Change log for tomcat9 package in Debian

1 → 49 of 49 results
Published in bullseye-release
tomcat9 (9.0.43-2~deb11u9) bullseye-security; urgency=high

  * More HTTP/2 overhead protection adjustments

 -- Emmanuel Bourg <email address hidden>  Mon, 16 Oct 2023 14:51:43 +0200
Published in bookworm-release
Published in sid-release
tomcat9 (9.0.70-2) unstable; urgency=medium

  * Team upload.
  * Drop tomcat9 server packages because only one Tomcat version is supported
    per release. Only retain libtomcat9-java because of compatibility reasons
    for now. Users are strongly encouraged to switch to Tomcat 10 instead.
    (Closes: #1034824)

 -- Markus Koschany <email address hidden>  Sat, 27 May 2023 17:51:32 +0200
Superseded in bullseye-release
tomcat9 (9.0.43-2~deb11u6) bullseye-security; urgency=high

  * Team upload.
  * Fix CVE-2022-42252:
    Apache Tomcat was configured to ignore invalid HTTP headers via setting
    rejectIllegalHeader to false. Tomcat did not reject a request containing an
    invalid Content-Length header making a request smuggling attack possible if
    Tomcat was located behind a reverse proxy that also failed to reject the
    request with the invalid header.
  * Fix CVE-2022-45143:
    The JsonErrorReportValve in Apache Tomcat did not escape the type, message
    or description values. In some circumstances these are constructed from
    user provided data and it was therefore possible for users to supply values
    that invalidated or manipulated the JSON output.
  * Fix CVE-2023-28708:
    When using the RemoteIpFilter with requests received from a reverse proxy
    via HTTP that include the X-Forwarded-Proto header set to https, session
    cookies created by Apache Tomcat did not include the secure attribute. This
    could result in the user agent transmitting the session cookie over an
    insecure channel. (Closes: #1033475)

 -- Markus Koschany <email address hidden>  Wed, 05 Apr 2023 17:47:16 +0200
Superseded in bullseye-release
tomcat9 (9.0.43-2~deb11u4) bullseye-security; urgency=high

  * Team upload.
  * Fix CVE-2021-43980:
    The simplified implementation of blocking reads and writes introduced in
    Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing
    (but extremely hard to trigger) concurrency bug that could cause client
    connections to share an Http11Processor instance resulting in responses, or
    part responses, to be received by the wrong client.
  * Fix CVE-2022-23181:
    The fix for bug CVE-2020-9484 introduced a time of check, time of use
    vulnerability into Apache Tomcat that allowed a local attacker to perform
    actions with the privileges of the user that the Tomcat process is using.
    This issue is only exploitable when Tomcat is configured to persist sessions
    using the FileStore.
  * Fix CVE-2022-29885:
    The documentation of Apache Tomcat for the EncryptInterceptor incorrectly
    stated it enabled Tomcat clustering to run over an untrusted network. This
    was not correct. While the EncryptInterceptor does provide confidentiality
    and integrity protection, it does not protect against all risks associated
    with running over any untrusted network, particularly DoS risks.

 -- Markus Koschany <email address hidden>  Sat, 29 Oct 2022 17:03:57 +0200
Superseded in sid-release
tomcat9 (9.0.70-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Mon, 05 Dec 2022 18:50:40 +0100
Superseded in sid-release
tomcat9 (9.0.68-1.1) unstable; urgency=medium

  * Non-maintainer upload.
  * No source change upload to rebuild with debhelper 13.10.

 -- Michael Biebl <email address hidden>  Sat, 15 Oct 2022 12:52:26 +0200
Superseded in sid-release
tomcat9 (9.0.68-1) unstable; urgency=medium

  * New upstream release
  * Look for OpenJDK 17 and up to 21 when starting the server (Closes: #1020948)
  * Simplified the Maven rules

 -- Emmanuel Bourg <email address hidden>  Sat, 08 Oct 2022 13:53:36 +0200
Superseded in sid-release
tomcat9 (9.0.67-1) unstable; urgency=medium

  * Team upload.

  [ Thorsten Glaser ]
  * Fix a Policy violation in the Depends of bin:tomcat9

  [ Emmanuel Bourg ]
  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Tue, 27 Sep 2022 00:49:00 +0200
Superseded in sid-release
tomcat9 (9.0.65-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 9.0.65.

