Change logs for tomcat7 source package in Jessie

  • tomcat7 (7.0.56-3+deb8u11) jessie-security; urgency=high
    
      * Team upload.
      * Fix CVE-2017-5664.
        The error page mechanism of the Java Servlet Specification requires that,
        when an error occurs and an error page is configured for the error that
        occurred, the original request and response are forwarded to the error
        page. This means that the request is presented to the error page with the
        original HTTP method. If the error page is a static file, expected
        behaviour is to serve content of the file as if processing a GET request,
        regardless of the actual HTTP method. The Default Servlet in Apache Tomcat
        did not do this. Depending on the original request this could lead to
        unexpected and undesirable results for static error pages including, if the
        DefaultServlet is configured to permit writes, the replacement or removal
        of the custom error page. (Closes: #864447)
    
     -- Markus Koschany <email address hidden>  Tue, 20 Jun 2017 20:10:32 +0200
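The entry above describes the mechanism behind CVE-2017-5664: an error-page forward carries the original HTTP method, so a static error page served by a write-enabled DefaultServlet could be overwritten or deleted. The following is an added illustration, not Tomcat's code and not part of the Debian changelog: a constructed Python model of a static-file servlet and an error-page dispatcher, with a `force_get_on_error` switch that contrasts the old behaviour (method forwarded unchanged) with the fixed behaviour (static error page always rendered as a GET). All names, paths and files are invented for the example.

```python
"""Constructed model of servlet error-page dispatch (illustration only, not Tomcat code)."""
from dataclasses import dataclass


@dataclass
class Response:
    status: int = 200
    body: str = ""


class StaticFileServlet:
    """Stand-in for a default servlet serving static files.

    readonly=False models a DefaultServlet configured to permit writes
    (PUT and DELETE); the default, readonly=True, rejects them.
    """

    def __init__(self, files, readonly=True):
        self.files = dict(files)  # path -> content (in-memory "filesystem")
        self.readonly = readonly

    def service(self, method, path, body=None):
        resp = Response()
        if method == "GET":
            if path in self.files:
                resp.body = self.files[path]
            else:
                resp.status = 404
        elif method == "DELETE":
            if path not in self.files:
                resp.status = 404
            elif self.readonly:
                resp.status = 405
            else:
                del self.files[path]
                resp.status = 204
        elif method == "PUT":
            if self.readonly:
                resp.status = 405
            else:
                self.files[path] = body or ""
                resp.status = 201
        else:
            resp.status = 405
        return resp


# Constructed error-page configuration (like <error-page> entries in web.xml).
ERROR_PAGES = {404: "/error/404.html"}


def dispatch(servlet, method, path, body=None, force_get_on_error=True):
    """Serve a request and, on a configured error status, forward to the error page.

    force_get_on_error=True is the corrected behaviour: a static error page is
    served as if by a GET regardless of the original method.
    force_get_on_error=False reproduces the flaw: the original method is
    forwarded to the error page, so a DELETE can remove it.
    """
    resp = servlet.service(method, path, body)
    if resp.status in ERROR_PAGES:
        forwarded_method = "GET" if force_get_on_error else method
        page = servlet.service(forwarded_method, ERROR_PAGES[resp.status], body)
        resp.body = page.body  # error status is kept; body comes from the error page
    return resp


def error_page_survives(force_get_on_error):
    """Return (error page still present?, body returned) after a DELETE that 404s."""
    servlet = StaticFileServlet({"/error/404.html": "<h1>Not found</h1>"}, readonly=False)
    resp = dispatch(servlet, "DELETE", "/does-not-exist",
                    force_get_on_error=force_get_on_error)
    return "/error/404.html" in servlet.files, resp.body


if __name__ == "__main__":
    print("fixed:     ", error_page_survives(True))
    print("vulnerable:", error_page_survives(False))
```

The model keeps the error status from the original request and only takes the body from the error page, which is the observable difference the fix preserves; a read-only servlet (the default) is not affected in either mode because writes are refused before the file map is touched.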
  • tomcat7 (7.0.56-3+deb8u9) jessie-security; urgency=high
    
      * Team upload.
      * Add BZ57544-infinite-loop-part2.patch.
        Fix regression due to an incomplete fix for CVE-2017-6056.
        See #854551 for further information.
    
     -- Markus Koschany <email address hidden>  Sat, 18 Feb 2017 19:16:13 +0100
  • tomcat7 (7.0.56-3+deb8u7) jessie-security; urgency=high
    
      * Fixed CVE-2016-8745: A bug in the error handling of the send file code for
        the NIO HTTP connector resulted in the current Processor object being added
        to the Processor cache multiple times. This in turn meant that the same
        Processor could be used for concurrent requests. Sharing a Processor can
        result in information leakage between requests including, but not limited
        to, session ID and the response body.
    
     -- Emmanuel Bourg <email address hidden>  Thu, 05 Jan 2017 18:15:56 +0100
  • tomcat7 (7.0.56-3+deb8u3) jessie-security; urgency=high
    
      * Fixed CVE-2016-3092: Denial-of-Service vulnerability with file uploads
    
     -- Emmanuel Bourg <email address hidden>  Wed, 22 Jun 2016 11:48:45 +0200
  • tomcat7 (7.0.56-3+deb8u2) jessie-security; urgency=high
    
      * Team upload.
      * Fix CVE-2015-5174:
        Directory traversal vulnerability in RequestUtil.java allows remote
        authenticated users to bypass intended SecurityManager restrictions and
        list a parent directory via a /.. (slash dot dot) in a pathname used by a
        web application in a getResource, getResourceAsStream, or getResourcePaths
        call, as demonstrated by the $CATALINA_BASE/webapps directory.
      * Fix CVE-2015-5345:
        The Mapper component in Apache Tomcat processes redirects before
        considering security constraints and Filters, which allows remote attackers
        to determine the existence of a directory via a URL that lacks a trailing /
        (slash) character.
      * Fix CVE-2015-5346:
        Session fixation vulnerability in Apache Tomcat when different session
        settings are used for deployments of multiple versions of the same web
        application, might allow remote attackers to hijack web sessions by
        leveraging use of a requestedSessionSSL field for an unintended request,
        related to CoyoteAdapter.java and Request.java.
      * Fix CVE-2015-5351:
        The Manager and Host Manager applications in Apache Tomcat establish
        sessions and send CSRF tokens for arbitrary new requests, which allows
        remote attackers to bypass a CSRF protection mechanism by using a token.
      * Fix CVE-2016-0706:
        Apache Tomcat does not place
        org.apache.catalina.manager.StatusManagerServlet on the
        org/apache/catalina/core/RestrictedServlets.properties list, which allows
        remote authenticated users to bypass intended SecurityManager restrictions
        and read arbitrary HTTP requests, and consequently discover session ID
        values, via a crafted web application.
      * Fix CVE-2016-0714:
        The session-persistence implementation in Apache Tomcat mishandles session
        attributes, which allows remote authenticated users to bypass intended
        SecurityManager restrictions and execute arbitrary code in a privileged
        context via a web application that places a crafted object in a session.
      * Fix CVE-2016-0763:
        The setGlobalContext method in
        org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
        not consider whether ResourceLinkFactory.setGlobalContext callers are
        authorized, which allows remote authenticated users to bypass intended
        SecurityManager restrictions and read or write to arbitrary application
        data, or cause a denial of service (application disruption), via a web
        application that sets a crafted global context.
    
     -- Markus Koschany <email address hidden>  Sat, 16 Apr 2016 09:10:22 +0000
  • tomcat7 (7.0.56-3+deb8u1) jessie-security; urgency=medium
    
      * Fixed CVE-2014-7810: Malicious web applications could use expression
        language to bypass the protections of a Security Manager as expressions
        were evaluated within a privileged code section.
    
     -- Emmanuel Bourg <email address hidden>  Fri, 18 Dec 2015 12:42:53 +0100
  • tomcat7 (7.0.56-3) unstable; urgency=medium
    
      * Provide a clearer and more maintainable fix for #780519, using an approach
        similar to the one Emmanuel used to fix a similar issue in stable in
        the past.
    
     -- Miguel Landaeta <email address hidden>  Sat, 28 Mar 2015 13:14:04 -0300
  • tomcat7 (7.0.56-1) unstable; urgency=medium
    
      * New upstream release
      * Install the extra jar catalina-jmx-remote.jar (Closes: #719921)
      * Removed the note about the authbind IPv6 incompatibility
        in /etc/defaults/tomcat7
      * Added the SimpleInstanceManager class from Tomcat 8 to help integrating
        the JSP compiler into Jetty 8
    
     -- Emmanuel Bourg <email address hidden>  Mon, 06 Oct 2014 10:25:48 +0200
  • tomcat7 (7.0.55-1) unstable; urgency=medium
    
      * New upstream release
      * Refreshed the patches
    
     -- Emmanuel Bourg <email address hidden>  Tue, 29 Jul 2014 17:25:50 +0200
  • tomcat7 (7.0.54-2) unstable; urgency=medium
    
      [ Emmanuel Bourg ]
      * debian/defaults.template: Bumped the required version of Java mentioned
        in the comment on the JAVA_HOME variable
      * debian/tomcat7.init: Search for OpenJDK 8 and Oracle JDKs when starting
        the server (Closes: #714349)
      * Updated the version required for libtcnative-1 (>= 1.1.30)
        (Closes: #750454)
    
     -- tony mancill <email address hidden>  Sat, 14 Jun 2014 08:09:02 -0700
  • tomcat7 (7.0.54-1) unstable; urgency=medium
    
      * New upstream release
      * Refreshed the patches
      * Use XZ compression for the upstream tarball
    
     -- Emmanuel Bourg <email address hidden>  Thu, 22 May 2014 10:27:10 +0200
  • tomcat7 (7.0.53-1) unstable; urgency=low
    
      * New upstream release.
      * Refresh patches:
        - debian/patches/0011-fix-classpath-lintian-warnings.patch.
        - debian/patches/0015_disable_test_TestCometProcessor.patch.
      * Add new patch:
        - Disabled Java 8 support in JSPs (requires an Eclipse compiler update).
      * Update my email address in Uploaders list.
    
     -- Miguel Landaeta <email address hidden>  Thu, 01 May 2014 23:33:35 -0300
  • tomcat7 (7.0.52-1) unstable; urgency=low
    
      * Team upload.
      * New upstream release.
        - Addresses security issue: CVE-2014-0050
    
     -- Gianfranco Costamagna <email address hidden>  Wed, 19 Feb 2014 14:09:48 +0100
  • tomcat7 (7.0.50-1) unstable; urgency=medium
    
      * New upstream release.
    
     -- James Page <email address hidden>  Tue, 14 Jan 2014 18:09:28 +0000
  • tomcat7 (7.0.47-1) unstable; urgency=low
    
      [ Gianfranco Costamagna ]
      * Team upload.
      * New upstream release, patch refresh.
      * Renamed patch fix-manager-webapp.path
        to fix-manager-webapp.patch (extension typo).
      * Refresh patches for upstream release.
      * Removed -Djava.net.preferIPv4Stack=true
        from init script (lp: #1088681),
        thanks Hendrik Haddorp.
      * Added webapp manager path patch (lp: #1128067)
        thanks TJ.
    
      [ tony mancill ]
      * Bump Standards-Version to 3.9.5.
      * Change copyright year in javadocs to 2013.
      * Add patch to include the distribution name in error pages.
        (Closes: #729840)
    
     -- tony mancill <email address hidden>  Tue, 24 Dec 2013 16:46:34 +0000
  • tomcat7 (7.0.42-1) unstable; urgency=low
    
      [ Gianfranco Costamagna ]
      * Team upload.
      * New upstream release.
      * Added libhamcrest-java >= 1.3 as build-dep,
        tweaked debian/rules.
      * Bumped compat level to 9.
      * Removed some version checks, newer releases already in oldstable.
      * Refresh patches.
      * debian/control: changed Vcs-Git and Vcs-Browser fields,
        now they are canonical.
      * Fixed error message in Tomcat init script,
        patch by Thijs Kinkhorst (Closes: #714348)
    
     -- Gianfranco Costamagna <email address hidden>  Tue, 16 Jul 2013 17:34:58 +0200
  • tomcat7 (7.0.40-2) unstable; urgency=low
    
      * Fix deployment of POMs for libservlet-3.0-java JARs into javax
        coordinates.
        - JARs were deployed into maven-repo, but not POMs.
      * Fix servlet-api groupId in d/javaxpoms/jsp-api.pom.
    
     -- Jakub Adam <email address hidden>  Thu, 16 May 2013 17:35:52 +0200
  • tomcat7 (7.0.28-4) unstable; urgency=high
    
      * Acknowledge NMU: 7.0.28-3+nmu1 (Closes: #692440)
        - Thank you to Michael Gilbert.
      * Add patches for the following security issues: (Closes: #695251)
        - CVE-2012-4431, CVE-2012-3546
    
     -- tony mancill <email address hidden>  Thu, 06 Dec 2012 22:25:07 -0800