ubuntu/+source/tomcat8:applied/ubuntu/yakkety-security

Last commit made on 2017-01-23
Get this branch:
git clone -b applied/ubuntu/yakkety-security https://git.launchpad.net/ubuntu/+source/tomcat8
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name:
applied/ubuntu/yakkety-security
Repository:
lp:ubuntu/+source/tomcat8

Recent commits

d4e3e8d... by Marc Deslauriers on 2017-01-13

Import patches-applied version 8.0.37-1ubuntu0.1 to applied/ubuntu/yakkety-security

Imported using git-ubuntu import.

Changelog parent: adafa06c2d373b3edaf5d7f39b18a819855c1899
Unapplied parent: 9d9e980d9bf5abe73d5bd348eb507af2e2e88467

New changelog entries:
  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid
      characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
      java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
      credential types in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when unable
      to complete sendfile request in
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat8.postinst: properly set permissions on
      /etc/tomcat8/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat8.postrm.in: don't reset permissions before removing
      user.
    - CVE-2016-9775
  * debian/tomcat8.init: further hardening.

9d9e980... by Marc Deslauriers on 2017-01-13

fix information leakage between requests

Gbp-Pq: CVE-2016-8745.patch.

affa274... by Marc Deslauriers on 2017-01-13

fix remote code execution via JmxRemoteLifecycleListener

Gbp-Pq: CVE-2016-8735.patch.

0bd31e5... by Marc Deslauriers on 2017-01-13

fix HTTP response injection via invalid characters

Gbp-Pq: CVE-2016-6816.patch.

10cd75b... by Marc Deslauriers on 2017-01-13

Adds the name of the distribution to the version of Tomcat

Gbp-Pq: 0019-add-distribution-to-error-page.patch.

def6fd8... by Marc Deslauriers on 2017-01-13

This patch changes the manager path from webapps/manager to

Gbp-Pq: 0018-fix-manager-webapp.patch.

6193b13... by Marc Deslauriers on 2017-01-13

Disables TestCometProcessor.testConnectionClose()

Gbp-Pq: 0015_disable_test_TestCometProcessor.patch.

38f6588... by Marc Deslauriers on 2017-01-13

0013-dont-look-for-build-properties-in-user-home

Gbp-Pq: 0013-dont-look-for-build-properties-in-user-home.patch.

33a99ac... by Marc Deslauriers on 2017-01-13

Disable usage of embedded library copies

Gbp-Pq: 0010-debianize-build-xml.patch.

cd72d92... by Marc Deslauriers on 2017-01-13

[PATCH] Use java.security.policy file in catalina.sh

Gbp-Pq: 0009-Use-java.security.policy-file-in-catalina.sh.patch.