 -- Markus Koschany <email address hidden>  Fri, 12 Aug 2022 12:56:06 +0200
Superseded in sid-release
tomcat9 (9.0.64-2) unstable; urgency=medium

  * Fallback to the default log formatter when systemd isn't used
  * Depend on systemd-sysusers and systemd-tmpfiles instead of systemd
  * Depend on libeclipse-jdt-core-java (>= 3.26.0)

 -- Emmanuel Bourg <email address hidden>  Tue, 21 Jun 2022 14:59:03 +0200

Superseded in sid-release
tomcat9 (9.0.64-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.6.1

 -- Emmanuel Bourg <email address hidden>  Mon, 20 Jun 2022 15:17:59 +0200

Superseded in sid-release
tomcat9 (9.0.63-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 9.0.63.
    - Fix CVE-2022-29885: Improve documentation for the EncryptInterceptor and
      do not claim it protects against all risks associated with running over
      any untrusted network.

 -- Markus Koschany <email address hidden>  Fri, 13 May 2022 14:04:35 +0200

Superseded in sid-release
tomcat9 (9.0.62-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 9.0.62.
  * Drop 0027-java11-compilation.patch because it is apparently no longer
    required.
  * Refresh disable-jacoco.patch for new release.
  * Depend on java11-runtime-headless because Java 8 is no longer supported.
    Thanks to Per Lundberg for the report. (Closes: #1006647)

 -- Markus Koschany <email address hidden>  Fri, 29 Apr 2022 23:10:59 +0200

Published in buster-release
tomcat9 (9.0.31-1~deb10u6) buster-security; urgency=high

  * Team upload.
  * CVE-2021-30640: Fix NullPointerException.
    If no userRoleAttribute is specified in the user's Realm configuration its
    default value will be null. This will cause a NPE in the methods
    doFilterEscaping and doAttributeValueEscaping. This is upstream bug
    https://bz.apache.org/bugzilla/show_bug.cgi?id=65308
  * Fix CVE-2021-41079:
    Apache Tomcat did not properly validate incoming TLS packets. When Tomcat
    was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially
    crafted packet could be used to trigger an infinite loop resulting in a
    denial of service.

 -- Markus Koschany <email address hidden>  Sat, 25 Sep 2021 22:17:13 +0200
Superseded in sid-release
tomcat9 (9.0.58-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 9.0.58.
  * Add disable-jacoco.patch and remove the dependency on jacoco when running
    the test suite.

 -- Markus Koschany <email address hidden>  Wed, 09 Feb 2022 15:51:20 +0100

Superseded in bullseye-release
tomcat9 (9.0.43-2~deb11u3) bullseye-security; urgency=high

  * Team upload.
  * Fix CVE-2021-42340:
    Apache Tomcat did not properly release an HTTP upgrade connection for
    WebSocket connections once the WebSocket connection was closed. This
    created a memory leak that, over time, could lead to a denial of service
    via an OutOfMemoryError.

 -- Markus Koschany <email address hidden>  Fri, 12 Nov 2021 10:45:54 +0100
Superseded in sid-release
tomcat9 (9.0.55-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 9.0.55.

 -- Markus Koschany <email address hidden>  Mon, 15 Nov 2021 22:12:42 +0100

Superseded in sid-release
tomcat9 (9.0.54-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 9.0.54.
    - Fix CVE-2021-42340:
      The fix for bug 63362 introduced a memory leak. The object introduced to
      collect metrics for HTTP upgrade connections was not released for
      WebSocket connections once the connection was closed. This created a
      memory leak that, over time, could lead to a denial of service via an
      OutOfMemoryError.
  * Update 0010-debianize-build-xml.patch and depend on the setup-bnd task to
    prevent a FTBFS when building the tests. This replaces the workaround by
    setting addOSGi to false.
    Thanks to Aurimas Fišeras for the report.

