates
    - Added a patch renaming the taglibs-standard-*.jar files used in the tests
  * debian/rules: export JAVA_HOME to fix a build failure
  * debian/orig-tar.sh: Exclude the taglibs-standard-*.jar files
    from the upstream tarball
  * Removed the timestamp from the Javadoc of the Servlet API
    to make the build reproducible

35d5b01... by Miguel Landaeta <email address hidden> on 2015-03-28

Import patches-unapplied version 7.0.59-2 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: b8932b15e84dfa6375d94b98953ebeb6d406aa8a

New changelog entries:
  * Fix FTBFS due to some X509 certificates provided by upstream expired
    and were causing failures in unit tests as well, so they were
    regenerated. (Closes: #780519).
  * Fix FTBFS error by disabling some unit tests that depends on
    having network access.

b8932b1... by Emmanuel Bourg on 2015-02-10

Import patches-unapplied version 7.0.59-1 to debian/experimental

Imported using git-ubuntu import.

Changelog parent: 1a69d177154626e18f401c6363888567ecf91025

New changelog entries:
  * Team upload.
  * New upstream release
  * Enabled Java 8 support in JSPs (requires libecj-java 3.10.1)