ubuntu/+source/tomcat8:applied/ubuntu/artful-security

Last commit made on 2018-05-30
Get this branch:
git clone -b applied/ubuntu/artful-security https://git.launchpad.net/ubuntu/+source/tomcat8

Branch information

Name:
applied/ubuntu/artful-security
Repository:
lp:ubuntu/+source/tomcat8

Recent commits

8d0ae1d... by Marc Deslauriers on 2018-05-28

Import patches-applied version 8.5.21-1ubuntu1.1 to applied/ubuntu/artful-security

Imported using git-ubuntu import.

Changelog parent: 39d96847e9c9bca7384b7535d6609062bb106f1a
Unapplied parent: 9da9844d224a211355cca4db0dbac78253be234c

New changelog entries:
  * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
    - debian/patches/CVE-2017-12617.patch: add checks to
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/webresources/AbstractFileResourceSet.java,
      java/org/apache/catalina/webresources/DirResourceSet.java,
      java/org/apache/tomcat/util/compat/JrePlatform.java,
      test/org/apache/catalina/webresources/AbstractTestResourceSet.java,
      test/org/apache/catalina/webresources/TestAbstractFileResourceSetPerformance.java.
    - CVE-2017-12617
  * SECURITY UPDATE: incorrectly documented CGI search algorithm
    - debian/patches/CVE-2017-15706.patch: adjust documentation in
      webapps/docs/cgi-howto.xml.
    - CVE-2017-15706
  * SECURITY UPDATE: security constraints mapped to context root are ignored
    - debian/patches/CVE-2018-1304.patch: add check to
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2018-1304
  * SECURITY UPDATE: security constraint annotations applied too late
    - debian/patches/CVE-2018-1305.patch: change ordering in
      java/org/apache/catalina/Wrapper.java,
      java/org/apache/catalina/authenticator/AuthenticatorBase.java,
      java/org/apache/catalina/core/ApplicationContext.java,
      java/org/apache/catalina/core/ApplicationServletRegistration.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/StandardWrapper.java,
      java/org/apache/catalina/startup/ContextConfig.java,
      java/org/apache/catalina/startup/Tomcat.java,
      java/org/apache/catalina/startup/WebAnnotationSet.java.
    - CVE-2018-1305
  * SECURITY UPDATE: CORS filter has insecure defaults
    - debian/patches/CVE-2018-8014.patch: change defaults in
      java/org/apache/catalina/filters/CorsFilter.java,
      java/org/apache/catalina/filters/LocalStrings.properties,
      test/org/apache/catalina/filters/TestCorsFilter.java,
      test/org/apache/catalina/filters/TesterFilterConfigs.java.
    - CVE-2018-8014

9da9844... by Marc Deslauriers on 2018-05-28

fix CORS filter insecure defaults

Gbp-Pq: CVE-2018-8014.patch.

5c1e231... by Marc Deslauriers on 2018-05-28

fix security constraint annotations applied too late

Gbp-Pq: CVE-2018-1305.patch.

d0eed18... by Marc Deslauriers on 2018-05-28

fix security constraints mapped to context root are ignored

Gbp-Pq: CVE-2018-1304.patch.

971c40d... by Marc Deslauriers on 2018-05-28

fix incorrect search algorithm documentation

Gbp-Pq: CVE-2017-15706.patch.

05ff1b0... by Marc Deslauriers on 2018-05-28

fix missing checks when HTTP PUTs enabled

Gbp-Pq: CVE-2017-12617.patch.

faadfb9... by Marc Deslauriers on 2018-05-28

Don't check the IDEA cipher during the tests since it is disabled in Debian (see #327739)

Gbp-Pq: 0021-dont-test-unsupported-ciphers.patch.

e5e4209... by Marc Deslauriers on 2018-05-28

Adds the name of the distribution to the version of Tomcat

Gbp-Pq: 0019-add-distribution-to-error-page.patch.

ae37aab... by Marc Deslauriers on 2018-05-28

This patch changes the manager path from webapps/manager to

Gbp-Pq: 0018-fix-manager-webapp.patch.

b9b102b... by Marc Deslauriers on 2018-05-28

0013-dont-look-for-build-properties-in-user-home

Gbp-Pq: 0013-dont-look-for-build-properties-in-user-home.patch.