 -- Markus Koschany <email address hidden>  Fri, 22 Oct 2021 21:59:08 +0200

Superseded in buster-release
tomcat9 (9.0.31-1~deb10u5) buster-security; urgency=high

  * Team upload.
  * Fix CVE-2021-30640:
    A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to
    authenticate using variations of a valid user name and/or to bypass some of
    the protection provided by the LockOut Realm.
  * Fix CVE-2021-33037:
    Apache Tomcat did not correctly parse the HTTP transfer-encoding request
    header in some circumstances leading to the possibility of request
    smuggling when used with a reverse proxy. Specifically:
    - Tomcat incorrectly ignored the transfer encoding header if the client
      declared it would only accept an HTTP/1.0 response;
    - Tomcat honoured the identity encoding; and
    - Tomcat did not ensure that, if present, the chunked encoding was the
      final encoding. (Closes: #991046)

 -- Markus Koschany <email address hidden>  Sat, 07 Aug 2021 18:25:15 +0200
Superseded in bullseye-release
tomcat9 (9.0.43-2~deb11u1) bullseye-security; urgency=medium

  * Team upload.
  * Rebuild for bullseye-security.

 -- Markus Koschany <email address hidden>  Sun, 08 Aug 2021 15:19:44 +0200
Superseded in sid-release
tomcat9 (9.0.53-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 9.0.53.
    - Drop security patches. Fixed upstream.
    - Fix CVE-2021-41079:
      Apache Tomcat did not properly validate incoming TLS packets. When Tomcat
      was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially
      crafted packet could be used to trigger an infinite loop resulting in a
      denial of service.
  * Declare compliance with Debian Policy 4.6.0.
  * Set the fileOwner of catalina.out to tomcat explicitly.
    Thanks to Adam Cecile for the report. (Closes: #987179)
  * Refresh 0021-dont-test-unsupported-ciphers.patch
  * tomcat9.cron.daily: Set maxdepth to 1 so that log files of custom
    applications in subdirectories of /var/log/tomcat9 are not compressed.
    Thanks to Ludovic Pouzenc for the report. (Closes: #982961)
  * Exclude TestJNDIRealmIntegration because of missing dependencies.
  * d/rules: dh_auto_test override: Set addOSGi to false when building the
    tests to prevent a FTBFS.

 -- Markus Koschany <email address hidden>  Fri, 24 Sep 2021 15:37:51 +0200
Superseded in sid-release
tomcat9 (9.0.43-3) unstable; urgency=medium

  * Team upload.
  * CVE-2021-30640: Fix NullPointerException.
    If no userRoleAttribute is specified in the user's Realm configuration its
    default value will be null. This will cause a NPE in the methods
    doFilterEscaping and doAttributeValueEscaping. This is upstream bug
    https://bz.apache.org/bugzilla/show_bug.cgi?id=65308

 -- Markus Koschany <email address hidden>  Tue, 10 Aug 2021 17:17:56 +0200

Superseded in sid-release
tomcat9 (9.0.43-2) unstable; urgency=medium

  * Team upload.

  [ mirabilos ]
  * fix /var/log/tomcat9 permissions
    fixup for commit 51128fe9fb2d4d0b56be675d845cf92e4301a6c3

  [ Markus Koschany ]
  * Fix CVE-2021-30640:
    A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to
    authenticate using variations of a valid user name and/or to bypass some of
    the protection provided by the LockOut Realm.
  * Fix CVE-2021-33037:
    Apache Tomcat did not correctly parse the HTTP transfer-encoding request
    header in some circumstances leading to the possibility of request
    smuggling when used with a reverse proxy. Specifically:
    - Tomcat incorrectly ignored the transfer encoding header if the client
      declared it would only accept an HTTP/1.0 response;
    - Tomcat honoured the identity encoding; and
    - Tomcat did not ensure that, if present, the chunked encoding was the
      final encoding.
    (Closes: #991046)

 -- Markus Koschany <email address hidden>  Sat, 07 Aug 2021 00:11:43 +0200

Superseded in buster-release
tomcat9 (9.0.31-1~deb10u4) buster-security; urgency=medium

  * CVE-2021-25122
  * CVE-2021-25329

 -- Moritz Mühlenhoff <email address hidden>  Mon, 12 Apr 2021 16:45:06 +0200
Superseded in buster-release
tomcat9 (9.0.31-1~deb10u3) buster-security; urgency=medium

  * Fixed CVE-2020-13943: HTTP/2 request mix-up. If an HTTP/2 client exceeded
    the agreed maximum number of concurrent streams for a connection (in
    violation of the HTTP/2 protocol), it was possible that a subsequent
    request made on that connection could contain HTTP headers - including
    HTTP/2 pseudo headers - from a previous request rather than the intended
    headers. This could lead to users seeing responses for unexpected resources.
  * Fixed CVE-2020-17527: HTTP/2 request header mix-up. It was discovered that
    Apache Tomcat could re-use an HTTP request header value from the previous
    stream received on an HTTP/2 connection for the request associated with
    the subsequent stream. While this would most likely lead to an error and
    the closure of the HTTP/2 connection, it is possible that information could
    leak between requests.

