ubuntu/+source/tomcat8:ubuntu/artful-updates

Last commit made on 2018-05-30
Get this branch:
git clone -b ubuntu/artful-updates https://git.launchpad.net/ubuntu/+source/tomcat8
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name: ubuntu/artful-updates
Repository: lp:ubuntu/+source/tomcat8

Recent commits

603ad35... by Marc Deslauriers on 2018-05-28

Import patches-unapplied version 8.5.21-1ubuntu1.1 to ubuntu/artful-security

Imported using git-ubuntu import.

Changelog parent: 1313f8e759ef627af59f2187b35a5e4ebc7f0d95

New changelog entries:
  * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
    - debian/patches/CVE-2017-12617.patch: add checks to
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/webresources/AbstractFileResourceSet.java,
      java/org/apache/catalina/webresources/DirResourceSet.java,
      java/org/apache/tomcat/util/compat/JrePlatform.java,
      test/org/apache/catalina/webresources/AbstractTestResourceSet.java,
      test/org/apache/catalina/webresources/TestAbstractFileResourceSetPerformance.java.
    - CVE-2017-12617
  * SECURITY UPDATE: incorrectly documented CGI search algorithm
    - debian/patches/CVE-2017-15706.patch: adjust documentation in
      webapps/docs/cgi-howto.xml.
    - CVE-2017-15706
  * SECURITY UPDATE: security constraints mapped to context root are ignored
    - debian/patches/CVE-2018-1304.patch: add check to
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2018-1304
  * SECURITY UPDATE: security constraint annotations applied too late
    - debian/patches/CVE-2018-1305.patch: change ordering in
      java/org/apache/catalina/Wrapper.java,
      java/org/apache/catalina/authenticator/AuthenticatorBase.java,
      java/org/apache/catalina/core/ApplicationContext.java,
      java/org/apache/catalina/core/ApplicationServletRegistration.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/StandardWrapper.java,
      java/org/apache/catalina/startup/ContextConfig.java,
      java/org/apache/catalina/startup/Tomcat.java,
      java/org/apache/catalina/startup/WebAnnotationSet.java.
    - CVE-2018-1305
  * SECURITY UPDATE: CORS filter has insecure defaults
    - debian/patches/CVE-2018-8014.patch: change defaults in
      java/org/apache/catalina/filters/CorsFilter.java,
      java/org/apache/catalina/filters/LocalStrings.properties,
      test/org/apache/catalina/filters/TestCorsFilter.java,
      test/org/apache/catalina/filters/TesterFilterConfigs.java.
    - CVE-2018-8014

1313f8e... by Robie Basak on 2017-10-13

Import patches-unapplied version 8.5.21-1ubuntu1 to ubuntu/artful-proposed

Imported using git-ubuntu import.

Changelog parent: 0043fa8fb52ee4ad9afb9be91cd75d3617fe5f3e

New changelog entries:
  * Demote libtcnative-1 from Recommends to Suggests as it is in
    universe.

0043fa8... by Emmanuel Bourg on 2017-09-20

Import patches-unapplied version 8.5.21-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 62c00ed1740ebc10666c320ca30f36e9797a1120

New changelog entries:
  * Team upload.
  [ Emmanuel Bourg ]
  * New upstream release
    - Refreshed the patches
    - Disabled Checkstyle
  * Changed the Class-Path manifest entry of tomcat8-jasper.jar to use
    the specification jars from libtomcat8-java instead of libservlet3.1-java
    (Closes: #867247)
  [ Miguel Landaeta ]
  * Remove myself from uploaders. (Closes: #871892)
  * Update copyright info.

62c00ed... by Emmanuel Bourg on 2017-06-26

Import patches-unapplied version 8.5.16-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 1169300911a32cabd907fd04393b8bb89f16ba7b

New changelog entries:
  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.0.0

1169300... by Emmanuel Bourg on 2017-06-21

Import patches-unapplied version 8.5.15-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 2e47474f21419db2c834f9d09eed5782800ce0f0

New changelog entries:
  * Team upload.
  * New upstream release
    - Refreshed the patches

2e47474... by Emmanuel Bourg on 2017-06-08

Import patches-unapplied version 8.5.14-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: de3157e6b34660fc981eff4817f1d37506d0fdd5

New changelog entries:
  * Team upload.
  * Fixed CVE-2017-5664: Static error pages can be overwritten if the
    DefaultServlet is configured to permit writes (Closes: #864447)

de3157e... by Emmanuel Bourg on 2017-05-07

Import patches-unapplied version 8.5.14-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 36615142f4518f90e94fb2cc2daba14d5ffbd0b8

New changelog entries:
  * Team upload.
  * New upstream release
    - Removed the CVE patches (fixed in this release)

3661514... by Emmanuel Bourg on 2017-04-18

Import patches-unapplied version 8.5.12-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: f507e3a41c8307a532143533bb77e3cd8a58d3cd

New changelog entries:
  * Team upload.
  * New upstream release
    - Refreshed the patches

f507e3a... by Markus Koschany on 2017-04-12

Import patches-unapplied version 8.5.11-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: ba9e065ef06735172c9cbc6c578a4f4821b8cc75

New changelog entries:
  * Team upload.
  * Fix the following security vulnerabilities (Closes: #860068):
    Thanks to Salvatore Bonaccorso for the report.
   - CVE-2017-5647:
     A bug in the handling of the pipelined requests when send file was used
     resulted in the pipelined request being lost when send file processing of
     the previous request completed. This could result in responses appearing
     to be sent for the wrong request. For example, a user agent that sent
     requests A, B and C could see the correct response for request A, the
     response for request C for request B and no response for request C.
   - CVE-2017-5648:
     It was noticed that some calls to application listeners did not use the
     appropriate facade object. When running an untrusted application under a
     SecurityManager, it was therefore possible for that untrusted application
     to retain a reference to the request or response object and thereby access
     and/or modify information associated with another web application.
   - CVE-2017-5650:
     The handling of an HTTP/2 GOAWAY frame for a connection did not close
     streams associated with that connection that were currently waiting for a
     WINDOW_UPDATE before allowing the application to write more data. These
     waiting streams each consumed a thread. A malicious client could therefore
     construct a series of HTTP/2 requests that would consume all available
     processing threads.
   - CVE-2017-5651:
     The refactoring of the HTTP connectors for 8.5.x onwards introduced a
     regression in the send file processing. If the send file processing
     completed quickly, it was possible for the Processor to be added to the
     processor cache twice. This could result in the same Processor being used
     for multiple requests which in turn could lead to unexpected errors and/or
     response mix-up.
  * debian/control: tomcat8: Fix Lintian error and depend on lsb-base.

ba9e065... by Emmanuel Bourg on 2017-01-17

Import patches-unapplied version 8.5.11-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: f8677af77d14606c5288d149ac8cf856c9afdea2

New changelog entries:
  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Recommend Java 8 in /etc/default/tomcat8