Ubuntu
tomcat7 package

tomcat7 7.0.52-1ubuntu0.3 source package in Ubuntu

Changelog

tomcat7 (7.0.52-1ubuntu0.3) trusty-security; urgency=medium

  * SECURITY UPDATE: arbitrary file disclosure via XML parser
    (LP: #1449975)
    - debian/patches/CVE-2014-0119.patch: add defensive coding and ensure
      TLD parser obtained from cache has correct value of blockExternal in
      java/org/apache/catalina/security/SecurityClassLoad.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/startup/TldConfig.java,
      java/org/apache/jasper/compiler/JspDocumentParser.java,
      java/org/apache/jasper/xmlparser/ParserUtils.java,
      java/org/apache/tomcat/util/security/PrivilegedGetTccl.java,
      java/org/apache/tomcat/util/security/PrivilegedSetTccl.java.
    - CVE-2014-0119
  * SECURITY UPDATE: HTTP request smuggling or denial of service via
    streaming with malformed chunked transfer encoding (LP: #1449975)
    - debian/patches/CVE-2014-0227.patch: add error flag and improve i18n
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      java/org/apache/coyote/http11/filters/LocalStrings.properties.
    - CVE-2014-0227
  * SECURITY UPDATE: denial of service via aborted upload attempts
    (LP: #1449975)
    - debian/patches/CVE-2014-0230.patch: limit amount of data in
      java/org/apache/coyote/http11/AbstractHttp11Processor.java,
      java/org/apache/coyote/http11/AbstractHttp11Protocol.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11AprProtocol.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/coyote/http11/Http11NioProtocol.java,
      java/org/apache/coyote/http11/Http11Processor.java,
      java/org/apache/coyote/http11/Http11Protocol.java,
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      java/org/apache/coyote/http11/filters/IdentityInputFilter.java,
      java/org/apache/coyote/http11/filters/LocalStrings.properties,
      test/org/apache/catalina/core/TestSwallowAbortedUploads.java,
      webapps/docs/config/http.xml.
    - CVE-2014-0230
  * SECURITY UPDATE: SecurityManager bypass via Expression Language
    - debian/patches/CVE-2014-7810.patch: handle classes that may not be
      accessible but have accessible interfaces in
      java/javax/el/BeanELResolver.java, remove unnecessary code in
      java/org/apache/jasper/runtime/PageContextImpl.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2014-7810
  * Replace expired ssl certs and use TLS to fix tests causing FTBFS:
    - debian/patches/0022-use-tls-in-ssl-unit-tests.patch
    - debian/patches/0023-replace-expired-ssl-certificates.patch
    - debian/source/include-binaries

 -- Marc Deslauriers <email address hidden>  Fri, 19 Jun 2015 12:30:21 -0400

Upload details

Uploaded by:
Marc Deslauriers
Uploaded to:
Trusty
Original maintainer:
Ubuntu Developers
Architectures:
all
Section:
java
Urgency:
Medium Urgency

See full publishing history Publishing

Series Pocket Published Component Section

Builds

Trusty: [FULLYBUILT] i386

Downloads

File Size SHA-256 Checksum
tomcat7_7.0.52.orig.tar.gz 4.1 MiB feaf30f38df1cda467ce04ceec09a4e06ad8cf499cc800fa1ece74ef836cedb1
tomcat7_7.0.52-1ubuntu0.3.debian.tar.gz 90.7 KiB ee19bf380c3a13a255a9ef93f0562967c18a8f22935466d59ff0a254efa03ea0
tomcat7_7.0.52-1ubuntu0.3.dsc 2.7 KiB 218fc0251cee74715381c8d7b8b93aee2d4be246be88ddafcc9c8c909baf275f

View changes file

Binary packages built by this source

libservlet3.0-java: Servlet 3.0 and JSP 2.2 Java API classes

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains the Java Servlet and JSP library.

libservlet3.0-java-doc: Servlet 3.0 and JSP 2.2 Java API documentation

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains the documentation for the Java Servlet and JSP library.

libtomcat7-java: Servlet and JSP engine -- core libraries

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains the Tomcat core classes which can be used by other
 Java applications to embed Tomcat.

tomcat7: Servlet and JSP engine

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains only the startup scripts for the system-wide daemon.
 No documentation or web applications are included here, please install
 the tomcat7-docs and tomcat7-examples packages if you want them.
 Install the authbind package if you need to use Tomcat on ports 1-1023.
 Install tomcat7-user instead of this package if you don't want Tomcat to
 start as a service.

tomcat7-admin: Servlet and JSP engine -- admin web applications

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains the administrative web interfaces.

tomcat7-common: Servlet and JSP engine -- common files

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains common files needed by the tomcat7 and tomcat7-user
 packages (Tomcat 6 scripts and libraries).

tomcat7-docs: Servlet and JSP engine -- documentation

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains the online documentation web application.

tomcat7-examples: Servlet and JSP engine -- example web applications

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains the default Tomcat example webapps.

tomcat7-user: Servlet and JSP engine -- tools to create user instances

 Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
 specifications from Sun Microsystems, and provides a "pure Java" HTTP web
 server environment for Java code to run.
 .
 This package contains files needed to create a user Tomcat instance.
 This user Tomcat instance can be started and stopped using the scripts
 provided in the Tomcat instance directory.