 -- Emmanuel Bourg <email address hidden>  Tue, 19 Jan 2021 23:31:47 +0100
Superseded in bullseye-release
Superseded in sid-release
tomcat9 (9.0.43-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Rotate the catalina.out log file with the tomcat user (Closes: #971583)
  * Switch to debhelper level 13

 -- Emmanuel Bourg <email address hidden>  Tue, 02 Feb 2021 20:23:51 +0100

Superseded in sid-release
tomcat9 (9.0.41-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.5.1

 -- Emmanuel Bourg <email address hidden>  Wed, 09 Dec 2020 16:03:00 +0100

Superseded in sid-release
tomcat9 (9.0.40-1) unstable; urgency=medium

  [ Emmanuel Bourg ]
  * New upstream release
    - Refreshed the patches
  * Changed the home directory of the tomcat user to /var/lib/tomcat
    (Closes: #926338)

  [ Vincent McIntyre ]
  * Automatically export the JAVA_HOME environment variable when the value
    is defined in /etc/defaults/tomcat9 (Closes: #966338)

 -- Emmanuel Bourg <email address hidden>  Tue, 24 Nov 2020 08:21:29 +0100

Superseded in sid-release
tomcat9 (9.0.39-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * tomcat9-user now depends on netcat-openbsd instead of netcat
    (Closes: #966158)

 -- Emmanuel Bourg <email address hidden>  Mon, 12 Oct 2020 17:16:57 +0200

Superseded in sid-release
tomcat9 (9.0.38-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Wed, 16 Sep 2020 16:04:03 +0200
Superseded in sid-release
tomcat9 (9.0.37-3) unstable; urgency=medium

  * control: Bump build-dep on bnd, drop bnd compat and re-export patches.
    (Closes: #964433)

 -- Timo Aaltonen <email address hidden>  Thu, 06 Aug 2020 18:59:11 +0300

Superseded in buster-release
tomcat9 (9.0.31-1~deb10u2) buster-security; urgency=high

  * Team upload.

  [ Emmanuel Bourg ]
  * Fixed CVE-2020-13935: WebSocket Denial of Service. The payload length
    in a WebSocket frame was not correctly validated. Invalid payload lengths
    could trigger an infinite loop. Multiple requests with invalid payload
    lengths could lead to a denial of service.
  * Fixed CVE-2020-13934: HTTP/2 Denial of Service. An h2c direct connection
    did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a
    sufficient number of such requests were made, an OutOfMemoryException
    could occur leading to a denial of service.

  [ Markus Koschany ]
  * Fix CVE-2020-9484:
    When using Apache Tomcat, if a) an attacker is able to control the contents
    and name of a file on the server; and b) the server is configured to use the
    PersistenceManager with a FileStore; and c) the PersistenceManager is
    configured with sessionAttributeValueClassNameFilter="null" (the default
    unless a SecurityManager is used) or a sufficiently lax filter to allow the
    attacker provided object to be deserialized; and d) the attacker knows the
    relative file path from the storage location used by FileStore to the file
    the attacker has control over; then, using a specifically crafted request,
    the attacker will be able to trigger remote code execution via
    deserialization of the file under their control. Note that all of
    conditions a) to d) must be true for the attack to succeed.
  * Fix CVE-2020-11996:
    A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat could
    trigger high CPU usage for several seconds. If a sufficient number of such
    requests were made on concurrent HTTP/2 connections, the server could
    become unresponsive.

