Multiple open vulnerabilities in tomcat6 in quantal

Bug #1166649 reported by Christian Kuersteiner
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone
tomcat6 (Ubuntu) | Fix Released | Undecided | Unassigned |
Quantal | Fix Released | Undecided | Unassigned |
Saucy | Fix Released | Undecided | Unassigned |

Bug Description

Tomcat6 on quantal and raring includes multiple vulnerabilities.

See http://people.canonical.com/~ubuntu-security/cve/pkg/tomcat6.html

Christian Kuersteiner (ckuerste) wrote :

I prepared a patch but want to test it first. Is there a testsuite available in tomcat6 and is it enabled?

information type: Private Security → Public Security
Jamie Strandboge (jdstrand) wrote :

There seems to be, yes. I see a test/ directory and references to junit. In theory, should be able to update the packaging like we did with tomcat7. You might want to discuss with jamespage in #ubuntu-server as ISTR he looked at the testsuite at one point (I'm not sure about that though).

Changed in tomcat6 (Ubuntu):
status: New → Triaged
Christian Kuersteiner (ckuerste) wrote :

Sitting too long on this patch for quantal and could not really enable the testsuite, I thought I'd just drop it here. Even with some hints from jamespage I could not run the built-in tests and didn't really have enough time to look further into it.
The changes are all done as in upstream and it builds and installs fine. Didn't see any problems from basic testing.

Jamie Strandboge (jdstrand) wrote :

Thanks for the debdiff!

Since Marc just updated precise, I compared your patches to his and noticed a few things:
 * 0016-CVE-2012-3439.patch should be renamed 0013-CVE-2012-588x.patch since CVE-2012-3439 was split out into CVE-2012-5885, CVE-2012-5886 and CVE-2012-5887 (as mentioned in the changelog)
 * 0016-CVE-2012-3439.patch had some additional whitespace changes not in the upstream patch
 * 0016-CVE-2012-3439.patch does not match the changes in http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java?r1=1380829&r2=1380828&pathrev=1380829. Specifically, your patch retains 'this.' in this chunk, but it should not (ie, you use !this.opaque.equals):
@@ -587,7 +623,7 @@
             }

             // Validate the opaque string
- if (!this.opaque.equals(opaque)) {
+ if (!opaque.equals(opaqueReceived)) {
                 return false;
             }
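Review bot: on the '+' line, 'opaque' refers to the authenticator's own value only if nothing else named 'opaque' is still in scope to shadow it (the '-' line needed 'this.' for exactly that reason), and the hunk does not show where 'opaqueReceived' is declared. Worth confirming the rename is carried through the rest of the method, and that a request carrying no opaque value reaches this check as null, so that opaque.equals(opaqueReceived) is false and the 'return false' path is taken.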
 * 0014-CVE-2012-4431.patch has additional whitespace changes
 * 0015-CVE-2012-4534.patch has additional whitespace and typo changes
 * debian/changelog is not formatted in the normal manner, with one stanza per CVE

It seems like you might have applied the patches by hand. If so, I encourage you to use the 'patch' utility. At this point, since there are now additional fixes, I think I am going to pull Marc's new patches and where the patches differ, update the changelog, run through QRT and publish. Thanks for your work on this!

Changed in tomcat6 (Ubuntu):
status: Triaged → In Progress
Changed in tomcat6 (Ubuntu Quantal):
status: New → In Progress
Changed in tomcat6 (Ubuntu Saucy):
status: In Progress → Fix Released
Jamie Strandboge (jdstrand) wrote :

FYI, this passed QRT/scripts/test-tomcat6.py

Changed in tomcat6 (Ubuntu Quantal):
status: In Progress → Fix Committed
summary: - Multiple open vulnerabilities in tomcat6 in quantal and raring
+ Multiple open vulnerabilities in tomcat6 in quantal
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.35-5ubuntu0.1

---------------
tomcat6 (6.0.35-5ubuntu0.1) quantal-security; urgency=low

  [ Christian Kuersteiner ]
  * SECURITY UPDATE: denial of service via large header data
    - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2012-2733
    - LP: #1166649
  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534

  [ Jamie Strandboge ]
  * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
    - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
      authenticated user in the session by default, track server rather
      than client nonces, better handling of stale nonce values in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java.
      Patch from Marc Deslauriers.
    - CVE-2012-3439
    - CVE-2012-5885
    - CVE-2012-5886
    - CVE-2012-5887
  * SECURITY UPDATE: denial of service via chunked transfer encoding
    - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
      Patch from Marc Deslauriers.
    - CVE-2012-3544
  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID
      in java/org/apache/catalina/authenticator/FormAuthenticator.java.
      Patch from Marc Deslauriers.
    - CVE-2013-2067
 -- Jamie Strandboge <email address hidden> Tue, 28 May 2013 15:11:06 -0500

Changed in tomcat6 (Ubuntu Quantal):
status: Fix Committed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.
