ubuntu/+source/tomcat8:ubuntu/yakkety-security

Last commit made on 2017-01-23
Get this branch:
git clone -b ubuntu/yakkety-security https://git.launchpad.net/ubuntu/+source/tomcat8

Branch information

Name: ubuntu/yakkety-security
Repository: lp:ubuntu/+source/tomcat8

Recent commits

a9c810e... by Marc Deslauriers on 2017-01-13

Import patches-unapplied version 8.0.37-1ubuntu0.1 to ubuntu/yakkety-security

Imported using git-ubuntu import.

Changelog parent: f250774836a3e9a7ba945f4c2cdabb1cf1950309

New changelog entries:
  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid
      characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
      java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
      credential types in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when unable
      to complete sendfile request in
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat8.postinst: properly set permissions on
      /etc/tomcat8/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat8.postrm.in: don't reset permissions before removing
      user.
    - CVE-2016-9775
  * debian/tomcat8.init: further hardening.

f250774... by Emmanuel Bourg on 2016-09-19

Import patches-unapplied version 8.0.37-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 37f9d4084595f74b686aa400d6d76ef1e4c10d3f

New changelog entries:
  * Team upload.
  * New upstream release
  * Removed 0001-set-UTF-8-as-default-character-encoding.patch (fixed upstream)

37f9d40... by Emmanuel Bourg on 2016-09-14

Import patches-unapplied version 8.0.36-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 7be2c519bd4e57fb2ce878efca5e88be2b8de5e6

New changelog entries:
  * Team upload.
  * Fixed CVE-2016-1240: A flaw in the init.d startup script allows local
    attackers who have gained access to the server in the context of the
    tomcat user through a vulnerability in a web application to replace
    the catalina.out file with a symlink to an arbitrary file on the system,
    potentially leading to a root privilege escalation.
    Thanks to Dawid Golunski for the report.
  * Removed the default 128M heap limit (LP: #568823)
  * Depend on taglibs-standard instead of jakarta-taglibs-standard

7be2c51... by Markus Koschany on 2016-08-02

Import patches-unapplied version 8.0.36-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 2da5b33961a166963a54147ee23cb68a86a13fee

New changelog entries:
  * Team upload.
  * Do not unconditionally overwrite files in /etc/tomcat8 anymore.
    (Closes: #825786)

2da5b33... by Emmanuel Bourg on 2016-06-14

Import patches-unapplied version 8.0.36-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: bc20583702224592a930e782e88b0882f6d88c5f

New changelog entries:
  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Depend on libecj-java (>= 3.11.0)
  * Standards-Version updated to 3.9.8 (no changes)
  * Use a secure Vcs-Git URL

bc20583... by Emmanuel Bourg on 2015-12-21

Import patches-unapplied version 8.0.32-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 4be9fd6d46b88738180efd7ea342939c95d7279a

New changelog entries:
  * Team upload.
  * New upstream release
  * Fixed a warning in catalina.out caused by an incorrect path
    for the root context (Closes: #808378)
  * Standards-Version updated to 3.9.7 (no changes)

4be9fd6... by Emmanuel Bourg on 2015-12-18

Import patches-unapplied version 8.0.30-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 370cdbda5f5e6dd97defe5a2e6379d50ad496b40

New changelog entries:
  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Use LC_ALL instead of LANG to format the date and make the documentation
    reproducible on the builders

370cdbd... by Emmanuel Bourg on 2015-10-19

Import patches-unapplied version 8.0.28-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 34bb8cc0daf7bd5a1bf1a7f55ab475ccfbd71234

New changelog entries:
  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Fixed a localized date in the documentation to improve the reproducibility

34bb8cc... by Emmanuel Bourg on 2015-08-23

Import patches-unapplied version 8.0.26-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 9f73ca1aa93c7c8e37f985bebb22ddf4806999cb

New changelog entries:
  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Changed the authbind configuration to allow IPv6 connections (LP: #1443041)
  * Fixed an upgrade error when /etc/tomcat8/tomcat-users.xml is removed
    (LP: #1010791)
  * Fixed a minor HTML error in the default index.html file (LP: #1236132)

9f73ca1... by Emmanuel Bourg on 2015-07-08

Import patches-unapplied version 8.0.24-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 9afa3fa8c94276800763937e98d89971f5952183

New changelog entries:
  * Team upload.
  * New upstream release
    - Refreshed the patches
  * debian/rules: Use an English locale when generating the documentation
    to improve the reproducibility