 -- Markus Koschany <email address hidden>  Wed, 15 Jul 2020 13:43:33 +0200
Superseded in sid-release
tomcat9 (9.0.37-2) unstable; urgency=medium

  * d/p/0029-fix-regression-in-bz64540.patch: Re-export util.net.jsse
    and util.modeler.modules. (Closes: #964433)

 -- Timo Aaltonen <email address hidden>  Tue, 28 Jul 2020 14:09:13 +0300

Superseded in sid-release
tomcat9 (9.0.37-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Fixed the compatibility with the version of bnd in Debian
  * Restored execute permission on /var/log/tomcat9 to the adm group

 -- Emmanuel Bourg <email address hidden>  Mon, 06 Jul 2020 22:39:32 +0200

Superseded in sid-release
tomcat9 (9.0.36-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Grant write access on /var/log/tomcat9 to the adm group (LP: #1861881)

 -- Emmanuel Bourg <email address hidden>  Tue, 23 Jun 2020 11:47:47 +0200

Superseded in sid-release
tomcat9 (9.0.35-1) unstable; urgency=medium

  * New upstream release
    - Fixes CVE-2020-9484: Remote Code Execution via session persistence (Closes: #961209)
    - Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Thu, 21 May 2020 15:50:03 +0200

Superseded in sid-release
tomcat9 (9.0.34-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Depend on libeclipse-jdt-core-java (>= 3.18.0)
  * Switch to debhelper level 12

 -- Emmanuel Bourg <email address hidden>  Mon, 27 Apr 2020 00:36:59 +0200

Superseded in sid-release
tomcat9 (9.0.31-1) unstable; urgency=medium

  * New upstream release
    - Fixes CVE-2019-10072: Denial of Service (Closes: #930872)
    - Fixes CVE-2019-12418: Local Privilege Escalation
    - Fixes CVE-2019-17563: Session fixation attack
    - Fixes CVE-2019-17569: HTTP Request Smuggling
    - Fixes CVE-2020-1935: HTTP Request Smuggling
    - Fixes CVE-2020-1938: AJP Request Injection (Closes: #952437)
    - Fixes CATALINA_PID handling in catalina.sh (Closes: #948553)
    - Refreshed the patches
    - Fixed the compilation with Java 11
  * Moved the RequiresMountsFor directive in the service file
    to the Unit section (Closes: #942316)
  * Tightened the dependency on systemd (Closes: #931997)
  * Standards-Version updated to 4.5.0

 -- Emmanuel Bourg <email address hidden>  Mon, 24 Feb 2020 23:37:00 +0100

Superseded in sid-release
tomcat9 (9.0.27-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.4.1

 -- Emmanuel Bourg <email address hidden>  Mon, 14 Oct 2019 11:31:50 +0200

Superseded in sid-release
tomcat9 (9.0.24-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Thu, 22 Aug 2019 13:55:14 +0200

Available diffs

Superseded in sid-release
tomcat9 (9.0.22-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Track and download the new releases from GitHub
  * Standards-Version updated to 4.4.0

 -- Emmanuel Bourg <email address hidden>  Fri, 12 Jul 2019 15:01:28 +0200

Deleted in experimental-release (Reason: None provided.)
tomcat9 (9.0.16-5) experimental; urgency=low

  * Team upload.
  * Upload to experimental to get wider testing and availability
  * debian/logging.properties: Add commented-out non-systemd configuration
  * Make tomcat9 installable without systemd:
    - Readd logic to create the system user via adduser
    - Add sysvinit script, for init independence (Closes: #925473)
  * debian/README.Debian: Document non-systemd risks
  * Do not read /etc/default/tomcat9 twice

 -- Thorsten Glaser <email address hidden>  Fri, 21 Jun 2019 18:38:08 +0200
Superseded in buster-release
Superseded in sid-release
tomcat9 (9.0.16-4) unstable; urgency=medium

  * Team upload.

  [ Emmanuel Bourg ]
  * Fixed CVE-2019-0221: The SSI printenv command echoes user provided data
    without escaping and is, therefore, vulnerable to XSS. SSI is disabled
    by default (Closes: #929895)

  [ Thorsten Glaser ]
  * Remove -XX:+UseG1GC from standard JAVA_OPTS; the JRE chooses
    a suitable GC automatically anyway (Closes: #925928)
  * Correct the ownership and permissions on the log directory:
    group adm and setgid (Closes: #925929)
  * Make the startup script honour the (renamed) $SECURITY_MANAGER
  * debian/libexec/tomcat-locate-java.sh: Remove shebang and make
    not executable as this is only ever sourced (makes no sense otherwise)

  [ Christian Hänsel ]
  * Restored the variable expansion in /etc/default/tomcat9 (Closes: #926319)

 -- Emmanuel Bourg <email address hidden>  Thu, 13 Jun 2019 23:26:12 +0200

Superseded in buster-release
Superseded in sid-release
tomcat9 (9.0.16-3) unstable; urgency=medium

