ubuntu/+source/tomcat8:ubuntu/zesty

Last commit made on 2017-04-11
Get this branch:
git clone -b ubuntu/zesty https://git.launchpad.net/ubuntu/+source/tomcat8
Members of Ubuntu Server Dev import team can upload to this branch.

Branch information

Name: ubuntu/zesty
Repository: lp:ubuntu/+source/tomcat8

Recent commits

b66d69c... by Joshua Powers on 2017-03-28

Import patches-unapplied version 8.0.38-2ubuntu2 to ubuntu/zesty-proposed

Imported using git-ubuntu import.

Changelog parent: 8fcde4802291510660959842797a577db834e965

New changelog entries:
  * Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat8
    contains the '%' character (LP: #1666570).

8fcde48... by Marc Deslauriers on 2017-02-15

Import patches-unapplied version 8.0.38-2ubuntu1 to ubuntu/zesty-proposed

Imported using git-ubuntu import.

Changelog parent: 480e5182468ffd26ff3613eac57034b34fceb908

New changelog entries:
  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid
      characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
      java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
      credential types in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when unable
      to complete sendfile request in
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat8.postinst: properly set permissions on
      /etc/tomcat8/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat8.postrm.in: don't reset permissions before removing
      user.
    - CVE-2016-9775

480e518... by Emmanuel Bourg on 2016-10-27

Import patches-unapplied version 8.0.38-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 2a5c6fe797543bf2d7fbf431e00be3b2c2776ac0

New changelog entries:
  * Team upload.
  * CVE-2016-1240 follow-up:
    - The previous init.d fix was vulnerable to a race condition that could
      be exploited to make any existing file writable by the tomcat user.
      Thanks to Paul Szabo for the report and the fix.
    - The catalina.policy file generated on startup was affected by a similar
      vulnerability that could be exploited to overwrite any file on the system.
      Thanks to Paul Szabo for the report.
  * Install the extra jar catalina-jmx-remote.jar (Closes: #762916)
  * Added the new libtomcat8-embed-java package containing the libraries
    for embedding Tomcat into other applications.
  * Switch to debhelper level 10

2a5c6fe... by Emmanuel Bourg on 2016-10-19

Import patches-unapplied version 8.0.38-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: f250774836a3e9a7ba945f4c2cdabb1cf1950309

New changelog entries:
  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Hardened the init.d script, thanks to Paul Szabo (Closes: #840685)
  * Fixed the OSGi metadata for tomcat8-jasper.jar and tomcat8-jasper-el.jar
  * Depend on libcglib-nodep-java instead of libcglib3-java
  * Removed the unused Lintian overrides

f250774... by Emmanuel Bourg on 2016-09-19

Import patches-unapplied version 8.0.37-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 37f9d4084595f74b686aa400d6d76ef1e4c10d3f

New changelog entries:
  * Team upload.
  * New upstream release
  * Removed 0001-set-UTF-8-as-default-character-encoding.patch (fixed upstream)

37f9d40... by Emmanuel Bourg on 2016-09-14

Import patches-unapplied version 8.0.36-3 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 7be2c519bd4e57fb2ce878efca5e88be2b8de5e6

New changelog entries:
  * Team upload.
  * Fixed CVE-2016-1240: A flaw in the init.d startup script allows local
    attackers who have gained access to the server in the context of the
    tomcat user through a vulnerability in a web application to replace
    the catalina.out file with a symlink to an arbitrary file on the system,
    potentially leading to a root privilege escalation.
    Thanks to Dawid Golunski for the report.
  * Removed the default 128M heap limit (LP: #568823)
  * Depend on taglibs-standard instead of jakarta-taglibs-standard

7be2c51... by Markus Koschany on 2016-08-02

Import patches-unapplied version 8.0.36-2 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 2da5b33961a166963a54147ee23cb68a86a13fee

New changelog entries:
  * Team upload.
  * Do not unconditionally overwrite files in /etc/tomcat8 anymore.
    (Closes: #825786)

2da5b33... by Emmanuel Bourg on 2016-06-14

Import patches-unapplied version 8.0.36-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: bc20583702224592a930e782e88b0882f6d88c5f

New changelog entries:
  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Depend on libecj-java (>= 3.11.0)
  * Standards-Version updated to 3.9.8 (no changes)
  * Use a secure Vcs-Git URL

bc20583... by Emmanuel Bourg on 2015-12-21

Import patches-unapplied version 8.0.32-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 4be9fd6d46b88738180efd7ea342939c95d7279a

New changelog entries:
  * Team upload.
  * New upstream release
  * Fixed a warning in catalina.out caused by an incorrect path
    for the root context (Closes: #808378)
  * Standards-Version updated to 3.9.7 (no changes)

4be9fd6... by Emmanuel Bourg on 2015-12-18

Import patches-unapplied version 8.0.30-1 to debian/sid

Imported using git-ubuntu import.

Changelog parent: 370cdbda5f5e6dd97defe5a2e6379d50ad496b40

New changelog entries:
  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Use LC_ALL instead of LANG to format the date and make the documentation
    reproducible on the builders