ubuntu/+source/tomcat8:ubuntu/xenial-devel

Last commit made on 2019-09-10
Get this branch:
git clone -b ubuntu/xenial-devel https://git.launchpad.net/ubuntu/+source/tomcat8
Members of Ubuntu Server Dev import team can upload to this branch. Log in for directions.

Branch merges

Branch information

Name:
ubuntu/xenial-devel
Repository:
lp:ubuntu/+source/tomcat8

Recent commits

1ed3855... by Maria Emilia Torino on 2019-09-09

Import patches-unapplied version 8.0.32-1ubuntu1.10 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: e5b8c0dc428bfbb35556f37b7102ae8c2463ae57

New changelog entries:
  * SECURITY UPDATE: XSS attack on SSI printenv command
    - debian/patches/CVE-2019-0221.patch: escape debug output to aid
      readability
    - CVE-2019-0221

e5b8c0d... by Karl Stenerud on 2018-12-10

Import patches-unapplied version 8.0.32-1ubuntu1.9 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: 99fabbf378b9a713124ef689606c1b2b5f8d4e70

New changelog entries:
  * d/p/fix-class-resource-name-filtering.patch: Fix class and resource name
    filtering in WebappClassLoader (LP: #1606331).

99fabbf... by Marc Deslauriers on 2018-10-09

Import patches-unapplied version 8.0.32-1ubuntu1.8 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 26c63fe5e765b30779685da6c226875e80afe3c6

New changelog entries:
  * SECURITY UPDATE: arbitrary redirect issue
    - debian/patches/CVE-2018-11784.patch: avoid protocol relative
      redirects in java/org/apache/catalina/servlets/DefaultServlet.java.
    - CVE-2018-11784

26c63fe... by Marc Deslauriers on 2018-07-25

Import patches-unapplied version 8.0.32-1ubuntu1.7 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: ab4b4af794a7600e02bfde185c2c7740b348d54d

New changelog entries:
  * SECURITY UPDATE: DoS via issue in UTF-8 decoder
    - debian/patches/CVE-2018-1336.patch: fix logic in
      java/org/apache/tomcat/util/buf/Utf8Decoder.java.
    - CVE-2018-1336
  * SECURITY UPDATE: missing hostname verification in WebSocket client
    - debian/patches/CVE-2018-8034.patch: enable hostname verification by
      default in webapps/docs/web-socket-howto.xml,
      java/org/apache/tomcat/websocket/WsWebSocketContainer.java.
    - CVE-2018-8034

ab4b4af... by Marc Deslauriers on 2018-05-28

Import patches-unapplied version 8.0.32-1ubuntu1.6 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 658a6bbc0a6d6a0ab8f2904bd36dd5cdc526c732

New changelog entries:
  * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
    - debian/patches/CVE-2017-12617.patch: add checks to
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/webresources/AbstractFileResourceSet.java,
      java/org/apache/catalina/webresources/DirResourceSet.java,
      java/org/apache/tomcat/util/compat/JrePlatform.java,
      test/org/apache/catalina/webresources/AbstractTestResourceSet.java,
      test/org/apache/catalina/webresources/TestAbstractFileResourceSetPerformance.java.
    - CVE-2017-12617
  * SECURITY UPDATE: security constraints mapped to context root are ignored
    - debian/patches/CVE-2018-1304.patch: add check to
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2018-1304
  * SECURITY UPDATE: security constraint annotations applied too late
    - debian/patches/CVE-2018-1305.patch: change ordering in
      java/org/apache/catalina/Wrapper.java,
      java/org/apache/catalina/authenticator/AuthenticatorBase.java,
      java/org/apache/catalina/core/ApplicationContext.java,
      java/org/apache/catalina/core/ApplicationServletRegistration.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/StandardWrapper.java,
      java/org/apache/catalina/startup/ContextConfig.java,
      java/org/apache/catalina/startup/Tomcat.java,
      java/org/apache/catalina/startup/WebAnnotationSet.java.
    - CVE-2018-1305
  * SECURITY UPDATE: CORS filter has insecure defaults
    - debian/patches/CVE-2018-8014.patch: change defaults in
      java/org/apache/catalina/filters/CorsFilter.java,
      java/org/apache/catalina/filters/LocalStrings.properties,
      test/org/apache/catalina/filters/TestCorsFilter.java,
      test/org/apache/catalina/filters/TesterFilterConfigs.java.
    - CVE-2018-8014

658a6bb... by Marc Deslauriers on 2017-09-27

Import patches-unapplied version 8.0.32-1ubuntu1.5 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: a4376779440f69b59df7086ba4906b3cc11d2eea

