ubuntu/+source/tomcat8:applied/ubuntu/zesty-updates

Last commit made on 2018-01-08
Get this branch:
git clone -b applied/ubuntu/zesty-updates https://git.launchpad.net/ubuntu/+source/tomcat8
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name: applied/ubuntu/zesty-updates
Repository: lp:ubuntu/+source/tomcat8

Recent commits

be3558b... by Marc Deslauriers on 2017-09-27

Import patches-applied version 8.0.38-2ubuntu2.2 to applied/ubuntu/zesty-security

Imported using git-ubuntu import.

Changelog parent: 1d1f35d9a08ed6ab2924a9afdea4f1cf99ccdb7b
Unapplied parent: 33665c0987c059a698780337970bfa91b2eabfd4

New changelog entries:
  * SECURITY UPDATE: loss of pipeline requests
    - debian/patches/CVE-2017-5647.patch: improve sendfile handling when
      requests are pipelined in
      java/org/apache/coyote/AbstractProtocol.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11Nio2Processor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/Nio2Endpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java,
      java/org/apache/tomcat/util/net/SendfileKeepAliveState.java.
    - CVE-2017-5647
  * SECURITY UPDATE: incorrect facade object use
    - debian/patches/CVE-2017-5648.patch: ensure request and response
      facades are used when firing application listeners in
      java/org/apache/catalina/authenticator/FormAuthenticator.java,
      java/org/apache/catalina/core/StandardHostValve.java.
    - CVE-2017-5648
  * SECURITY UPDATE: unexpected and undesirable results for static error
    pages
    - debian/patches/CVE-2017-5664.patch: use a more reliable mechanism in
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/WebdavServlet.java.
    - CVE-2017-5664
  * SECURITY UPDATE: client and server side cache poisoning in CORS filter
    - debian/patches/CVE-2017-7674.patch: set Vary header in response in
      java/org/apache/catalina/filters/CorsFilter.java.
    - CVE-2017-7674

33665c0... by Marc Deslauriers on 2017-09-27

fix client and server side cache poisoning in CORS filter

Gbp-Pq: CVE-2017-7674.patch.

1bafe52... by Marc Deslauriers on 2017-09-27

fix unexpected and undesirable results for static error pages

Gbp-Pq: CVE-2017-5664.patch.

6f31505... by Marc Deslauriers on 2017-09-27

fix incorrect facade object use

Gbp-Pq: CVE-2017-5648.patch.

1af1a97... by Marc Deslauriers on 2017-09-27

fix loss of pipeline requests

Gbp-Pq: CVE-2017-5647.patch.

1e927f8... by Marc Deslauriers on 2017-09-27

fix information leakage between requests

Gbp-Pq: CVE-2016-8745.patch.

782884e... by Marc Deslauriers on 2017-09-27

fix remote code execution via JmxRemoteLifecycleListener

Gbp-Pq: CVE-2016-8735.patch.

cefbf6e... by Marc Deslauriers on 2017-09-27

fix HTTP response injection via invalid characters

Gbp-Pq: CVE-2016-6816.patch.

90432a3... by Marc Deslauriers on 2017-09-27

Adds the name of the distribution to the version of Tomcat

Gbp-Pq: 0019-add-distribution-to-error-page.patch.

a985b59... by Marc Deslauriers on 2017-09-27

This patch changes the manager path from webapps/manager to

Gbp-Pq: 0018-fix-manager-webapp.patch.