diff -Nru tomcat7-7.0.52/debian/changelog tomcat7-7.0.52/debian/changelog
--- tomcat7-7.0.52/debian/changelog 2016-06-29 16:51:02.000000000 +0000
+++ tomcat7-7.0.52/debian/changelog 2016-09-16 13:28:12.000000000 +0000
@@ -1,3 +1,22 @@
+tomcat7 (7.0.52-1ubuntu0.7) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: privilege escalation via insecure init script
+ - debian/tomcat7.init: don't follow symlinks when handling the
+ catalina.out file.
+ - CVE-2016-1240
+ * SECURITY REGRESSION: change in behaviour after security update
+ (LP: #1609819)
+ - debian/patches/CVE-2015-5345-2.patch: fix using the new
+ mapperContextRootRedirectEnabled option in
+ java/org/apache/catalina/connector/MapperListener.java, change
+ mapperContextRootRedirectEnabled default to true in
+ java/org/apache/catalina/core/StandardContext.java,
+ webapps/docs/config/context.xml. This reverts the change in behaviour
+ following the CVE-2015-5345 security update and was also done
+ upstream in later releases.
+
+ -- Marc Deslauriers Fri, 16 Sep 2016 09:19:37 -0400
+
tomcat7 (7.0.52-1ubuntu0.6) trusty-security; urgency=medium
* SECURITY UPDATE: directory traversal vulnerability in RequestUtil.java
diff -Nru tomcat7-7.0.52/debian/patches/CVE-2015-5345-2.patch tomcat7-7.0.52/debian/patches/CVE-2015-5345-2.patch
--- tomcat7-7.0.52/debian/patches/CVE-2015-5345-2.patch 1970-01-01 00:00:00.000000000 +0000
+++ tomcat7-7.0.52/debian/patches/CVE-2015-5345-2.patch 2016-09-16 13:29:04.000000000 +0000
@@ -0,0 +1,48 @@
+Description: revert change in behaviour after security update
+Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1716860
+Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1721883
+Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=58660
+Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=58765
+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1609819
+
+Index: tomcat7-7.0.52/java/org/apache/catalina/connector/MapperListener.java
+===================================================================
+--- tomcat7-7.0.52.orig/java/org/apache/catalina/connector/MapperListener.java 2014-01-27 09:53:14.000000000 -0500
++++ tomcat7-7.0.52/java/org/apache/catalina/connector/MapperListener.java 2016-09-16 09:23:55.401566399 -0400
+@@ -360,7 +360,9 @@
+ String[] welcomeFiles = context.findWelcomeFiles();
+
+ mapper.addContextVersion(host.getName(), host, contextPath,
+- context.getWebappVersion(), context, welcomeFiles, resources);
++ context.getWebappVersion(), context, welcomeFiles, resources,
++ context.getMapperContextRootRedirectEnabled(),
++ context.getMapperDirectoryRedirectEnabled());
+
+ for (Container container : context.findChildren()) {
+ registerWrapper((Wrapper) container);
+Index: tomcat7-7.0.52/java/org/apache/catalina/core/StandardContext.java
+===================================================================
+--- tomcat7-7.0.52.orig/java/org/apache/catalina/core/StandardContext.java 2016-09-16 08:14:53.000000000 -0400
++++ tomcat7-7.0.52/java/org/apache/catalina/core/StandardContext.java 2016-09-16 09:25:34.818766485 -0400
+@@ -894,7 +894,7 @@
+ private String containerSciFilter;
+
+
+- boolean mapperContextRootRedirectEnabled = false;
++ boolean mapperContextRootRedirectEnabled = true;
+
+ boolean mapperDirectoryRedirectEnabled = false;
+
+Index: tomcat7-7.0.52/webapps/docs/config/context.xml
+===================================================================
+--- tomcat7-7.0.52.orig/webapps/docs/config/context.xml 2016-09-16 08:14:53.000000000 -0400
++++ tomcat7-7.0.52/webapps/docs/config/context.xml 2016-09-16 09:25:07.282434088 -0400
+@@ -357,7 +357,7 @@
+ redirected (adding a trailing slash) if necessary by the Mapper rather
+ than the default Servlet. This is more efficient but has the side effect
+ of confirming that the context path exists. If not specified, the
+- default value of false
is used.
++ default value of true
is used.
+
+
+
diff -Nru tomcat7-7.0.52/debian/patches/series tomcat7-7.0.52/debian/patches/series
--- tomcat7-7.0.52/debian/patches/series 2016-06-27 18:17:55.000000000 +0000
+++ tomcat7-7.0.52/debian/patches/series 2016-09-16 13:22:34.000000000 +0000
@@ -31,3 +31,4 @@
CVE-2016-0763.patch
fix_cookie_names_in_tests.patch
CVE-2016-3092.patch
+CVE-2015-5345-2.patch
diff -Nru tomcat7-7.0.52/debian/tomcat7.init tomcat7-7.0.52/debian/tomcat7.init
--- tomcat7-7.0.52/debian/tomcat7.init 2014-02-21 06:11:51.000000000 +0000
+++ tomcat7-7.0.52/debian/tomcat7.init 2016-09-16 13:20:03.000000000 +0000
@@ -170,8 +170,10 @@
# Run the catalina.sh script as a daemon
set +e
- touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
- chown $TOMCAT7_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
+ if [ ! -f "$CATALINA_BASE"/logs/catalina.out ]; then
+ install -o $TOMCAT7_USER -g adm -m 644 /dev/null "$CATALINA_BASE"/logs/catalina.out
+ fi
+ install -o $TOMCAT7_USER -g adm -m 644 /dev/null "$CATALINA_PID"
start-stop-daemon --start -b -u "$TOMCAT7_USER" -g "$TOMCAT7_GROUP" \
-c "$TOMCAT7_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
-x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"