ubuntu/+source/tomcat8:debian/stretch

Last commit made on 2018-11-10
Get this branch:
git clone -b debian/stretch https://git.launchpad.net/ubuntu/+source/tomcat8

Branch information

Name:
debian/stretch
Repository:
lp:ubuntu/+source/tomcat8

Recent commits

366923c... by Markus Koschany on 2018-08-24

Import patches-unapplied version 8.5.14-1+deb9u3 to debian/stretch

Imported using git-ubuntu import.

Changelog parent: f0364fed3a05e43590126ea5fcf900b56ddfa9e9

New changelog entries:
  [ Emmanuel Bourg ]
  * Fixed CVE-2018-1304: Security constraints mapped to context root are
    ignored. The URL pattern of "" (the empty string) which exactly maps to the
    context root was not correctly handled when used as part of a security
    constraint definition. This caused the constraint to be ignored. It was,
    therefore, possible for unauthorised users to gain access to web
    application resources that should have been protected. Only security
    constraints with a URL pattern of the empty string were affected.
  * Fixed CVE-2018-1305: Security constraint annotations applied too late.
    Security constraints defined by annotations of Servlets were only applied
    once a Servlet had been loaded. Because security constraints defined in
    this way apply to the URL pattern and any URLs below that point, it was
    possible - depending on the order Servlets were loaded - for some security
    constraints not to be applied. This could have exposed resources to users
    who were not authorised to access them.
  * Changed the Class-Path manifest entry of tomcat8-jasper.jar to use
    the specification jars from libtomcat8-java instead of libservlet3.1-java
    (Closes: #867247)
  [ Markus Koschany ]
  * Fix CVE-2018-1336: An improper handling of overflow in the UTF-8 decoder
    with supplementary characters can lead to an infinite loop in the decoder
    causing a Denial of Service.
  * Fix CVE-2018-8034: The host name verification when using TLS with the
    WebSocket client was missing. It is now enabled by default.
  * Fix CVE-2018-8037: If an async request was completed by the application at
    the same time as the container triggered the async timeout, a race condition
    existed that could result in a user seeing a response intended for a
    different user. An additional issue was present in the NIO and NIO2
    connectors that did not correctly track the closure of the connection when an
    async request was completed by the application and timed out by the container
    at the same time. This could also result in a user seeing a response intended
    for another user.

f0364fe... by Markus Koschany on 2017-09-03

Import patches-unapplied version 8.5.14-1+deb9u2 to debian/stretch

Imported using git-ubuntu import.

Changelog parent: 78f0e1a7043ac9b5370fa3cc7362357999d025ff

New changelog entries:
  * Team upload.
  * Fix CVE-2017-7674:
    The CORS Filter did not add an HTTP Vary header indicating that the
    response varies depending on Origin. This permitted client and server side
    cache poisoning in some circumstances.
  * Fix CVE-2017-7675:
    The HTTP/2 implementation bypassed a number of security checks that
    prevented directory traversal attacks. It was therefore possible to bypass
    security constraints using a specially crafted URL.
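
Added example (Python; not code from the tomcat8 package or from Tomcat's CORS filter): a minimal model of a shared cache that honours the Vary header, run against a filter that reflects an allowed Origin, once without and once with "Vary: Origin". The URL, the two origins and the allowed-origin list are constructed for this example. Without the Vary header the cache hands the response built for one origin to a request from a different origin, which is the client- and server-side cache poisoning the CVE-2017-7674 entry above refers to.

```python
"""Added example, not part of the tomcat8 package: why a CORS response
needs 'Vary: Origin'. Origins, URL and policy below are constructed."""

ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}  # assumed policy


def cors_response(origin, add_vary):
    """Model of a CORS filter that reflects an allowed Origin.
    add_vary=False mirrors the CVE-2017-7674 behaviour (no Vary header)."""
    headers = {"Content-Type": "application/json"}
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    if add_vary:
        headers["Vary"] = "Origin"
    return headers


def vary_key(req_headers, resp_headers):
    """Secondary cache key: the request values of every header named in the
    response's Vary (RFC 7234 section 4.1). Absent headers count as empty."""
    vary = resp_headers.get("Vary", "")
    names = [n.strip().lower() for n in vary.split(",") if n.strip()]
    return tuple((n, req_headers.get(n, "")) for n in names)


class SharedCache:
    """Minimal URL-keyed cache that honours Vary, as a proxy or CDN would."""

    def __init__(self):
        self.store = {}  # url -> list of (vary key, cached response)

    def fetch(self, url, req_headers, origin_server):
        for key, cached in self.store.get(url, []):
            if key == vary_key(req_headers, cached):
                return cached, True          # cache hit
        resp = origin_server(req_headers)
        self.store.setdefault(url, []).append((vary_key(req_headers, resp), resp))
        return resp, False                   # cache miss, fetched fresh


def simulate(add_vary, first_origin, second_origin):
    """Two origins request the same URL through one shared cache.
    Returns (Access-Control-Allow-Origin seen by the second origin, cache hit?)."""
    cache = SharedCache()
    server = lambda req: cors_response(req.get("origin"), add_vary)
    cache.fetch("/api/profile", {"origin": first_origin}, server)
    resp, hit = cache.fetch("/api/profile", {"origin": second_origin}, server)
    return resp.get("Access-Control-Allow-Origin"), hit


if __name__ == "__main__":
    for vary in (False, True):
        print("Vary: Origin" if vary else "no Vary",
              simulate(vary, "https://app.example", "https://evil.example"),
              simulate(vary, "https://evil.example", "https://app.example"))
```

The first ordering shows the response tailored to the allowed origin being served from cache to an unrelated origin; the second shows the allowed origin receiving a cached response with no Access-Control-Allow-Origin at all, so its legitimate cross-origin calls fail. With "Vary: Origin" each origin gets its own cache entry and neither happens.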

78f0e1a... by Emmanuel Bourg on 2017-06-21

Import patches-unapplied version 8.5.14-1+deb9u1 to debian/stretch

Imported using git-ubuntu import.

Changelog parent: de3157e6b34660fc981eff4817f1d37506d0fdd5

New changelog entries:
  * Team upload.
  * Fixed CVE-2017-5664: Static error pages can be overwritten if the
    DefaultServlet is configured to permit writes (Closes: #864447)
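
Added example (Python; not part of the tomcat8 package or of Tomcat): an audit of a web.xml for the two configuration conditions behind entries on this page, an empty-string <url-pattern> inside a <security-constraint>, which unpatched Tomcat ignored (CVE-2018-1304, in the 8.5.14-1+deb9u3 entry above), and a DefaultServlet with init-param readonly=false, the precondition for CVE-2017-5664. The sample descriptor and the function names are constructed for this example. Point it at the package's global web.xml (/etc/tomcat8/web.xml on Debian) and at each application's WEB-INF/web.xml: a hit on the first check means that constraint gives no protection until the fixed package is installed, and a hit on the second means the DefaultServlet accepts PUT and DELETE.

```python
"""Added example, not part of the tomcat8 package: audit a web.xml for
  * security constraints whose url-pattern is "" (CVE-2018-1304), and
  * a DefaultServlet with readonly=false (precondition for CVE-2017-5664).
The sample web.xml at the bottom is constructed for this example."""
import xml.etree.ElementTree as ET

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag):
    """Strip the namespace so Servlet 2.5/3.0/3.1 descriptors all match."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    for c in _children(elem, name):
        return (c.text or "").strip()
    return None


def find_root_constraints(root):
    """(display-name, [url-patterns]) for each security constraint that
    contains the empty-string pattern, i.e. one mapped to the context root."""
    hits = []
    for sc in _children(root, "security-constraint"):
        patterns = [(p.text or "").strip()
                    for wrc in _children(sc, "web-resource-collection")
                    for p in _children(wrc, "url-pattern")]
        if "" in patterns:
            hits.append((_text(sc, "display-name") or "", patterns))
    return hits


def default_servlet_writable(root):
    """True if a DefaultServlet declaration sets init-param readonly=false."""
    for s in _children(root, "servlet"):
        if _text(s, "servlet-class") != DEFAULT_SERVLET:
            continue
        for ip in _children(s, "init-param"):
            if (_text(ip, "param-name") == "readonly"
                    and (_text(ip, "param-value") or "").lower() == "false"):
                return True
    return False


def audit(web_xml_text):
    root = ET.fromstring(web_xml_text)
    return {
        "root_constraints": find_root_constraints(root),
        "default_servlet_writable": default_servlet_writable(root),
    }


# Constructed sample: one writable DefaultServlet, one root-mapped constraint.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
  <security-constraint>
    <display-name>Protect the landing page</display-name>
    <web-resource-collection>
      <web-resource-name>root</web-resource-name>
      <url-pattern></url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>Protect the admin area</display-name>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    print(audit(text))
```

The empty-pattern check only covers descriptor-defined constraints; constraints declared with @ServletSecurity annotations (CVE-2018-1305) are not visible in web.xml and need the updated package regardless.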

de3157e... by Emmanuel Bourg on 2017-05-07

Import patches-unapplied version 8.5.14-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 36615142f4518f90e94fb2cc2daba14d5ffbd0b8

New changelog entries:
  * Team upload.
  * New upstream release
    - Removed the CVE patches (fixed in this release)

3661514... by Emmanuel Bourg on 2017-04-18

Import patches-unapplied version 8.5.12-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: f507e3a41c8307a532143533bb77e3cd8a58d3cd

New changelog entries:
  * Team upload.
  * New upstream release
    - Refreshed the patches

f507e3a... by Markus Koschany on 2017-04-12

Import patches-unapplied version 8.5.11-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ba9e065ef06735172c9cbc6c578a4f4821b8cc75

New changelog entries:
  * Team upload.
  * Fix the following security vulnerabilities (Closes: #860068):
    Thanks to Salvatore Bonaccorso for the report.
   - CVE-2017-5647:
     A bug in the handling of the pipelined requests when send file was used
     resulted in the pipelined request being lost when send file processing of
     the previous request completed. This could result in responses appearing
     to be sent for the wrong request. For example, a user agent that sent
     requests A, B and C could see the correct response for request A, the
     response for request C for request B and no response for request C.
   - CVE-2017-5648:
     It was noticed that some calls to application listeners did not use the
     appropriate facade object. When running an untrusted application under a
     SecurityManager, it was therefore possible for that untrusted application
     to retain a reference to the request or response object and thereby access
     and/or modify information associated with another web application.
   - CVE-2017-5650:
     The handling of an HTTP/2 GOAWAY frame for a connection did not close
     streams associated with that connection that were currently waiting for a
     WINDOW_UPDATE before allowing the application to write more data. These
     waiting streams each consumed a thread. A malicious client could therefore
     construct a series of HTTP/2 requests that would consume all available
     processing threads.
   - CVE-2017-5651:
     The refactoring of the HTTP connectors for 8.5.x onwards introduced a
     regression in the send file processing. If the send file processing
     completed quickly, it was possible for the Processor to be added to the
     processor cache twice. This could result in the same Processor being used
     for multiple requests which in turn could lead to unexpected errors and/or
     response mix-up.
  * debian/control: tomcat8: Fix Lintian error and depend on lsb-base.

ba9e065... by Emmanuel Bourg on 2017-01-17

Import patches-unapplied version 8.5.11-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: f8677af77d14606c5288d149ac8cf856c9afdea2

New changelog entries:
  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Recommend Java 8 in /etc/default/tomcat8

f8677af... by Emmanuel Bourg on 2016-12-19

Import patches-unapplied version 8.5.9-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 08831acf08d605ef49c65264d06a268f6b87ea47

New changelog entries:
  * Team upload.
  * Require Java 8 or higher (Closes: #848612)

08831ac... by Emmanuel Bourg on 2016-12-08

Import patches-unapplied version 8.5.9-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 5cd835e0e495fda8e4fe5a4cd7b4a8cd6295220a

New changelog entries:
  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Restored the classloading from the common, server and shared directories
    under CATALINA_BASE (Closes: #847137)
  * Fixed the installation error when JAVA_OPTS in /etc/default/tomcat8
    contains the '%' character (Closes: #770911)

5cd835e... by Emmanuel Bourg on 2016-12-01

Import patches-unapplied version 8.5.8-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 4b09645c1215d79ad1e7eee0f82ef30b2ad72450

New changelog entries:
  * Team upload.
  * Upload to unstable.
  * No longer make /etc/tomcat8/Catalina/localhost writable by the tomcat8 user
    in the postinst script (Closes: #845393)
  * The tomcat8 user is no longer removed when the package is purged
    (Closes: #845385)
  * Compress and remove the access log files with a .txt extension
    (Closes: #845661)
  * Added the delaycompress option to the logrotate configuration
    of catalina.out (Closes: #843135)
  * Changed the home directory for the tomcat8 user from /usr/share/tomcat8
    to /var/lib/tomcat8 (Closes: #833261)
  * Aligned the logging configuration with the upstream one
  * Set the proper permissions for /etc/tomcat8/jaspic-providers.xml
  * Install the new library jaspic-api.jar
  * Install the Maven artifacts for tomcat-storeconfig
  * Simplified debian/rules