New changelog entries:
  * SECURITY UPDATE: loss of pipeline requests
    - debian/patches/CVE-2017-5647.patch: improve sendfile handling when
      requests are pipelined in
      java/org/apache/coyote/AbstractProtocol.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11Nio2Processor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/Nio2Endpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java,
      java/org/apache/tomcat/util/net/SendfileKeepAliveState.java.
    - CVE-2017-5647
  * SECURITY UPDATE: incorrect facade object use
    - debian/patches/CVE-2017-5648.patch: ensure request and response
      facades are used when firing application listeners in
      java/org/apache/catalina/authenticator/FormAuthenticator.java,
      java/org/apache/catalina/core/StandardHostValve.java.
    - CVE-2017-5648
  * SECURITY UPDATE: unexpected and undesirable results for static error
    pages
    - debian/patches/CVE-2017-5664.patch: use a more reliable mechanism in
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/WebdavServlet.java.
    - CVE-2017-5664
  * SECURITY UPDATE: client and server side cache poisoning in CORS filter
    - debian/patches/CVE-2017-7674.patch: set Vary header in response in
      java/org/apache/catalina/filters/CorsFilter.java.
    - CVE-2017-7674

a437677... by Joshua Powers on 2017-03-09

Import patches-unapplied version 8.0.32-1ubuntu1.4 to ubuntu/xenial-proposed

Imported using git-ubuntu import.

Changelog parent: 0ba5da15161379b630f962e1f39ba837929c30e2

New changelog entries:
  * Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat8
    contains the '%' character (LP: #1666570).

0ba5da1... by Marc Deslauriers on 2017-01-16

Import patches-unapplied version 8.0.32-1ubuntu1.3 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 71c12b708dd15dc1c9fe21dab2d93a44dcd9bfe3

New changelog entries:
  * SECURITY UPDATE: timing attack in realm implementations
    - debian/patches/CVE-2016-0762.patch: add time delays to
      java/org/apache/catalina/realm/DataSourceRealm.java,
      java/org/apache/catalina/realm/JDBCRealm.java,
      java/org/apache/catalina/realm/MemoryRealm.java,
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2016-0762
  * SECURITY UPDATE: SecurityManager bypass via a Tomcat utility method
    - debian/patches/CVE-2016-5018.patch: remove unnecessary code in
      java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
      java/org/apache/jasper/security/SecurityClassLoad.java,
      java/org/apache/jasper/servlet/JasperInitializer.java.
    - CVE-2016-5018
  * SECURITY UPDATE: mitigaton for httpoxy issue
    - debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization
      parameter to conf/web.xml, webapps/docs/cgi-howto.xml,
      java/org/apache/catalina/servlets/CGIServlet.java.
    - CVE-2016-5388
  * SECURITY UPDATE: system properties read SecurityManager bypass
    - debian/patches/CVE-2016-6794.patch: extend SecurityManager protection
      to the system property replacement feature of the digester in
      java/org/apache/catalina/loader/WebappClassLoaderBase.java,
      java/org/apache/tomcat/util/digester/Digester.java,
      java/org/apache/tomcat/util/security/PermissionCheck.java.
    - CVE-2016-6794
  * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
    parameters
    - debian/patches/CVE-2016-6796.patch: ignore some JSP options when
      running under a SecurityManager in conf/web.xml,
      java/org/apache/jasper/EmbeddedServletOptions.java,
      java/org/apache/jasper/resources/LocalStrings.properties,
      java/org/apache/jasper/servlet/JspServlet.java,
      webapps/docs/jasper-howto.xml.
    - CVE-2016-6796
  * SECURITY UPDATE: web application global JNDI resource access
    - debian/patches/CVE-2016-6797.patch: ensure that the global resource
      is only visible via the ResourceLinkFactory when it is meant to be in
      java/org/apache/catalina/core/NamingContextListener.java,
      java/org/apache/naming/factory/ResourceLinkFactory.java,
      test/org/apache/naming/TestNamingContext.java.
    - CVE-2016-6797
  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid
      characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
      java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
      credential types in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when unable
      to complete sendfile request in
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat8.postinst: properly set permissions on
      /etc/tomcat8/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat8.postrm.in: don't reset permissions before removing
      user.
    - CVE-2016-9775
  * debian/tomcat8.init: further hardening.

71c12b7... by Marc Deslauriers on 2016-09-16

Import patches-unapplied version 8.0.32-1ubuntu1.2 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: 5e57ed0be761e2371df4a96fa26a50202ef9b362

New changelog entries:
  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat8.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240

5e57ed0... by Marc Deslauriers on 2016-07-06

Import patches-unapplied version 8.0.32-1ubuntu1.1 to ubuntu/xenial-security

Imported using git-ubuntu import.

Changelog parent: b1fd2e46b85130d8b344dd8ee99c14b1f5401a01

New changelog entries:
  * SECURITY UPDATE: denial of service in FileUpload
    - debian/patches/CVE-2016-3092.patch: properly handle size in
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2016-3092