  * Removed read/write access to /var/lib/solr (Closes: #923299)
  * Removed the broken catalina-ws.jar and catalina-jmx-remote.jar
    symlinks in /usr/share/tomcat9/lib/

 -- Emmanuel Bourg <email address hidden>  Tue, 26 Feb 2019 09:31:13 +0100

Superseded in sid-release
tomcat9 (9.0.16-2) unstable; urgency=medium

  * Team upload.
  * tomcat9.service: Permit read and write access to /var/lib/solr too.
    (Closes: #919638)

 -- Markus Koschany <email address hidden>  Mon, 18 Feb 2019 20:58:51 +0100

Superseded in buster-release
Superseded in sid-release
tomcat9 (9.0.16-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Install the new Chinese, Czech, German, Korean and Portuguese translations
    - No longer build the extra WS and JMX jars
  * Standards-Version updated to 4.3.0

 -- Emmanuel Bourg <email address hidden>  Fri, 08 Feb 2019 08:26:48 +0100

Superseded in buster-release
Superseded in sid-release
tomcat9 (9.0.14-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Create the /var/log/tomcat9/ and /var/cache/tomcat9/ directories
    at install time (Closes: #915791)
  * Tightened the dependency on systemd

 -- Emmanuel Bourg <email address hidden>  Wed, 12 Dec 2018 13:45:52 +0100

Superseded in buster-release
Superseded in sid-release
tomcat9 (9.0.13-2) unstable; urgency=medium

  * Install the tomcat-embed-* artifacts with the 9.x version (Closes: #915578)
  * Modified the dependencies required for creating the tomcat user
    (adduser is replaced by systemd) (Closes: #915586)
  * Fixed the tomcat-jasper pom to reference the ECJ dependency
    from libeclipse-jdt-core-java
  * Removed the redundant ReadWritePaths options in the service file for the log
    and cache directories (Thanks to Lennart Poettering for the suggestion)

 -- Emmanuel Bourg <email address hidden>  Wed, 05 Dec 2018 10:04:52 +0100

Superseded in sid-release
tomcat9 (9.0.13-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Renamed the package to tomcat9
    - Removed the libservlet3.1-java package. From now on the Servlet API
      is packaged in a separate package independent from Tomcat.
    - Depend on libeclipse-jdt-core-java (>= 3.14.0) instead of libecj-java
    - Updated the policy files in /etc/tomcat8/policy.d/
    - Use the OSGi metadata generated by the upstream build
    - Deploy the Tomcat artifacts in the Maven repository with the 9.x version
    - Updated the README file
  * Removed the SysV init script
  * Restart the server automatically on failures
  * Use a fixed non-configurable user 'tomcat' to run the server
  * Removed the debconf integration. The user being now unmodifiable,
    the remaining configuration parameter JAVA_OPTS can be edited in
    /etc/default/tomcat9
  * No longer add the 'common', 'server' and 'shared' directories under
    CATALINA_HOME and CATALINA_BASE to the classpath. Extra jar files should go
    to the 'lib' directory.
  * Let Tomcat handle the rotation of its log files with the maxDays parameter
    of the valves and log handlers instead of relying on a cron job
  * Renamed the TOMCAT_SECURITY parameter to SECURITY_MANAGER in the service
    configuration file
  * Simplified the postinst script by using systemd-sysusers to create
    the 'tomcat' user
  * No longer create the /etc/tomcat9/Catalina/localhost directory at install
    time and let Tomcat create it automatically
  * Let systemd automatically create /var/log/tomcat9 and /var/cache/tomcat9
  * Prevent Tomcat from writing outside of /var/log/tomcat9, /var/cache/tomcat9,
    /var/lib/tomcat9/webapps and /etc/tomcat9/Catalina by default. This can be
    overridden (see the README file).
  * Build and install the extra jar catalina-ws.jar
  * No longer recommend libcommons-pool-java and libcommons-dbcp-java since
    Tomcat already embeds its own version of these libraries
  * Support three-way merge when upgrading the configuration files
  * Use the G1 garbage collector by default instead of Concurrent Mark Sweep
  * The setenv.sh script in tomcat9-user and the service startup script now
    share the same JDK detection logic

 -- Emmanuel Bourg <email address hidden>  Wed, 28 Nov 2018 15:06:00 +0100