--- tomcat6-6.0.18.orig/debian/tomcat6.cron.daily
+++ tomcat6-6.0.18/debian/tomcat6.cron.daily
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+NAME=tomcat6
+DEFAULT=/etc/default/$NAME
+
+# The following variables can be overwritten in $DEFAULT
+
+# Default for number of days to keep old log files in /var/log/tomcatN/
+LOGFILE_DAYS=14
+
+# End of variables that can be overwritten in $DEFAULT
+
+# overwrite settings from default file
+if [ -f "$DEFAULT" ]; then
+ . "$DEFAULT"
+fi
+
+if [ -d /var/log/$NAME ]; then
+ find /var/log/$NAME/ -name \*.log -mtime +$LOGFILE_DAYS -print0 \
+ | xargs --no-run-if-empty -0 rm --
+fi
--- tomcat6-6.0.18.orig/debian/tomcat6.default
+++ tomcat6-6.0.18/debian/tomcat6.default
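Review bot: The cleanup pipeline runs as root over /var/log/tomcat6, which debian/tomcat6.postinst in this patch hands to the tomcat6 account, and `find … -print0 | xargs … rm --` resolves every path by name a second time after find has matched it. A path component replaced between the match and the `rm` would be followed by root, and without a type test the pattern matches anything whose name ends in `.log`, not only regular files. Letting find remove the entries itself narrows that window on GNU find: `find /var/log/$NAME/ -type f -name '*.log' -mtime +"$LOGFILE_DAYS" -delete`. `LOGFILE_DAYS` comes unvalidated from the sourced defaults file, so quoting it as shown keeps a stray space from altering the find expression.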
@@ -0,0 +1,32 @@
+# Run Tomcat as this user ID. Not setting this or leaving it blank will use the
+# default of tomcat6.
+#TOMCAT6_USER=tomcat6
+
+# The home directory of the Java development kit (JDK). You need at least
+# JDK version 1.5. If JAVA_HOME is not set, some common directories for
+# OpenJDK, the Sun JDK, and various J2SE 1.5 versions are tried.
+#JAVA_HOME=/usr/lib/jvm/openjdk-6-jdk
+
+# Directory for per-instance configuration files and webapps. It contains the
+# directories conf, logs, webapps, work and temp. See RUNNING.txt for details.
+# Default: /var/lib/tomcat6
+#CATALINA_BASE=/var/lib/tomcat6
+
+# Arguments to pass to the Java virtual machine (JVM).
+#JAVA_OPTS="-Djava.awt.headless=true -Xmx128M"
+
+# Java compiler to use for translating JavaServer Pages (JSPs). You can use all
+# compilers that are accepted by Ant's build.compiler property.
+#JSP_COMPILER=jikes
+
+# Use the Java security manager? (yes/no, default: yes)
+# WARNING: Do not disable the security manager unless you understand
+# the consequences!
+#TOMCAT6_SECURITY=yes
+
+# Number of days to keep logfiles in /var/log/tomcat6. Default is 14 days.
+#LOGFILE_DAYS=14
+
+# Location of the JVM temporary directory
+# WARNING: This directory will be destroyed and recreated at every startup !
+#JVM_TMP=/tmp/tomcat6-temp
--- tomcat6-6.0.18.orig/debian/tomcat6.links
+++ tomcat6-6.0.18/debian/tomcat6.links
@@ -0,0 +1,3 @@
+/etc/tomcat6 /var/lib/tomcat6/conf
+/var/cache/tomcat6 /var/lib/tomcat6/work
+/var/log/tomcat6 /var/lib/tomcat6/logs
--- tomcat6-6.0.18.orig/debian/tomcat6-user.install
+++ tomcat6-6.0.18/debian/tomcat6-user.install
@@ -0,0 +1,5 @@
+conf/*.xml /usr/share/tomcat6/skel/conf/
+conf/catalina.properties /usr/share/tomcat6/skel/conf/
+debian/logging.properties /usr/share/tomcat6/skel/conf/
+debian/tomcat6-instance-create /usr/bin/
+debian/setenv.sh /usr/share/tomcat6/skel/bin/
--- tomcat6-6.0.18.orig/debian/tomcat6.dirs
+++ tomcat6-6.0.18/debian/tomcat6.dirs
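Review bot: The JVM_TMP comment should state that the path must be a directory dedicated to Tomcat, because debian/tomcat6.init in this patch runs `rm -rf "$JVM_TMP"` as root on every start and again on every stop. The current warning mentions only startup and does not tell an administrator that pointing the setting at a shared location would erase that location. Suggested wording: `# WARNING: This directory is removed (rm -rf, as root) and recreated at every start, and removed again at every stop. Use a path dedicated to Tomcat, never a shared directory.`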
@@ -0,0 +1,4 @@
+var/log/tomcat6
+var/lib/tomcat6/webapps
+var/cache/tomcat6
+etc/tomcat6/Catalina/localhost
--- tomcat6-6.0.18.orig/debian/tomcat6-docs.install
+++ tomcat6-6.0.18/debian/tomcat6-docs.install
@@ -0,0 +1,2 @@
+debian/context/docs.xml /etc/tomcat6/Catalina/localhost/
+output/build/webapps/docs /usr/share/tomcat6-docs/
--- tomcat6-6.0.18.orig/debian/tomcat6-instance-create
+++ tomcat6-6.0.18/debian/tomcat6-instance-create
@@ -0,0 +1,139 @@ +#!/bin/sh +# Script to create a CATALINA_BASE directory for your own tomcat + +PROG=`basename $0` +TARGET="" +HPORT=8080 +CPORT=8005 +CWORD="SHUTDOWN" +warned=0 +warnlowport=0 + +usage() { + echo "Usage: $PROG [options] " + echo " directoryname: name of the tomcat instance directory to create" + echo "Options:" + echo " -h, --help Display this help message" + echo " -p httpport HTTP port to be used by Tomcat (default is $HPORT)" + echo " -c controlport Server shutdown control port (default is $CPORT)" + echo " -w magicword Word to send to trigger shutdown (default is $CWORD)" +} + +checkport() { + type=$1 + port=$2 + # Fail if port is non-numeric + num=`expr ${port} + 1 2> /dev/null` + if [ $? != 0 ] || [ $num -lt 2 ]; then + echo "Error: ${type} port '${port}' is not a valid TCP port number." + exit 1 + fi + + # Fail if port is above 65535 + if [ ${port} -gt 65535 ]; then + echo "Error: ${type} port ${port} is above TCP port numbers (> 65535)." + exit 1 + fi + + # Warn if port is below 1024 (once) + if [ ${warnlowport} -eq 0 ]; then + if [ ${port} -lt 1024 ]; then + echo "Warning: ports below 1024 are reserved to the super-user." + warnlowport=1 + warned=1 + fi + fi + + # Warn if port appears to be in use + if nc localhost "${port}" -z > /dev/null; then + echo "Warning: ${type} port ${port} appears to be in use." + warned=1 + fi +} + +if [ "$#" -lt 1 ]; then + usage + exit 1 +fi +if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then + usage + exit 0 +fi + + + +while getopts ":p:c:w:h" options; do + case $options in + p ) HPORT=$OPTARG + shift; shift ;; + c ) CPORT=$OPTARG + shift; shift ;; + w ) CWORD=$OPTARG + shift; shift ;; + h ) usage;; + * ) echo "Error: Unknown parameter '$OPTARG'." + exit 1;; + esac +done + +TARGET=$1 +shift +echo "You are about to create a Tomcat instance in directory '$TARGET'" + +# Fail if no target specified +if [ -z "${TARGET}" ]; then + echo "Error: No target directory specified (use -d)." 
+ exit 1 +fi + +# Fail if ports are the same +if [ "${HPORT}" = "${CPORT}" ]; then + echo "Error: HTTP port and control port must be different." + exit 1 +fi + +# Fail if target directory already exists +if [ -d "${TARGET}" ]; then + echo "Error: Target directory already exists." + exit 1 +fi + +# Check ports +checkport HTTP "${HPORT}" +checkport Control "${CPORT}" + +# Ask for confirmation if warnings were printed out +if [ ${warned} -eq 1 ]; then + echo "Type to continue, to abort." + read answer +fi + +mkdir -p ${TARGET} + +FULLTARGET=`cd ${TARGET}; pwd` + +mkdir ${TARGET}/conf +mkdir ${TARGET}/logs +mkdir ${TARGET}/webapps +mkdir ${TARGET}/work +mkdir ${TARGET}/temp +cp -r /usr/share/tomcat6/skel/* ${TARGET} + +sed -i -e "s/Connector port=\"8080\"/Connector port=\"${HPORT}\"/;s/Server port=\"8005\" shutdown=\"SHUTDOWN\"/Server port=\"${CPORT}\" shutdown=\"${CWORD}\"/" ${TARGET}/conf/server.xml + +cat > ${TARGET}/bin/startup.sh << EOT +#!/bin/sh +export CATALINA_BASE=${FULLTARGET} +/usr/share/tomcat6/bin/startup.sh +EOT + +cat > ${TARGET}/bin/shutdown.sh << EOT +#!/bin/sh +export CATALINA_BASE=${FULLTARGET} +/usr/share/tomcat6/bin/shutdown.sh +EOT + +chmod a+x ${TARGET}/bin/startup.sh ${TARGET}/bin/shutdown.sh +echo "* New Tomcat instance created in ${TARGET}" +echo "* You might want to edit default configuration in ${TARGET}/conf" +echo "* Run ${TARGET}/bin/startup.sh to start your Tomcat instance" --- tomcat6-6.0.18.orig/debian/tomcat6-instance-create.1 +++ tomcat6-6.0.18/debian/tomcat6-instance-create.1 
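Review bot: The `shift; shift` inside each getopts arm desynchronises the positional parameters from OPTIND, so an invocation with two options (for example `-p 8081 -c 8006 dir`) stops parsing after the first one and `TARGET=$1` picks up `-c` instead of the directory name. Drop the per-arm shifts and do a single `shift $((OPTIND - 1))` after the loop. The value given to `-w` is also spliced unescaped into the sed replacement and into the `shutdown="…"` attribute of server.xml, so a word containing `/`, `&` or `"` yields a broken expression or malformed XML; restricting it to a conservative character set before use avoids that. `${TARGET}` is additionally unquoted in the mkdir, cp, sed and cat lines further down, which breaks on directory names containing spaces.

```sh
while getopts ":p:c:w:h" options; do
  case $options in
    p ) HPORT=$OPTARG ;;
    c ) CPORT=$OPTARG ;;
    w ) CWORD=$OPTARG ;;
    # … unchanged: h and * arms …
  esac
done
shift $((OPTIND - 1))

# Reject shutdown words that would need escaping in sed or in the XML attribute
case "${CWORD}" in
  ""|*[!A-Za-z0-9_-]*)
    echo "Error: shutdown word may only contain letters, digits, '_' and '-'."
    exit 1 ;;
esac

TARGET=$1
```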
@@ -0,0 +1,24 @@ +.TH "TOMCAT6-INSTANCE-CREATE" "1" "Dec 2008" "" "" +.SH "NAME" +tomcat6\-instance\-create \- creates a Tomcat6 instance +.SH "SYNOPSIS" +.B tomcat6\-instance\-create [\fIOPTIONS\fR] \fIDIRECTORYNAME\fR +.SH "DESCRIPTION" +The +.B tomcat6\-instance\-create +script creates a directory with all required Tomcat6 CATALINA_BASE elements so that a separate Tomcat 6 instance with its own configuration, libraries or web applications can be run by a user. bin/startup.sh and bin/shutdown.sh scripts are also generated to allow the instance to be started and stopped. +.TP +.B DIRECTORYNAME +The name of the directory where the instance will be created. It should not exist and will be created automatically. +.SH "OPTIONS" +.TP +.B \-p HTTPPORT +The TCP port to use for the default HTTP connector in the instance. The default port is 8080. +.TP +.B \-c CONTROLPORT +The TCP port to use for Tomcat shutdown control port. The default port is 8005. +.TP +.B \-w MAGICWORD +The magic word that sent to the control port will trigger the shutdown of the Tomcat instance. The default word is SHUTDOWN. +.SH "AUTHOR" +This man page was written by Thierry Carrez and is copyright (C) 2008 Canonical Ltd. --- tomcat6-6.0.18.orig/debian/tomcat6-common.install +++ tomcat6-6.0.18/debian/tomcat6-common.install @@ -0,0 +1,2 @@ +output/build/bin/* /usr/share/tomcat6/bin/ +bin/* /usr/share/tomcat6/bin/ --- tomcat6-6.0.18.orig/debian/setenv.sh +++ tomcat6-6.0.18/debian/setenv.sh 
@@ -0,0 +1,26 @@
+#!/bin/sh
+#
+
+CATALINA_HOME=/usr/share/tomcat6
+
+# The first existing directory is used for JAVA_HOME (if JAVA_HOME is not
+# defined in $DEFAULT)
+JDK_DIRS="/usr/lib/jvm/java-6-openjdk /usr/lib/jvm/java-6-sun /usr/lib/jvm/java-1.5.0-sun /usr/lib/j2sdk1.5-sun /usr/lib/j2sdk1.5-ibm"
+
+# Look for the right JVM to use
+for jdir in $JDK_DIRS; do
+ if [ -r "$jdir/bin/java" -a -z "${JAVA_HOME}" ]; then
+ JAVA_HOME_TMP="$jdir"
+ # checks for a real JDK like environment, needed to check if
+ # really the java-gcj-compat-dev package is installed
+ if [ -r "$jdir/bin/jdb" ]; then
+ JAVA_HOME="$JAVA_HOME_TMP"
+ fi
+ fi
+done
+
+# Default Java options
+if [ -z "$JAVA_OPTS" ]; then
+ JAVA_OPTS="-Djava.awt.headless=true -Xmx128M"
+fi
+
--- tomcat6-6.0.18.orig/debian/tomcat6.init
+++ tomcat6-6.0.18/debian/tomcat6.init
@@ -0,0 +1,227 @@ +#!/bin/sh +# +# /etc/init.d/tomcat6 -- startup script for the Tomcat 6 servlet engine +# +# Written by Miquel van Smoorenburg . +# Modified for Debian GNU/Linux by Ian Murdock . +# Modified for Tomcat by Stefan Gybas . +# Modified for Tomcat6 by Thierry Carrez . +# +### BEGIN INIT INFO +# Provides: tomcat +# Required-Start: $local_fs $remote_fs $network +# Required-Stop: $local_fs $remote_fs $network +# Should-Start: $named +# Should-Stop: $named +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Start Tomcat. +# Description: Start the Tomcat servlet engine. +### END INIT INFO + +set -e + +PATH=/bin:/usr/bin:/sbin:/usr/sbin +NAME=tomcat6 +DESC="Tomcat servlet engine" +DAEMON=/usr/bin/jsvc +CATALINA_HOME=/usr/share/$NAME +DEFAULT=/etc/default/$NAME +JVM_TMP=/tmp/tomcat6-temp + +if [ `id -u` -ne 0 ]; then + echo "You need root privileges to run this script" + exit 1 +fi + +# Make sure tomcat is started with system locale +if [ -r /etc/default/locale ]; then + . /etc/default/locale + export LANG +fi + +. /lib/lsb/init-functions +. /etc/default/rcS + + +# The following variables can be overwritten in $DEFAULT + +# Run Tomcat 6 as this user ID +TOMCAT6_USER=tomcat6 + +# The first existing directory is used for JAVA_HOME (if JAVA_HOME is not +# defined in $DEFAULT) +JDK_DIRS="/usr/lib/jvm/java-6-openjdk /usr/lib/jvm/java-6-sun /usr/lib/jvm/java-1.5.0-sun /usr/lib/j2sdk1.5-sun /usr/lib/j2sdk1.5-ibm" + +# Look for the right JVM to use +for jdir in $JDK_DIRS; do + if [ -r "$jdir/bin/java" -a -z "${JAVA_HOME}" ]; then + JAVA_HOME="$jdir" + fi +done +export JAVA_HOME + +# Directory for per-instance configuration files and webapps +CATALINA_BASE=/var/lib/$NAME + +# Use the Java security manager? 
(yes/no) +TOMCAT6_SECURITY=yes + +# Default Java options +# Set java.awt.headless=true if JAVA_OPTS is not set so the +# Xalan XSL transformer can work without X11 display on JDK 1.4+ +# It also looks like the default heap size of 64M is not enough for most cases +# so the maximum heap size is set to 128M +if [ -z "$JAVA_OPTS" ]; then + JAVA_OPTS="-Djava.awt.headless=true -Xmx128M" +fi + +# End of variables that can be overwritten in $DEFAULT + +# overwrite settings from default file +if [ -f "$DEFAULT" ]; then + . "$DEFAULT" +fi + +if [ ! -f "$CATALINA_HOME/bin/bootstrap.jar" ]; then + log_failure_msg "$NAME is not installed" + exit 1 +fi + +if [ ! -f "$DAEMON" ]; then + log_failure_msg "missing $DAEMON" + exit 1 +fi + +POLICY_CACHE="$CATALINA_BASE/work/catalina.policy" + +JAVA_OPTS="$JAVA_OPTS -Djava.endorsed.dirs=$CATALINA_HOME/endorsed -Dcatalina.base=$CATALINA_BASE -Dcatalina.home=$CATALINA_HOME -Djava.io.tmpdir=$JVM_TMP" + +# Set the JSP compiler if set in the tomcat6.default file +if [ -n "$JSP_COMPILER" ]; then + JAVA_OPTS="$JAVA_OPTS -Dbuild.compiler=$JSP_COMPILER" +fi + +if [ "$TOMCAT6_SECURITY" = "yes" ]; then + JAVA_OPTS="$JAVA_OPTS -Djava.security.manager -Djava.security.policy=$POLICY_CACHE" +fi + +# Set juli LogManager if logging.properties is provided +if [ -r "$CATALINA_BASE"/conf/logging.properties ]; then + JAVA_OPTS="$JAVA_OPTS "-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager" "-Djava.util.logging.config.file="$CATALINA_BASE/conf/logging.properties" +fi + +# Define other required variables +CATALINA_PID="/var/run/$NAME.pid" +BOOTSTRAP_CLASS=org.apache.catalina.startup.Bootstrap +JSVC_CLASSPATH="/usr/share/java/commons-daemon.jar:$CATALINA_HOME/bin/bootstrap.jar" + +# Look for Java Secure Sockets Extension (JSSE) JARs +if [ -z "${JSSE_HOME}" -a -r "${JAVA_HOME}/jre/lib/jsse.jar" ]; then + JSSE_HOME="${JAVA_HOME}/jre/" +fi +export JSSE_HOME + +case "$1" in + start) + if [ -z "$JAVA_HOME" ]; then + log_failure_msg "no JDK found - 
please set JAVA_HOME" + exit 1 + fi + + if [ ! -d "$CATALINA_BASE/conf" ]; then + log_failure_msg "invalid CATALINA_BASE: $CATALINA_BASE" + exit 1 + fi + + log_daemon_msg "Starting $DESC" "$NAME" + if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \ + --user $TOMCAT6_USER --startas "$JAVA_HOME/bin/java" \ + >/dev/null; then + + # Regenerate POLICY_CACHE file + umask 022 + echo "// AUTO-GENERATED FILE from /etc/tomcat6/policy.d/" \ + > "$POLICY_CACHE" + echo "" >> "$POLICY_CACHE" + cat $CATALINA_BASE/conf/policy.d/*.policy \ + >> "$POLICY_CACHE" + + # Remove / recreate JVM_TMP directory + rm -rf "$JVM_TMP" + mkdir "$JVM_TMP" || { + log_failure_msg "could not create JVM temporary directory" + exit 1 + } + chown $TOMCAT6_USER "$JVM_TMP" + cd "$JVM_TMP" + + $DAEMON -user "$TOMCAT6_USER" -cp "$JSVC_CLASSPATH" \ + -outfile SYSLOG -errfile SYSLOG \ + -pidfile "$CATALINA_PID" $JAVA_OPTS "$BOOTSTRAP_CLASS" + + sleep 5 + if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \ + --user $TOMCAT6_USER --startas "$JAVA_HOME/bin/java" \ + >/dev/null; then + log_end_msg 1 + else + log_end_msg 0 + fi + else + log_progress_msg "(already running)" + log_end_msg 0 + fi + ;; + stop) + log_daemon_msg "Stopping $DESC" "$NAME" + if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \ + --user "$TOMCAT6_USER" --startas "$JAVA_HOME/bin/java" \ + >/dev/null; then + log_progress_msg "(not running)" + else + $DAEMON -cp "$JSVC_CLASSPATH" -pidfile "$CATALINA_PID" \ + -stop "$BOOTSTRAP_CLASS" + fi + rm -rf "$JVM_TMP" + log_end_msg 0 + ;; + status) + if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \ + --user $TOMCAT6_USER --startas "$JAVA_HOME/bin/java" \ + >/dev/null; then + + if [ -f "$CATALINA_PID" ]; then + log_success_msg "$DESC is not running, but pid file exists." + exit 1 + else + log_success_msg "$DESC is not running." 
+ exit 3 + fi + else + log_success_msg "$DESC is running with pid `cat $CATALINA_PID`" + fi + ;; + restart|force-reload) + if start-stop-daemon --test --stop --pidfile "$CATALINA_PID" \ + --user $TOMCAT6_USER --startas "$JAVA_HOME/bin/java" \ + >/dev/null; then + $0 stop + sleep 1 + fi + $0 start + ;; + try-restart) + if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \ + --user $TOMCAT6_USER --startas "$JAVA_HOME/bin/java" \ + >/dev/null; then + $0 start + fi + ;; + *) + log_success_msg "Usage: $0 {start|stop|restart|try-restart|force-reload|status}" + exit 1 + ;; +esac + +exit 0 --- tomcat6-6.0.18.orig/debian/README.Debian +++ tomcat6-6.0.18/debian/README.Debian 
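Review bot: In the `start` branch root writes through paths that unprivileged accounts control: `> "$POLICY_CACHE"` targets $CATALINA_BASE/work, which tomcat6.links maps to /var/cache/tomcat6 and tomcat6.postinst gives to the tomcat6 user, and JVM_TMP defaults to the fixed name /tmp/tomcat6-temp. A link left at catalina.policy by the service account would be followed by the redirection at the next start, and any local user who creates /tmp/tomcat6-temp between the `rm -rf` and the `mkdir` makes the start fail. Generate the policy in a directory only root can write (or at the very least `rm -f "$POLICY_CACHE"` first and write it under `set -C`), and put the JVM temporary directory under a parent that only root can write instead of directly in /tmp. Separately, `try-restart` tests `--test --start`, which succeeds when Tomcat is not running, so it starts a stopped service rather than restarting a running one.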
@@ -0,0 +1,33 @@ +Differences introduced in the tomcat6-6.0.18-0ubuntu4 release: + +- The default JVM temporary directory (java.io.tmpdir), which originally was + located in /var/lib/tomcat6/temp, was moved to /tmp/tomcat6-temp. You can + change its location by editing the JVM_TMP setting in /etc/default/tomcat6. + This directory will get purged every time Tomcat starts (or stops). The + default security policy was modified to allow webapps to use that directory + for temporary file creation. + +-- Thierry Carrez Wed, 26 Nov 2008 15:54:17 +0000 + +Main differences with the Tomcat 5.5 packages: + +- These packages conform to the CATALINA_BASE spec described in RUNNING.txt, + in order to be able to run multiple instances of Tomcat on the same + machine. +- The tomcat6 package installs the system instance and init scripts with + CATALINA_BASE in /var/lib/tomcat6. It installs a minimal ROOT webapp to + check that everything works correctly. +- A new tomcat6-user package has been created. This package allows users to + create their own user instance of tomcat (CATALINA_BASE) by calling the + create-user-tomcat.sh script located in /usr/share/tomcat6/bin. It does not + require to install the system instance (tomcat6 package). +- The new package tomcat6-common contains files common to tomcat6-user and + tomcat6. It implements the common CATALINA_HOME in /usr/share/tomcat6. +- The docs (and associated webapp) have been put in a separate tomcat6-docs + package. +- The -webapps package has been replaced by a tomcat6-examples package that + just contains the examples webapp. +- The catalina.policy file for the system instance is now autogenerated in + /var/cache/tomcat6. + +-- Thierry Carrez Thu, 24 Jul 2008 09:52:31 +0200 --- tomcat6-6.0.18.orig/debian/rules +++ tomcat6-6.0.18/debian/rules 
@@ -0,0 +1,106 @@ +#!/usr/bin/make -f + +include /usr/share/quilt/quilt.make + +JAVA_HOME := /usr/lib/jvm/default-java +JAVA_CMD := $(JAVA_HOME)/bin/java +BLDLIB := output/build/lib +DEB_JARS_BASE := /usr/share/java +DEB_JARS := ant ant-launcher ant-trax +DEB_CLASSPATH = $(shell for jar in $(DEB_JARS); do \ + if [ -f "$$jar" ]; then echo -n "$${jar}:"; fi; \ + if [ -f "$$jar".jar ]; then echo -n "$${jar}.jar:"; fi; \ + if [ -f $(DEB_JARS_BASE)/"$$jar" ]; then \ + echo -n "$(DEB_JARS_BASE)/$${jar}:"; fi; \ + if [ -f $(DEB_JARS_BASE)/"$$jar".jar ]; then \ + echo -n "$(DEB_JARS_BASE)/$${jar}.jar:"; fi; \ + done; \ + if [ -f "$(JAVA_HOME)/lib/tools.jar" ]; then \ + echo -n "$(JAVA_HOME)/lib/tools.jar"; fi) + +T_VER := $(shell dpkg-parsechangelog | egrep '^Version:' \ + | cut -f 2 -d ' ' | cut -f 2 -d ' '|sed 's/-[^-]*$$//') +T_JARS := jasper-el annotations-api catalina-tribes tomcat-i18n-fr tomcat-i18n-es tomcat-i18n-ja tomcat-coyote jasper catalina-ha catalina-ant catalina + +ANT_ARGS := -Dcompile.debug=true \ + -Dant.build.javac.source=1.5 \ + -Dant.build.javac.target=1.5 \ + -Djdt.jar=/usr/share/java/ecj.jar \ + -Dversion=$(T_VER) + +ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) + ANT_ARGS += -Dcompile.optimize=false +else + ANT_ARGS += -Dcompile.optimize=true +endif + +ANT_INVOKE := $(JAVA_CMD) -classpath "$(DEB_CLASSPATH)" \ + org.apache.tools.ant.Main $(ANT_ARGS) + +build: patch build-stamp +build-stamp: + dh_testdir + $(ANT_INVOKE) build-only + $(ANT_INVOKE) build-docs + $(ANT_INVOKE) deploy-webapps + javadoc -subpackages "javax.servlet" -d "output/api" \ + -sourcepath "java" -author -version -breakiterator \ + -windowtitle "Tomcat API Documentation" -doctitle "Tomcat API" \ + -bottom "Copyright © 2000-2008 Apache Software Foundation. All Rights Reserved." 
+ touch build-stamp + +clean: unpatch + dh_testdir + dh_testroot + -$(ANT_INVOKE) clean + rm -rf "output/" + rm -f build-stamp + dh_clean + +install: build + dh_testdir + dh_testroot + dh_clean -k + dh_installdirs + +binary-indep: build install + dh_testdir + dh_testroot + mv $(BLDLIB)/servlet-api.jar $(BLDLIB)/servlet-api-2.5.jar + mv $(BLDLIB)/jsp-api.jar $(BLDLIB)/jsp-api-2.1.jar + mv $(BLDLIB)/el-api.jar $(BLDLIB)/el-api-2.1.jar + for i in $(T_JARS); do \ + mv $(BLDLIB)/$$i.jar $(BLDLIB)/$$i-$(T_VER).jar; done + dh_installchangelogs + dh_installdocs + dh_installman -ptomcat6-user debian/tomcat6-instance-create.1 + dh_installexamples + dh_installinit --error-handler=true -- defaults 92 08 + dh_installcron + for i in $(T_JARS); do \ + dh_install -plibtomcat6-java \ + $(BLDLIB)/$$i-$(T_VER).jar usr/share/java && \ + dh_link -plibtomcat6-java usr/share/java/$$i-$(T_VER).jar \ + usr/share/java/$$i.jar && \ + dh_link -ptomcat6-common usr/share/java/$$i-$(T_VER).jar \ + usr/share/tomcat6/lib/$$i.jar; done + dh_install --exclude=.bat --exclude=Thumbs.db + dh_link + chmod a+x debian/tomcat6-common/usr/share/tomcat6/bin/*.sh + chmod a+x debian/tomcat6-user/usr/bin/tomcat6-instance-create + chmod a+x debian/tomcat6-user/usr/share/tomcat6/skel/bin/*.sh + dh_compress + dh_fixperms + dh_installdeb + dh_gencontrol + dh_md5sums + dh_builddeb + +binary-arch: build install + +binary: binary-indep binary-arch + +get-orig-source: + -uscan --upstream-version 0 + +.PHONY: build clean binary-indep binary-arch binary install get-orig-source --- tomcat6-6.0.18.orig/debian/logging.properties +++ tomcat6-6.0.18/debian/logging.properties 
@@ -0,0 +1,49 @@ +# Licensed to the Apache Software Foundation (ASF) under one or more +# contributor license agreements. See the NOTICE file distributed with +# this work for additional information regarding copyright ownership. +# The ASF licenses this file to You under the Apache License, Version 2.0 +# (the "License"); you may not use this file except in compliance with +# the License. You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler + +.handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler + +############################################################ +# Handler specific properties. +# Describes specific configuration info for Handlers. +############################################################ + +1catalina.org.apache.juli.FileHandler.level = FINE +1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs +1catalina.org.apache.juli.FileHandler.prefix = catalina. + +2localhost.org.apache.juli.FileHandler.level = FINE +2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs +2localhost.org.apache.juli.FileHandler.prefix = localhost. + +java.util.logging.ConsoleHandler.level = FINE +java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter + +############################################################ +# Facility specific properties. +# Provides extra control for each logger. 
+############################################################ + +org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO +org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler + +# For example, set the com.xyz.foo logger to only log SEVERE +# messages: +#org.apache.catalina.startup.ContextConfig.level = FINE +#org.apache.catalina.startup.HostConfig.level = FINE +#org.apache.catalina.session.ManagerBase.level = FINE +#org.apache.catalina.core.AprLifecycleListener.level=FINE --- tomcat6-6.0.18.orig/debian/tomcat6-common.links +++ tomcat6-6.0.18/debian/tomcat6-common.links @@ -0,0 +1,6 @@ +/usr/share/java/commons-dbcp.jar /usr/share/tomcat6/lib/commons-dbcp.jar +/usr/share/java/commons-pool.jar /usr/share/tomcat6/lib/commons-pool.jar +/usr/share/java/el-api-2.1.jar /usr/share/tomcat6/lib/el-api.jar +/usr/share/java/ecj.jar /usr/share/tomcat6/lib/jasper-jdt.jar +/usr/share/java/jsp-api-2.1.jar /usr/share/tomcat6/lib/jsp-api.jar +/usr/share/java/servlet-api-2.5.jar /usr/share/tomcat6/lib/servlet-api.jar --- tomcat6-6.0.18.orig/debian/tomcat6.install +++ tomcat6-6.0.18/debian/tomcat6.install @@ -0,0 +1,5 @@ +conf/catalina.properties /etc/tomcat6/ +debian/logging.properties /etc/tomcat6/ +conf/*.xml /etc/tomcat6/ +debian/policy/*.policy /etc/tomcat6/policy.d/ +debian/default_root /usr/share/tomcat6/webapps/ --- tomcat6-6.0.18.orig/debian/tomcat6.postinst +++ tomcat6-6.0.18/debian/tomcat6.postinst 
@@ -0,0 +1,25 @@
+#!/bin/sh -e
+
+case "$1" in
+ configure)
+ if ! id tomcat6 > /dev/null 2>&1 ; then
+ adduser --system --home /usr/share/tomcat6 --no-create-home \
+ --group --disabled-password --shell /bin/false \
+ tomcat6
+ fi
+ chown -R tomcat6:adm /var/log/tomcat6 /var/cache/tomcat6
+ chmod 750 /var/log/tomcat6 /var/cache/tomcat6
+ chgrp tomcat6 /etc/tomcat6/tomcat-users.xml
+ chmod 640 /etc/tomcat6/tomcat-users.xml
+ chgrp tomcat6 /var/lib/tomcat6/webapps
+ chmod 775 /var/lib/tomcat6/webapps
+ chgrp tomcat6 /etc/tomcat6/Catalina /etc/tomcat6/Catalina/localhost
+ chmod 775 /etc/tomcat6/Catalina /etc/tomcat6/Catalina/localhost
+ ;;
+esac
+
+if [ ! -d /var/lib/tomcat6/webapps/ROOT ]; then
+ cp -r /usr/share/tomcat6/webapps/default_root /var/lib/tomcat6/webapps/ROOT
+fi
+
+#DEBHELPER#
--- tomcat6-6.0.18.orig/debian/tomcat6.postrm
+++ tomcat6-6.0.18/debian/tomcat6.postrm
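Review bot: `chown -R tomcat6:adm /var/log/tomcat6 /var/cache/tomcat6` runs as root on every `configure`, that is on each upgrade, over trees the tomcat6 account can already write. A recursive ownership change over such a tree can be steered onto files outside it by links the service account created there (hard links in particular, where the kernel does not restrict them). Only the directories themselves need their owner set, so the non-recursive form is enough: `chown tomcat6:adm /var/log/tomcat6 /var/cache/tomcat6`. The `cp -r … ROOT` block also sits outside the `case`, so it runs for every maintainer-script action rather than only on configure; if that is intended, a comment should say so.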
@@ -0,0 +1,46 @@
+#!/bin/sh -e
+
+#DEBHELPER#
+
+# Remove cached files and auto-generated catalina.policy
+rm -rf /var/cache/tomcat6/*
+
+case "$1" in
+ remove)
+ # Remove ROOT webapp if not modified
+ RWLOC="/var/lib/tomcat6/webapps/ROOT"
+ RWFILES="$RWLOC/index.html $RWLOC/META-INF/context.xml"
+ if [ "`(cat $RWFILES | md5sum -) 2>/dev/null | cut -d ' ' -f 1`" \
+ = "a8cd8f5f80f5a36b7565c0e8817f86a3" ] ; then
+ rm $RWFILES
+ rmdir --ignore-fail-on-non-empty \
+ /var/lib/tomcat6/webapps/ROOT/META-INF \
+ /var/lib/tomcat6/webapps/ROOT \
+ /var/lib/tomcat6/webapps \
+ /var/lib/tomcat6 || true
+ fi
+ if [ -d "/var/cache/tomcat6" ] ; then
+ rm -rf /var/cache/tomcat6
+ fi
+ ;;
+
+ purge)
+ # Remove user/group and log files (don't remove everything under
+ # /var/lib/tomcat6 because there might be user-installed webapps)
+ deluser tomcat6 || true
+ rm -rf /var/log/tomcat6 /var/lib/tomcat6/temp
+ if [ -d "/var/lib/tomcat6" ] ; then
+ rmdir --ignore-fail-on-non-empty /var/lib/tomcat6 || true
+ fi
+ rmdir --ignore-fail-on-non-empty /etc/tomcat6/policy.d /etc/tomcat6 || true
+ ;;
+
+ upgrade|failed-upgrade|abort-install|abort-upgrade|disappear)
+ # Nothing to do here
+ ;;
+
+ *)
+ echo "$0 called with unknown argument \`$1'" >&2
+ exit 1
+ ;;
+esac
--- tomcat6-6.0.18.orig/debian/libservlet2.5-java-doc.install
+++ tomcat6-6.0.18/debian/libservlet2.5-java-doc.install
@@ -0,0 +1 @@
+output/api /usr/share/doc/libservlet2.5-java/
--- tomcat6-6.0.18.orig/debian/tomcat6-admin.install
+++ tomcat6-6.0.18/debian/tomcat6-admin.install
@@ -0,0 +1,4 @@
+debian/context/manager.xml /etc/tomcat6/Catalina/localhost/
+output/build/webapps/manager /usr/share/tomcat6-admin/
+debian/context/host-manager.xml /etc/tomcat6/Catalina/localhost/
+output/build/webapps/host-manager /usr/share/tomcat6-admin/
--- tomcat6-6.0.18.orig/debian/tomcat6-docs.links
+++ tomcat6-6.0.18/debian/tomcat6-docs.links
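Review bot: The `purge` branch deletes the tomcat6 account with `deluser tomcat6 || true` while deliberately leaving /var/lib/tomcat6/webapps in place, so any files remaining there stay owned by a UID that no longer exists. A system account created later may be assigned the same UID and would then own that content. Keeping the account on purge avoids this; the `deluser` line could be replaced by a comment such as `# tomcat6 system user is kept: files under /var/lib/tomcat6/webapps may still be owned by it`. `cat $RWFILES` and `rm $RWFILES` rely on word splitting of an unquoted list, which works for the fixed paths here but deserves a short comment.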
@@ -0,0 +1 @@
+/usr/share/tomcat6-docs/docs /usr/share/doc/tomcat6-docs/docs
--- tomcat6-6.0.18.orig/debian/libservlet2.5-java.install
+++ tomcat6-6.0.18/debian/libservlet2.5-java.install
@@ -0,0 +1,3 @@
+output/build/lib/servlet-api-2.5.jar /usr/share/java
+output/build/lib/jsp-api-2.1.jar /usr/share/java
+output/build/lib/el-api-2.1.jar /usr/share/java
--- tomcat6-6.0.18.orig/debian/tomcat6-common.docs
+++ tomcat6-6.0.18/debian/tomcat6-common.docs
@@ -0,0 +1,2 @@
+RELEASE-NOTES
+RUNNING.txt
--- tomcat6-6.0.18.orig/debian/changelog
+++ tomcat6-6.0.18/debian/changelog
@@ -0,0 +1,181 @@ +tomcat6 (6.0.18-0ubuntu6.3) jaunty-security; urgency=low + + * SECURITY UPDATE: denial of service and possible information disclosure + via crafted header + - debian/patches/CVE-2010-2227.patch: fix filter logic in + java/org/apache/coyote/http11/{Http11AprProcessor,Http11NioProcessor, + Http11Processor,filters/BufferedInputFilter}.java. + - CVE-2010-2227 + + -- Marc Deslauriers Thu, 19 Aug 2010 11:04:50 -0400 + +tomcat6 (6.0.18-0ubuntu6.2) jaunty-security; urgency=low + + * SECURITY UPDATE: arbitrary file creation or overwrite from directory + traversal via a .. entry in a WAR file. + - CVE-2009-2693 + * SECURITY UPDATE: authentication bypass via autodeployment process + - CVE-2009-2901 + * SECURITY UPDATE: work-directory file deletion via directory traversal + sequences in a WAR filename. + - CVE-2009-2902 + - debian/patches/security_CVE-2009-2693_2901_2902.patch: validate file + names and paths in java/org/apache/catalina/loader/ + {LocalStrings.properties,WebappClassLoader.java}, + java/org/apache/catalina/startup/{ContextConfig.java,ExpandWar.java, + HostConfig.java,LocalStrings.properties} + + -- Marc Deslauriers Thu, 11 Feb 2010 08:41:39 -0500 + +tomcat6 (6.0.18-0ubuntu6.1) jaunty-security; urgency=low + + * SECURITY UPDATE: security bypass via specially crafted request + - debian/patches/security-CVE-2008-5515.patch: use only a single + normalise implementation in: + java/org/apache/catalina/connector/Request.java, + java/org/apache/catalina/core/{ApplicationContext,ApplicationHttpRequest}.java, + java/org/apache/catalina/servlets/WebdavServlet.java, + java/org/apache/catalina/ssi/{SSIServletExternalResolver,SSIServletRequestUtil}.java, + java/org/apache/catalina/util/RequestUtil.java, + java/org/apache/naming/resources/FileDirContext.java + - CVE-2008-5515 + * SECURITY UPDATE: denial of service via request with invalid headers + - debian/patches/security-CVE-2009-0033.patch: make sure we return + 400 to the browser in + 
java/org/apache/jk/common/{ChannelNioSocket,ChannelSocket,HandlerRequest}.java + - CVE-2009-0033 + * SECURITY UPDATE: valid username enumeration via improper error checking + - debian/patches/security-CVE-2009-0580.patch: make sure we have valid + credentials in java/org/apache/catalina/realm/{DataSourceRealm,JDBCRealm,MemoryRealm}.java + - CVE-2009-0580 + * SECURITY UPDATE: cross-site scripting in calendar example application + (LP: #341278) + - debian/patches/security-CVE-2009-0781.patch: properly quote value in + webapps/examples/jsp/cal/cal2.jsp + - CVE-2009-0781 + * SECURITY UPDATE: information disclosure via XML parser replacement + - debian/patches/security-CVE-2009-0783.patch: create digesters and + parsers earlier and don't use xml-parser from web-app in + java/org/apache/catalina/core/StandardContext.java, + java/org/apache/catalina/startup/{LocalStrings.properties,TldConfig.java} + - CVE-2009-0783 + + -- Marc Deslauriers Wed, 10 Jun 2009 08:31:31 -0400 + +tomcat6 (6.0.18-0ubuntu6) jaunty; urgency=low + + * Added debian/patches/tcnative-ipv6-fix-43327.patch to fix incompatibility + between libtcnative-1 and ipv6 (fixes LP: #287645) + * No longer create confusing /var/lib/tomcat6/lib or lib subdirectory in + private instances, since they are ignored (LP: #324212) + + -- Thierry Carrez Mon, 23 Feb 2009 10:16:37 +0000 + +tomcat6 (6.0.18-0ubuntu5) jaunty; urgency=low + + [ Thierry Carrez ] + * Removed tomcat6-[admin,docs,examples].post[inst,rm] and let Tomcat webapp + autodeployment features handle application load/unload (LP: #302914) + * tomcat6-instance-create, tomcat6-instance-create.1, control: + Allow to change the HTTP port, control port and shutdown word on the + tomcat6-instance-create command line (LP: #300691). + + [ Mathias Gug] + * debian/tomcat6-instance-create: move directoryname from an option to + an argument. + * debian/tomcat6-instance-create.1: some updates to the man page. 
+ * debian/control: update maintainer field to Ubuntu Core Developers now that + tomcat6 is in main. + + -- Mathias Gug Wed, 07 Jan 2009 18:44:39 -0500 + +tomcat6 (6.0.18-0ubuntu4) jaunty; urgency=low + + * tomcat6.init, tomcat6.postinst, tomcat6.dirs, tomcat6.default, + README.debian: Use /tmp/tomcat6-temp instead of /var/lib/tomcat6/temp as + the JVM temporary directory and clean it at each restart (LP: #287452) + * policy/04webapps.policy: add rules to allow usage of java.io.tmpdir + * tomcat6.init, rules: Do not use TearDown, as this results in + LifecycleListener callbacks in webapps being bypassed (LP: #299436) + * rules: Compile at Java 1.5 level to allow usage of Java 5 JREs + (LP: #286427) + * control, rules, libservlet2.5-java-doc.install, + libservlet2.5-java-doc.links: New libservlet2.5-java-doc package ships + missing Servlet/JSP API documentation (LP: #279645) + * patches/use-commons-dbcp.patch: Change default DBCP factory class + to org.apache.commons.dbcp.BasicDataSourceFactory (LP: #283852) + * tomcat6.dirs, tomcat6.postinst, default_root/index.html: Create + Catalina/localhost in /etc/tomcat6 and make it writeable by the tomcat6 + group, so that autodeploy and admin webapps work as expected (LP: #294277) + * patches/disable-apr-loading.patch: Disable APR library loading until we + properly provide it. + * patches/disable-ajp-connector: Do not load AJP13 connector by default + (LP: #300697) + * rules: minor fixes to prevent build being called twice. 
+ + -- Thierry Carrez Thu, 27 Nov 2008 12:47:42 +0000 + +tomcat6 (6.0.18-0ubuntu3) intrepid; urgency=low + + * debian/tomcat6.postinst: + - Make /var/lib/tomcat6/temp writeable by the tomcat6 user (LP: #287126) + - Make /var/lib/tomcat6/webapps writeable by tomcat6 group (LP: #287447) + * debian/tomcat6.init: make status return nonzero if tomcat6 is not running + (fixes LP: #288218) + + -- Thierry Carrez Thu, 23 Oct 2008 18:19:15 +0200 + +tomcat6 (6.0.18-0ubuntu2) intrepid; urgency=low + + * debian/rules: call dh_installinit with --error-handler so that install + doesn't fail if Tomcat cannot be started during configure (LP: #274365) + + -- Thierry Carrez Mon, 06 Oct 2008 13:55:21 +0200 + +tomcat6 (6.0.18-0ubuntu1) intrepid; urgency=low + + * New upstream version (LP: #260016) + - Fixes CVE-2008-2938: Directory traversal vulnerability (LP: #256802) + - Fixes CVE-2008-2370: Information disclosure vulnerability (LP: #256922) + - Fixes CVE-2008-1232: XSS through sendError vulnerability (LP: #256926) + * Dropped CVE-2008-1947.patch (fix is shipped in this upstream release) + * control: Improve short descriptions for the binary packages + * copyright: Added link to /usr/share/common-licenses/Apache-2.0 + * control: To pull the right JRE, libtomcat6-java now depends on + default-jre-headless | java6-runtime-headless + + -- Thierry Carrez Fri, 22 Aug 2008 09:15:11 +0200 + +tomcat6 (6.0.16-1ubuntu1) intrepid; urgency=low + + * Adding full Tomcat 6 server stack support (LP: #256052) + - tomcat6 handles the system instance (/var/lib/tomcat6) + - tomcat6-user allows users to create their own private instances + - tomcat6-common installs common files in /usr/share/tomcat6 + - libtomcat6-java installs Tomcat 6 java libs in /usr/share/java + - tomcat6-docs installs the documentation webapp + - tomcat6-examples installs the examples webapp + - tomcat6-admin installs the manager and host-manager webapps + * Other key differences with the tomcat5.5 packages: + - default-jdk build 
support + - OpenJDK-6 JRE runtime support + - tomcat6 installs a minimal ROOT webapp + - new webapp locations follow Debian webapp policy + - webapps restart tomcat6 in postrm rather than in prerm + - added a doc-base entry + - use standard upstream server.xml + - initscript: try to check if Tomcat is really running before returning OK + - removed transitional configuration migration code + - autogenerate policy in /var/cache/tomcat6 rather than /etc/tomcat6 + - logging.properties is customized to remove -webapps-related lines + - initscript: implement TearDown spec + * CVE-2008-1947 fix (cross-site-scripting issue in host-manager webapp) + + -- Thierry Carrez Fri, 08 Aug 2008 15:37:48 +0200 + +tomcat6 (6.0.16-1) unstable; urgency=low + + * Initial release. + (Closes: #480964). + + -- Paul Cager Mon, 12 May 2008 23:04:49 +0000 --- tomcat6-6.0.18.orig/debian/libservlet2.5-java-doc.links +++ tomcat6-6.0.18/debian/libservlet2.5-java-doc.links @@ -0,0 +1 @@ +/usr/share/doc/libservlet2.5-java/api /usr/share/doc/libservlet2.5-java-doc/api --- tomcat6-6.0.18.orig/debian/compat +++ tomcat6-6.0.18/debian/compat @@ -0,0 +1 @@ +6 --- tomcat6-6.0.18.orig/debian/tomcat6-examples.install +++ tomcat6-6.0.18/debian/tomcat6-examples.install @@ -0,0 +1,3 @@ +debian/context/examples.xml /etc/tomcat6/Catalina/localhost/ +output/build/webapps/examples /usr/share/tomcat6-examples/ +debian/policy/examples/*.policy /etc/tomcat6/policy.d/ --- tomcat6-6.0.18.orig/debian/copyright +++ tomcat6-6.0.18/debian/copyright 
@@ -0,0 +1,138 @@ +This package was debianized by Paul Cager +Wed, 14 May 2008 10:29:00 +0100. + +It was heavily modified to support the full Tomcat6 server stack by +Thierry Carrez , based on the great work done by +the Debian Java Maintainers +on Tomcat 5.5 and initial packaging by David Pashley . + +It was downloaded from http://tomcat.apache.org + +Copyright: + Copyright (C) 2000-2007 Apache Software Foundation. + Copyright (C) International Business Machines Corporation 2002 + +Authors: + Alex Chaffee + Alex Cruikshank [alex@epitonic.com] + Amy Roh + Andre de Jesus + Andrew R. Jaquith + Andy Clark + Aner Perez + Anil V (akv@eng.sun.com) + Anselm Baird-Smith + Arnaud Le Hors, IBM + Bela Ban (modifications for synchronous replication) + Bill Barker + Bill Burke + Bip Thelin + Cedrik LIME + Carson McDonald + Costin@eng.sun.com + Craig R. McClanahan + Dan Milstein [danmil@shore.net] + Dan Sandberg + Daniel Rall + Danno Ferrin + David Becker + Denis Benoit + Eric Rescorla + Eric Ye, IBM + Fabien Carrion + Fabrizio Giustina + Filip Hanik + Gabriele Garuglieri + Gal Shachor [shachor@il.ibm.com] + Glenn L. Nielsen + Glenn Marcy, IBM + Greg Murray + Gunnar Rjnning + Hans Bergsten + Harish Prabandham + Henri Gomez [hgomez@apache.org] + Ignacio J. Ortega + Jacek Laskowski + Jacob Hookom [jacob@hookom.net] + James Duncan Davidson [duncan@eng.sun.com] + James Todd [gonzo@sun.com] + Jan Luehe + Jason Brittain + Jason Hunter [jch@eng.sun.com] + Jason van Zyl + Jayson Falkner + Jean-Francois Arcand + Jean-Frederic Clere + Jeffrey Rodriguez + John Holman + John McNally + Jon S. 
Stevens + Justyna Horwat + Keith Wannamaker [Keith@Wannamaker.org] + Kevin Seguin + Kief Morris (kief@kief.com) + Kin-man Chung + Larry Cable + Larry Isaacs + Malcolm Edgar + Mandar Raje + Mark Roth + Mark Thomas + Martin Cooper + Martin T Dengler [root@martindengler.com] + Mel Martinez [mmartinez@g1440.com] + Michael Glavassevich, IBM + Mladen Turk + Neil Graham, IBM + Nicola Ken Barozzi + Paul Speed + Peter Donald + Peter Lin + Peter Rossbach (pero@apache.org) + Pierre Delisle + Rafal Krzewski Rafal.Krzewski@e-point.pl + Rahul Srivastava, Sun Microsystems Inc. + Rainer Jung + Rajiv Mordani + Remy Maucharat + Remy Maucherat + Richard A. Sitze + Robert Field (inner SDEInstaller class) + Rod Waldhoff + Scott Sanders + Sean C. Sullivan + Sean Legassick + Sean Legassick + Shawn Bayern + Stan Bailes + Stefan Freyr Stefansson + Stefano Mazzocchi + TAMURA Kent, IBM + Takayuki Kaneko + Tim Fennell + Tim Funk + Tim Tye + Vivek Chopra + Yoav Shapira + +License: + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. + +On Debian GNU/Linux and Ubuntu systems, the complete text of the Apache 2.0 +License can be found in the /usr/share/common-licenses/Apache-2.0 file. + +The Debian packaging is (C) 2008, Paul Cager +and is licensed under the Apache License version 2. + +Ubuntu full server stack repackaging is Copyright (C) 2008 Canonical Ltd. --- tomcat6-6.0.18.orig/debian/watch +++ tomcat6-6.0.18/debian/watch 
@@ -0,0 +1,2 @@
+version=3
+http://www.apache.org/dist/tomcat/tomcat-6/v(6[0-9.]*). debian debian/orig-tar.sh
--- tomcat6-6.0.18.orig/debian/control
+++ tomcat6-6.0.18/debian/control
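Review bot: The watch URL uses plain `http://`, and the `debian/orig-tar.sh` helper added further down this diff fetches the tarball with `wget $URL` from the same `http://www.apache.org/dist/...` location without checking it against anything. Nothing visible in either file verifies the download, so the packaged source is only as trustworthy as the network path it arrived over. Switch both to `https://` and have `orig-tar.sh` check the tarball against the detached signature upstream publishes next to it before renaming it to `tomcat6_$2.orig.tar.gz`.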
@@ -0,0 +1,114 @@ +Source: tomcat6 +Section: web +Priority: optional +Maintainer: Ubuntu Core Developers +XSBC-Original-Maintainer: Debian Java Maintainers +Uploaders: Paul Cager +Build-Depends: default-jdk, + ant, + ant-optional, + debhelper (>=6), + quilt +Build-Depends-Indep: libecj-java +Standards-Version: 3.8.0 +Homepage: http://tomcat.apache.org + +Package: tomcat6-common +Architecture: all +Depends: libtomcat6-java (>= ${source:Version}) +Description: Servlet and JSP engine -- common files + Apache Tomcat 6 is the reference implementation for the Java Servlet 2.5 + and JavaServer Pages 2.1 technologies. + . + This package contains common files needed by the tomcat6 and tomcat6-user + packages (Tomcat 6 scripts and libraries). + +Package: tomcat6 +Architecture: all +Depends: tomcat6-common (>= ${source:Version}), + adduser, + jsvc +Suggests: tomcat6-docs (>= ${source:Version}), + tomcat6-admin (>= ${source:Version}), + tomcat6-examples (>= ${source:Version}) +Description: Servlet and JSP engine + Apache Tomcat 6 is the reference implementation for the Java Servlet 2.5 + and JavaServer Pages 2.1 technologies. + . + This package just contains the startup scripts for the system-wide daemon. + No documentation or web applications are included here, please install + the tomcat6-webapps package if you want them. + +Package: tomcat6-user +Architecture: all +Depends: tomcat6-common (>= ${source:Version}), netcat +Description: Servlet and JSP engine -- tools to create user instances + Apache Tomcat 6 is the reference implementation for the Java Servlet 2.5 + and JavaServer Pages 2.1 technologies. + . + This package contains files needed to create a user Tomcat instance. 
+ +Package: libtomcat6-java +Architecture: all +Depends: default-jre-headless | java6-runtime-headless, + libecj-java, + libcommons-dbcp-java, + libcommons-pool-java, + libservlet2.5-java (>= ${source:Version}) +Suggests: tomcat6 (>= ${source:Version}) +Description: Servlet and JSP engine -- core libraries + Apache Tomcat 6 is the reference implementation for the Java Servlet 2.5 + and JavaServer Pages 2.1 technologies. + . + This package contains the Tomcat core classes which can be used by other + Java applications to embed Tomcat. + +Package: libservlet2.5-java +Architecture: all +Depends: default-jre-headless | java2-runtime-headless +Description: Servlet 2.5 and JSP 2.1 Java API classes + For more information about Java servlets please take a look at the Tomcat + home page at http://jakarta.apache.org/tomcat/index.html. + . + The official Servlet 2.5 and JSP 2.1 specifications can be found at + http://java.sun.com/products/servlet/ and http://java.sun.com/products/jsp/. + +Package: libservlet2.5-java-doc +Section: doc +Architecture: all +Depends: libservlet2.5-java (>= ${source:Version}) +Description: Servlet 2.5 and JSP 2.1 Java API documentation + For more information about Java servlets please take a look at the Tomcat + home page at http://jakarta.apache.org/tomcat/index.html. + . + The official Servlet 2.5 and JSP 2.1 specifications can be found at + http://java.sun.com/products/servlet/ and http://java.sun.com/products/jsp/. + +Package: tomcat6-admin +Architecture: all +Depends: tomcat6 (>= ${source:Version}) +Description: Servlet and JSP engine -- admin web applications + Apache Tomcat 6 is the reference implementation for the Java Servlet 2.5 + and JavaServer Pages 2.1 technologies. + . + This package contains the administrative web interfaces. 
+ +Package: tomcat6-examples +Architecture: all +Depends: tomcat6 (>= ${source:Version}) +Description: Servlet and JSP engine -- example web applications + Apache Tomcat 6 is the reference implementation for the Java Servlet 2.5 + and JavaServer Pages 2.1 technologies. + . + This package contains the default Tomcat example webapps. + +Package: tomcat6-docs +Section: doc +Architecture: all +Depends: tomcat6 (>= ${source:Version}) +Description: Servlet and JSP engine -- example web applications + Apache Tomcat 6 is the reference implementation for the Java Servlet 2.5 + and JavaServer Pages 2.1 technologies. + . + This package contains the online documentation web application. + --- tomcat6-6.0.18.orig/debian/orig-tar.sh +++ tomcat6-6.0.18/debian/orig-tar.sh @@ -0,0 +1,12 @@ +#!/bin/sh -e + +# $2 = version + +URL=http://www.apache.org/dist/tomcat/tomcat-6/v$2/src/apache-tomcat-$2-src.tar.gz + +wget $URL || exit 2 + +mv apache-tomcat-$2-src.tar.gz tomcat6_$2.orig.tar.gz || exit 2 + + + --- tomcat6-6.0.18.orig/debian/tomcat6-docs.doc-base +++ tomcat6-6.0.18/debian/tomcat6-docs.doc-base @@ -0,0 +1,10 @@ +Document: tomcat6 +Title: Apache Tomcat 6.0 Documentation +Author: Apache Software Foundation +Abstract: Documentation bundle for Apache Tomcat 6.0 Servlet/JSP container. +Section: System/Administration + +Format: HTML +Index: /usr/share/doc/tomcat6-docs/docs/index.html +Files: /usr/share/doc/tomcat6-docs/docs/* + --- tomcat6-6.0.18.orig/debian/patches/series +++ tomcat6-6.0.18/debian/patches/series 
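Review bot: The `tomcat6-docs` stanza reuses the short description of `tomcat6-examples` (`Servlet and JSP engine -- example web applications`) although its long description says it ships the online documentation web application; something like `Description: Servlet and JSP engine -- documentation` would match. The `tomcat6` stanza also tells users to install a `tomcat6-webapps` package, which this control file does not define; it should name `tomcat6-docs`, `tomcat6-admin` and `tomcat6-examples`, the packages its `Suggests` field lists.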
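Review bot: In `debian/orig-tar.sh`, `$URL` and `$2` are expanded unquoted in the `wget` and `mv` commands, so a version argument containing whitespace or glob characters is split or expanded before the commands see it. Quote them and end option parsing: `wget -- "$URL" || exit 2` and `mv -- "apache-tomcat-$2-src.tar.gz" "tomcat6_$2.orig.tar.gz" || exit 2`. The `-e` on the `#!/bin/sh -e` line is lost when the script is invoked as `sh debian/orig-tar.sh`; a `set -e` in the body keeps it.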
@@ -0,0 +1,12 @@
+disable-ajp-connector.patch
+disable-apr-loading.patch
+deploy-webapps-build-xml.patch
+use-commons-dbcp.patch
+tcnative-ipv6-fix-43327.patch
+security-CVE-2008-5515.patch
+security-CVE-2009-0033.patch
+security-CVE-2009-0580.patch
+security-CVE-2009-0781.patch
+security-CVE-2009-0783.patch
+security_CVE-2009-2693_2901_2902.patch
+CVE-2010-2227.patch
--- tomcat6-6.0.18.orig/debian/patches/security-CVE-2009-0580.patch
+++ tomcat6-6.0.18/debian/patches/security-CVE-2009-0580.patch
@@ -0,0 +1,49 @@ +# +# Description: fix valid username enumeration via improper error checking +# Patch: http://svn.apache.org/viewvc?view=rev&revision=747840 +# Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532362 +# +diff -Nur tomcat6-6.0.18/java/org/apache/catalina/realm/DataSourceRealm.java tomcat6-6.0.18.new/java/org/apache/catalina/realm/DataSourceRealm.java +--- tomcat6-6.0.18/java/org/apache/catalina/realm/DataSourceRealm.java 2008-07-21 20:01:29.000000000 -0400 ++++ tomcat6-6.0.18.new/java/org/apache/catalina/realm/DataSourceRealm.java 2009-06-09 16:36:25.000000000 -0400 +@@ -270,8 +270,9 @@ + */ + public Principal authenticate(String username, String credentials) { + +- // No user - can't possibly authenticate, don't bother the database then +- if (username == null) { ++ // No user or no credentials ++ // Can't possibly authenticate, don't bother the database then ++ if (username == null || credentials == null) { + return null; + } + +diff -Nur tomcat6-6.0.18/java/org/apache/catalina/realm/JDBCRealm.java tomcat6-6.0.18.new/java/org/apache/catalina/realm/JDBCRealm.java +--- tomcat6-6.0.18/java/org/apache/catalina/realm/JDBCRealm.java 2008-07-21 20:01:29.000000000 -0400 ++++ tomcat6-6.0.18.new/java/org/apache/catalina/realm/JDBCRealm.java 2009-06-09 16:36:27.000000000 -0400 +@@ -392,9 +392,10 @@ + String username, + String credentials) { + +- // No user - can't possibly authenticate +- if (username == null) { +- return (null); ++ // No user or no credentials ++ // Can't possibly authenticate, don't bother the database then ++ if (username == null || credentials == null) { ++ return null; + } + + // Look up the user's credentials +diff -Nur tomcat6-6.0.18/java/org/apache/catalina/realm/MemoryRealm.java tomcat6-6.0.18.new/java/org/apache/catalina/realm/MemoryRealm.java +--- tomcat6-6.0.18/java/org/apache/catalina/realm/MemoryRealm.java 2008-07-21 20:01:28.000000000 -0400 ++++ tomcat6-6.0.18.new/java/org/apache/catalina/realm/MemoryRealm.java 
2009-06-09 16:36:30.000000000 -0400 +@@ -148,7 +148,7 @@ + (GenericPrincipal) principals.get(username); + + boolean validated = false; +- if (principal != null) { ++ if (principal != null && credentials != null) { + if (hasMessageDigest()) { + // Hex hashes should be compared case-insensitive + validated = (digest(credentials) --- tomcat6-6.0.18.orig/debian/patches/disable-ajp-connector.patch +++ tomcat6-6.0.18/debian/patches/disable-ajp-connector.patch @@ -0,0 +1,14 @@ +Index: tomcat6-6.0.18/conf/server.xml +=================================================================== +--- tomcat6-6.0.18.orig/conf/server.xml 2008-11-26 15:24:50.000000000 +0000 ++++ tomcat6-6.0.18/conf/server.xml 2008-11-26 15:25:29.000000000 +0000 +@@ -85,7 +85,9 @@ + --> + + ++ + + + ++ + + + --- tomcat6-6.0.18.orig/debian/patches/security_CVE-2009-2693_2901_2902.patch +++ tomcat6-6.0.18/debian/patches/security_CVE-2009-2693_2901_2902.patch 
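Review bot: The new guards in security-CVE-2009-0580.patch carry only the comment `Can't possibly authenticate, don't bother the database then`, which does not say why a null `credentials` has to be rejected before any per-user work. In the MemoryRealm hunk the old code reached `digest(credentials)` only when `principal != null`, so a null credential was handled differently for known and unknown names, which appears to be the enumeration the patch description refers to. I would add a comment at each guard such as `// Reject null credentials up front so existing and unknown users fail the same way (CVE-2009-0580)`. The three `authenticate` methods start and end outside the quoted hunks, so whether later code paths still differ by user cannot be checked from here.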
@@ -0,0 +1,528 @@ +Description: fix directory traversal issues and autodeployment process + incorrect cleanup +Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=892815 + +diff -Nur tomcat6-6.0.18/java/org/apache/catalina/loader/LocalStrings.properties tomcat6-6.0.18.new/java/org/apache/catalina/loader/LocalStrings.properties +--- tomcat6-6.0.18/java/org/apache/catalina/loader/LocalStrings.properties 2008-07-21 20:01:29.000000000 -0400 ++++ tomcat6-6.0.18.new/java/org/apache/catalina/loader/LocalStrings.properties 2010-02-11 08:41:29.000000000 -0500 +@@ -28,7 +28,9 @@ + standardLoader.removeRepository=Removing repository {0} + standardLoader.starting=Starting this Loader + standardLoader.stopping=Stopping this Loader ++webappClassLoader.illegalJarPath=Illegal JAR entry detected with name {0} + webappClassLoader.stopped=Illegal access: this web application instance has been stopped already. Could not load {0}. The eventual following stack trace is caused by an error thrown for debugging purposes as well as to attempt to terminate the thread which caused the illegal access, and has no functional impact. ++webappClassLoader.validationErrorJarPath=Unable to validate JAR entry with name {0} + webappClassLoader.wrongVersion=(unable to load class {0}) + webappLoader.addRepository=Adding repository {0} + webappLoader.deploy=Deploying class repositories to work directory {0} +diff -Nur tomcat6-6.0.18/java/org/apache/catalina/loader/WebappClassLoader.java tomcat6-6.0.18.new/java/org/apache/catalina/loader/WebappClassLoader.java +--- tomcat6-6.0.18/java/org/apache/catalina/loader/WebappClassLoader.java 2008-07-21 20:01:28.000000000 -0400 ++++ tomcat6-6.0.18.new/java/org/apache/catalina/loader/WebappClassLoader.java 2010-02-11 08:41:29.000000000 -0500 +@@ -339,7 +339,7 @@ + * Path where resources loaded from JARs will be extracted. 
+ */ + protected File loaderDir = null; +- ++ protected String canonicalLoaderDir = null; + + /** + * The PermissionCollection for each CodeSource for a web +@@ -532,6 +532,18 @@ + */ + public void setWorkDir(File workDir) { + this.loaderDir = new File(workDir, "loader"); ++ if (loaderDir == null) { ++ canonicalLoaderDir = null; ++ } else { ++ try { ++ canonicalLoaderDir = loaderDir.getCanonicalPath(); ++ if (!canonicalLoaderDir.endsWith(File.separator)) { ++ canonicalLoaderDir += File.separator; ++ } ++ } catch (IOException ioe) { ++ canonicalLoaderDir = null; ++ } ++ } + } + + /** +@@ -2035,6 +2047,18 @@ + (".class"))) { + resourceFile = new File + (loaderDir, jarEntry2.getName()); ++ try { ++ if (!resourceFile.getCanonicalPath().startsWith( ++ canonicalLoaderDir)) { ++ throw new IllegalArgumentException( ++ sm.getString("webappClassLoader.illegalJarPath", ++ jarEntry2.getName())); ++ } ++ } catch (IOException ioe) { ++ throw new IllegalArgumentException( ++ sm.getString("webappClassLoader.validationErrorJarPath", ++ jarEntry2.getName()), ioe); ++ } + resourceFile.getParentFile().mkdirs(); + FileOutputStream os = null; + InputStream is = null; +diff -Nur tomcat6-6.0.18/java/org/apache/catalina/startup/ContextConfig.java tomcat6-6.0.18.new/java/org/apache/catalina/startup/ContextConfig.java +--- tomcat6-6.0.18/java/org/apache/catalina/startup/ContextConfig.java 2008-07-21 20:01:28.000000000 -0400 ++++ tomcat6-6.0.18.new/java/org/apache/catalina/startup/ContextConfig.java 2010-02-11 08:41:29.000000000 -0500 +@@ -870,35 +870,40 @@ + file = new File(docBase); + String origDocBase = docBase; + +- String contextPath = context.getPath(); +- if (contextPath.equals("")) { +- contextPath = "ROOT"; ++ String pathName = context.getPath(); ++ if (pathName.equals("")) { ++ pathName = "ROOT"; + } else { +- if (contextPath.lastIndexOf('/') > 0) { +- contextPath = "/" + contextPath.substring(1).replace('/','#'); +- } ++ // Context path must start with '/' ++ pathName = 
pathName.substring(1).replace('/', '#'); + } + if (docBase.toLowerCase().endsWith(".war") && !file.isDirectory() && unpackWARs) { + URL war = new URL("jar:" + (new File(docBase)).toURI().toURL() + "!/"); +- docBase = ExpandWar.expand(host, war, contextPath); ++ docBase = ExpandWar.expand(host, war, pathName); + file = new File(docBase); + docBase = file.getCanonicalPath(); + if (context instanceof StandardContext) { + ((StandardContext) context).setOriginalDocBase(origDocBase); + } ++ } else if (docBase.toLowerCase().endsWith(".war") && ++ !file.isDirectory() && !unpackWARs) { ++ URL war = ++ new URL("jar:" + (new File (docBase)).toURI().toURL() + "!/"); ++ ExpandWar.validate(host, war, pathName); + } else { + File docDir = new File(docBase); + if (!docDir.exists()) { + File warFile = new File(docBase + ".war"); + if (warFile.exists()) { ++ URL war = ++ new URL("jar:" + warFile.toURI().toURL() + "!/"); + if (unpackWARs) { +- URL war = +- new URL("jar:" + warFile.toURI().toURL() + "!/"); +- docBase = ExpandWar.expand(host, war, contextPath); ++ docBase = ExpandWar.expand(host, war, pathName); + file = new File(docBase); + docBase = file.getCanonicalPath(); + } else { + docBase = warFile.getCanonicalPath(); ++ ExpandWar.validate(host, war, pathName); + } + } + if (context instanceof StandardContext) { +@@ -1259,7 +1264,8 @@ + if (!docBaseFile.isAbsolute()) { + docBaseFile = new File(appBase, docBase); + } +- ExpandWar.delete(docBaseFile); ++ // No need to log failure - it is expected in this case ++ ExpandWar.delete(docBaseFile, false); + } + + ok = true; +diff -Nur tomcat6-6.0.18/java/org/apache/catalina/startup/ExpandWar.java tomcat6-6.0.18.new/java/org/apache/catalina/startup/ExpandWar.java +--- tomcat6-6.0.18/java/org/apache/catalina/startup/ExpandWar.java 2008-07-21 20:01:29.000000000 -0400 ++++ tomcat6-6.0.18.new/java/org/apache/catalina/startup/ExpandWar.java 2010-02-11 08:41:29.000000000 -0500 +@@ -105,7 +105,8 @@ + * (must start with "jar:") + * @param 
pathname Context path name for web application + * +- * @exception IllegalArgumentException if this is not a "jar:" URL ++ * @exception IllegalArgumentException if this is not a "jar:" URL or if the ++ * WAR file is invalid + * @exception IOException if an input/output error was encountered + * during expansion + */ +@@ -123,6 +124,7 @@ + (sm.getString("hostConfig.appBase", + appBase.getAbsolutePath())); + } ++ + File docBase = new File(appBase, pathname); + if (docBase.exists()) { + // War file is already installed +@@ -133,16 +135,29 @@ + docBase.mkdir(); + + // Expand the WAR into the new document base directory ++ String canonicalDocBasePrefix = docBase.getCanonicalPath(); ++ if (!canonicalDocBasePrefix.endsWith(File.separator)) { ++ canonicalDocBasePrefix += File.separator; ++ } + JarURLConnection juc = (JarURLConnection) war.openConnection(); + juc.setUseCaches(false); + JarFile jarFile = null; + InputStream input = null; ++ boolean success = false; + try { + jarFile = juc.getJarFile(); + Enumeration jarEntries = jarFile.entries(); + while (jarEntries.hasMoreElements()) { + JarEntry jarEntry = (JarEntry) jarEntries.nextElement(); + String name = jarEntry.getName(); ++ File expandedFile = new File(docBase, name); ++ if (!expandedFile.getCanonicalPath().startsWith( ++ canonicalDocBasePrefix)) { ++ // Trying to expand outside the docBase ++ // Throw an exception to stop the deployment ++ throw new IllegalArgumentException( ++ sm.getString("expandWar.illegalPath",war, name)); ++ } + int last = name.lastIndexOf('/'); + if (last >= 0) { + File parent = new File(docBase, +@@ -155,21 +170,24 @@ + input = jarFile.getInputStream(jarEntry); + + // Bugzilla 33636 +- File expandedFile = expand(input, docBase, name); ++ expand(input, expandedFile); + long lastModified = jarEntry.getTime(); +- if ((lastModified != -1) && (lastModified != 0) && (expandedFile != null)) { ++ if ((lastModified != -1) && (lastModified != 0)) { + expandedFile.setLastModified(lastModified); + } + 
+ input.close(); + input = null; + } ++ success = true; + } catch (IOException e) { +- // If something went wrong, delete expanded dir to keep things +- // clean +- deleteDir(docBase); + throw e; + } finally { ++ if (!success) { ++ // If something went wrong, delete expanded dir to keep things ++ // clean ++ deleteDir(docBase); ++ } + if (input != null) { + try { + input.close(); +@@ -195,6 +213,69 @@ + + + /** ++ * Validate the WAR file found at the specified URL. ++ * ++ * @param host Host war is being installed for ++ * @param war URL of the web application archive to be validated ++ * (must start with "jar:") ++ * @param pathname Context path name for web application ++ * ++ * @exception IllegalArgumentException if this is not a "jar:" URL or if the ++ * WAR file is invalid ++ * @exception IOException if an input/output error was encountered ++ * during validation ++ */ ++ public static void validate(Host host, URL war, String pathname) ++ throws IOException { ++ ++ // Make the appBase absolute ++ File appBase = new File(host.getAppBase()); ++ if (!appBase.isAbsolute()) { ++ appBase = new File(System.getProperty("catalina.base"), ++ host.getAppBase()); ++ } ++ ++ File docBase = new File(appBase, pathname); ++ ++ // Calculate the document base directory ++ String canonicalDocBasePrefix = docBase.getCanonicalPath(); ++ if (!canonicalDocBasePrefix.endsWith(File.separator)) { ++ canonicalDocBasePrefix += File.separator; ++ } ++ JarURLConnection juc = (JarURLConnection) war.openConnection(); ++ juc.setUseCaches(false); ++ JarFile jarFile = null; ++ try { ++ jarFile = juc.getJarFile(); ++ Enumeration jarEntries = jarFile.entries(); ++ while (jarEntries.hasMoreElements()) { ++ JarEntry jarEntry = jarEntries.nextElement(); ++ String name = jarEntry.getName(); ++ File expandedFile = new File(docBase, name); ++ if (!expandedFile.getCanonicalPath().startsWith( ++ canonicalDocBasePrefix)) { ++ // Entry located outside the docBase ++ // Throw an exception to stop the 
deployment ++ throw new IllegalArgumentException( ++ sm.getString("expandWar.illegalPath",war, name)); ++ } ++ } ++ } catch (IOException e) { ++ throw e; ++ } finally { ++ if (jarFile != null) { ++ try { ++ jarFile.close(); ++ } catch (Throwable t) { ++ // Ignore ++ } ++ jarFile = null; ++ } ++ } ++ } ++ ++ ++ /** + * Copy the specified file or directory to the destination. + * + * @param src File object representing the source +@@ -254,26 +335,61 @@ + + /** + * Delete the specified directory, including all of its contents and +- * subdirectories recursively. ++ * sub-directories recursively. Any failure will be logged. + * + * @param dir File object representing the directory to be deleted + */ + public static boolean delete(File dir) { ++ // Log failure by default ++ return delete(dir, true); ++ } ++ ++ /** ++ * Delete the specified directory, including all of its contents and ++ * sub-directories recursively. ++ * ++ * @param dir File object representing the directory to be deleted ++ * @param logFailure true if failure to delete the resource ++ * should be logged ++ */ ++ public static boolean delete(File dir, boolean logFailure) { ++ boolean result; + if (dir.isDirectory()) { +- return deleteDir(dir); ++ result = deleteDir(dir, logFailure); + } else { +- return dir.delete(); ++ if (dir.exists()) { ++ result = dir.delete(); ++ } else { ++ result = true; ++ } ++ } ++ if (logFailure && !result) { ++ log.error(sm.getString( ++ "expandWar.deleteFailed", dir.getAbsolutePath())); + } ++ return result; + } + + + /** + * Delete the specified directory, including all of its contents and +- * subdirectories recursively. ++ * sub-directories recursively. Any failure will be logged. + * + * @param dir File object representing the directory to be deleted + */ + public static boolean deleteDir(File dir) { ++ return deleteDir(dir, true); ++ } ++ ++ /** ++ * Delete the specified directory, including all of its contents and ++ * sub-directories recursively. 
++ * ++ * @param dir File object representing the directory to be deleted ++ * @param logFailure true if failure to delete the resource ++ * should be logged ++ */ ++ public static boolean deleteDir(File dir, boolean logFailure) { + + String files[] = dir.list(); + if (files == null) { +@@ -282,12 +398,25 @@ + for (int i = 0; i < files.length; i++) { + File file = new File(dir, files[i]); + if (file.isDirectory()) { +- deleteDir(file); ++ deleteDir(file, logFailure); + } else { + file.delete(); + } + } +- return dir.delete(); ++ ++ boolean result; ++ if (dir.exists()) { ++ result = dir.delete(); ++ } else { ++ result = true; ++ } ++ ++ if (logFailure && !result) { ++ log.error(sm.getString( ++ "expandWar.deleteFailed", dir.getAbsolutePath())); ++ } ++ ++ return result; + + } + +@@ -302,11 +431,27 @@ + * @return A handle to the expanded File + * + * @exception IOException if an input/output error occurs ++ * ++ * @deprecated + */ + protected static File expand(InputStream input, File docBase, String name) + throws IOException { +- + File file = new File(docBase, name); ++ expand(input, file); ++ return file; ++ } ++ ++ ++ /** ++ * Expand the specified input stream into the specified file. 
++ * ++ * @param input InputStream to be copied ++ * @param file The file to be created ++ * ++ * @exception IOException if an input/output error occurs ++ */ ++ private static void expand(InputStream input, File file) ++ throws IOException { + BufferedOutputStream output = null; + try { + output = +@@ -327,8 +472,6 @@ + } + } + } +- +- return file; + } + + +diff -Nur tomcat6-6.0.18/java/org/apache/catalina/startup/HostConfig.java tomcat6-6.0.18.new/java/org/apache/catalina/startup/HostConfig.java +--- tomcat6-6.0.18/java/org/apache/catalina/startup/HostConfig.java 2008-07-21 20:01:29.000000000 -0400 ++++ tomcat6-6.0.18.new/java/org/apache/catalina/startup/HostConfig.java 2010-02-11 08:41:29.000000000 -0500 +@@ -26,7 +26,9 @@ + import java.io.InputStream; + import java.util.ArrayList; + import java.util.HashMap; ++import java.util.HashSet; + import java.util.LinkedHashMap; ++import java.util.Set; + import java.util.jar.JarEntry; + import java.util.jar.JarFile; + +@@ -149,6 +151,11 @@ + */ + protected static Digester digester = createDigester(); + ++ /** ++ * The list of Wars in the appBase to be ignored because they are invalid ++ * (e.g. contain /../ sequences). 
++ */ ++ protected Set invalidWars = new HashSet(); + + // ------------------------------------------------------------- Properties + +@@ -701,13 +708,22 @@ + if (files[i].equalsIgnoreCase("WEB-INF")) + continue; + File dir = new File(appBase, files[i]); +- if (files[i].toLowerCase().endsWith(".war") && dir.isFile()) { ++ if (files[i].toLowerCase().endsWith(".war") && dir.isFile() ++ && !invalidWars.contains(files[i]) ) { + + // Calculate the context path and make sure it is unique + String contextPath = "/" + files[i].replace('#','/'); + int period = contextPath.lastIndexOf("."); +- if (period >= 0) +- contextPath = contextPath.substring(0, period); ++ contextPath = contextPath.substring(0, period); ++ ++ // Check for WARs with /../ /./ or similar sequences in the name ++ if (!validateContextPath(appBase, contextPath)) { ++ log.error(sm.getString( ++ "hostConfig.illegalWarName", files[i])); ++ invalidWars.add(files[i]); ++ continue; ++ } ++ + if (contextPath.equals("/ROOT")) + contextPath = ""; + +@@ -725,6 +741,42 @@ + } + + ++ private boolean validateContextPath(File appBase, String contextPath) { ++ // More complicated than the ideal as the canonical path may or may ++ // not end with File.separator for a directory ++ ++ StringBuilder docBase; ++ String canonicalDocBase = null; ++ ++ try { ++ String canonicalAppBase = appBase.getCanonicalPath(); ++ docBase = new StringBuilder(canonicalAppBase); ++ if (canonicalAppBase.endsWith(File.separator)) { ++ docBase.append(contextPath.substring(1).replace( ++ '/', File.separatorChar)); ++ } else { ++ docBase.append(contextPath.replace('/', File.separatorChar)); ++ } ++ // At this point docBase should be canonical but will not end ++ // with File.separator ++ ++ canonicalDocBase = ++ (new File(docBase.toString())).getCanonicalPath(); ++ ++ // If the canonicalDocBase ends with File.separator, add one to ++ // docBase before they are compared ++ if (canonicalDocBase.endsWith(File.separator)) { ++ 
docBase.append(File.separator); ++ } ++ } catch (IOException ioe) { ++ return false; ++ } ++ ++ // Compare the two. If they are not the same, the contextPath must ++ // have /../ like sequences in it ++ return canonicalDocBase.equals(docBase.toString()); ++ } ++ + /** + * @param contextPath + * @param dir +diff -Nur tomcat6-6.0.18/java/org/apache/catalina/startup/LocalStrings.properties tomcat6-6.0.18.new/java/org/apache/catalina/startup/LocalStrings.properties +--- tomcat6-6.0.18/java/org/apache/catalina/startup/LocalStrings.properties 2010-02-11 08:41:13.000000000 -0500 ++++ tomcat6-6.0.18.new/java/org/apache/catalina/startup/LocalStrings.properties 2010-02-11 08:41:29.000000000 -0500 +@@ -57,6 +57,8 @@ + engineConfig.start=EngineConfig: Processing START + engineConfig.stop=EngineConfig: Processing STOP + expandWar.copy=Error copying {0} to {1} ++expandWar.deleteFailed=[{0}] could not be completely deleted. The presence of the remaining files may cause problems ++expandWar.illegalPath=The archive [{0}] is malformed and will be ignored: an entry contains an illegal path [{1}] + hostConfig.appBase=Application base directory {0} does not exist + hostConfig.canonicalizing=Error delete redeploy resources from context [{0}] + hostConfig.cce=Lifecycle event data object {0} is not a Host +@@ -76,6 +78,7 @@ + hostConfig.expand=Expanding web application archive {0} + hostConfig.expand.error=Exception while expanding web application archive {0} + hostConfig.expanding=Expanding discovered web application archives ++hostConfig.illegalWarName=The war name [{0}] is invalid. The archive will be ignored. + hostConfig.jmx.register=Register context [{0}] failed + hostConfig.jmx.unregister=Unregister context [{0}] failed + hostConfig.reload=Reloading context [{0}] --- tomcat6-6.0.18.orig/debian/patches/deploy-webapps-build-xml.patch +++ tomcat6-6.0.18/debian/patches/deploy-webapps-build-xml.patch 
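Review bot: In the WebappClassLoader part of this patch, `setWorkDir` leaves `canonicalLoaderDir` as null when `getCanonicalPath()` throws, and the new containment check then calls `resourceFile.getCanonicalPath().startsWith(canonicalLoaderDir)`, which throws NullPointerException rather than the intended IllegalArgumentException; the surrounding `catch (IOException ioe)` does not cover it. Extraction still stops, but the `webappClassLoader.illegalJarPath` message is lost and the failure looks like a loader bug rather than a rejected JAR entry. Guard it explicitly: `if (canonicalLoaderDir == null || !resourceFile.getCanonicalPath().startsWith(canonicalLoaderDir)) {`. The `if (loaderDir == null)` branch in `setWorkDir` can never be taken right after `new File(workDir, "loader")` and could be dropped. The extraction method's body starts and continues outside the inner hunk.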
@@ -0,0 +1,37 @@ +Index: apache-tomcat-6.0.18-src/build.xml +=================================================================== +--- apache-tomcat-6.0.18-src.orig/build.xml 2008-07-22 02:01:29.000000000 +0200 ++++ apache-tomcat-6.0.18-src/build.xml 2008-08-21 12:16:57.000000000 +0200 +@@ -465,7 +465,7 @@ + + + +- ++ + + +@@ -489,6 +489,13 @@ + + + ++ ++ ++ ++ ++ ++ ++ + + + +@@ -598,9 +605,6 @@ + + + +- +- +- + + + +
+
+-
++
+

Description of the event

+
+ --- tomcat6-6.0.18.orig/debian/patches/use-commons-dbcp.patch +++ tomcat6-6.0.18/debian/patches/use-commons-dbcp.patch @@ -0,0 +1,29 @@ +Index: tomcat6-6.0.18/java/org/apache/naming/factory/Constants.java +=================================================================== +--- tomcat6-6.0.18.orig/java/org/apache/naming/factory/Constants.java 2008-11-25 10:50:38.000000000 +0000 ++++ tomcat6-6.0.18/java/org/apache/naming/factory/Constants.java 2008-11-25 10:51:49.000000000 +0000 +@@ -49,7 +49,7 @@ + Package + ".HandlerFactory"; + + public static final String DBCP_DATASOURCE_FACTORY = +- "org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory"; ++ "org.apache.commons.dbcp.BasicDataSourceFactory"; + + public static final String OPENEJB_EJB_FACTORY = + Package + ".OpenEjbFactory"; +Index: tomcat6-6.0.18/webapps/docs/jndi-resources-howto.xml +=================================================================== +--- tomcat6-6.0.18.orig/webapps/docs/jndi-resources-howto.xml 2008-11-25 10:52:02.000000000 +0000 ++++ tomcat6-6.0.18/webapps/docs/jndi-resources-howto.xml 2008-11-25 10:53:22.000000000 +0000 +@@ -573,9 +573,9 @@ + driverName parameters to match your actual database's + JDBC driver and connection URL.

+ +-

The configuration properties for Tomcat's standard data source ++

The configuration properties for our default data source + resource factory +- (org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory) are ++ (org.apache.commons.dbcp.BasicDataSourceFactory) are + as follows:

+
    +
  • driverClassName - Fully qualified Java class name --- tomcat6-6.0.18.orig/debian/default_root/index.html +++ tomcat6-6.0.18/debian/default_root/index.html @@ -0,0 +1,29 @@ + + + + + Apache Tomcat + + + +

    It works !

    + +

    If you're seeing this page via a web browser, it means you've setup Tomcat successfully. Congratulations!

    + +

    This is the default Tomcat home page. It can be found on the local filesystem at: /var/lib/tomcat6/webapps/ROOT/index.html

    + +

    Tomcat6 veterans might be pleased to learn that this system instance of Tomcat is installed with CATALINA_HOME in /usr/share/tomcat6 and CATALINA_BASE in /var/lib/tomcat6, following the rules from /usr/share/doc/tomcat6-common/RUNNING.txt.gz.

    + +

    You might consider installing the following packages, if you haven't already done so:

    + +

    tomcat6-docs: This package installs a web application that allows to browse the Tomcat 6 documentation locally. Once installed, you can access it by clicking here.

    + +

    tomcat6-examples: This package installs a web application that allows to access the Tomcat 6 Servlet and JSP examples. Once installed, you can access it by clicking here.

    + +

    tomcat6-admin: This package installs two web applications that can help managing this Tomcat instance. Once installed, you can access the manager webapp and the host-manager webapp.

    + +

    NOTE: For security reasons, using the manager webapp is restricted to users with role "manager". The host-manager webapp is restricted to users with role "admin". Users are defined in /etc/tomcat6/tomcat-users.xml.

    + + + --- tomcat6-6.0.18.orig/debian/default_root/META-INF/context.xml +++ tomcat6-6.0.18/debian/default_root/META-INF/context.xml @@ -0,0 +1,2 @@ + --- tomcat6-6.0.18.orig/debian/policy/03catalina.policy +++ tomcat6-6.0.18/debian/policy/03catalina.policy 
@@ -0,0 +1,31 @@
+// ========== CATALINA CODE PERMISSIONS =======================================
+
+
+// These permissions apply to the logging API
+grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" {
+ permission java.util.PropertyPermission "java.util.logging.config.class", "read";
+ permission java.util.PropertyPermission "java.util.logging.config.file", "read";
+ permission java.lang.RuntimePermission "shutdownHooks";
+ permission java.io.FilePermission "${catalina.base}${file.separator}conf${file.separator}logging.properties", "read";
+ permission java.util.PropertyPermission "catalina.base", "read";
+ permission java.util.logging.LoggingPermission "control";
+ permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write";
+ permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write";
+ permission java.lang.RuntimePermission "getClassLoader";
+ // To enable per context logging configuration, permit read access to the appropriate file.
+ // Be sure that the logging configuration is secure before enabling such access
+ // eg for the examples web application:
+ // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read";
+};
+
+// These permissions apply to the server startup code
+grant codeBase "file:${catalina.home}/bin/bootstrap.jar" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to the servlet API classes
+// and those that are shared across all class loaders
+// located in the "lib" directory
+grant codeBase "file:${catalina.home}/lib/-" {
+ permission java.security.AllPermission;
+};
--- tomcat6-6.0.18.orig/debian/policy/04webapps.policy
+++ tomcat6-6.0.18/debian/policy/04webapps.policy
@@ -0,0 +1,59 @@
+// ========== WEB APPLICATION PERMISSIONS =====================================
+
+
+// These permissions are granted by default to all web applications
+// In addition, a web application will be given a read FilePermission
+// and JndiPermission for all files and directories in its document root.
+grant {
+ // Required for JNDI lookup of named JDBC DataSource's and
+ // javamail named MimePart DataSource used to send mail
+ permission java.util.PropertyPermission "java.home", "read";
+ permission java.util.PropertyPermission "java.naming.*", "read";
+ permission java.util.PropertyPermission "javax.sql.*", "read";
+
+ // OS Specific properties to allow read access
+ permission java.util.PropertyPermission "os.name", "read";
+ permission java.util.PropertyPermission "os.version", "read";
+ permission java.util.PropertyPermission "os.arch", "read";
+ permission java.util.PropertyPermission "file.separator", "read";
+ permission java.util.PropertyPermission "path.separator", "read";
+ permission java.util.PropertyPermission "line.separator", "read";
+
+ // JVM properties to allow read access
+ permission java.util.PropertyPermission "java.version", "read";
+ permission java.util.PropertyPermission "java.vendor", "read";
+ permission java.util.PropertyPermission "java.vendor.url", "read";
+ permission java.util.PropertyPermission "java.class.version", "read";
+ permission java.util.PropertyPermission "java.specification.version", "read";
+ permission java.util.PropertyPermission "java.specification.vendor", "read";
+ permission java.util.PropertyPermission "java.specification.name", "read";
+
+ permission java.util.PropertyPermission "java.vm.specification.version", "read";
+ permission java.util.PropertyPermission "java.vm.specification.vendor", "read";
+ permission java.util.PropertyPermission "java.vm.specification.name", "read";
+ permission java.util.PropertyPermission "java.vm.version", "read";
+ permission java.util.PropertyPermission "java.vm.vendor", "read";
+ permission java.util.PropertyPermission "java.vm.name", "read";
+
+ // Required for OpenJMX
+ permission java.lang.RuntimePermission "getAttribute";
+
+ // Allow read of JAXP compliant XML parser debug
+ permission java.util.PropertyPermission "jaxp.debug", "read";
+
+ // Precompiled JSPs need access to this package.
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime";
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*";
+
+ // Example JSPs need those to work properly
+ permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el";
+ permission java.lang.RuntimePermission "accessDeclaredMembers";
+
+ // Precompiled JSPs need access to this system property.
+ permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read";
+
+ // java.io.tmpdir should be usable as a temporary file directory
+ permission java.util.PropertyPermission "java.io.tmpdir", "read";
+ permission java.io.FilePermission "${java.io.tmpdir}/-", "read,write,delete";
+
+};
--- tomcat6-6.0.18.orig/debian/policy/01system.policy
+++ tomcat6-6.0.18/debian/policy/01system.policy
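Review bot: The unconditional `grant { … }` block gives `accessDeclaredMembers` and `accessClassInPackage.org.apache.jasper.el` to every web application, although the comment above those two lines says only the example JSPs need them. `accessDeclaredMembers` lets sandboxed code query the private members of classes through reflection, so it is better scoped to the examples. Moving both lines into a `grant codeBase "file:/usr/share/tomcat6-examples/examples/-" { … };` entry in examples/10examples.policy would keep the default sandbox tighter; the path is taken from that file and should be confirmed as the code base the example JSPs are loaded under. The last entry, `permission java.io.FilePermission "${java.io.tmpdir}/-", "read,write,delete";`, is global as well. If all applications in the instance share one java.io.tmpdir, each can read and delete the others' temporary files, and the comment above it should say so.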
@@ -0,0 +1,52 @@
+// Licensed to the Apache Software Foundation (ASF) under one or more
+// contributor license agreements. See the NOTICE file distributed with
+// this work for additional information regarding copyright ownership.
+// The ASF licenses this file to You under the Apache License, Version 2.0
+// (the "License"); you may not use this file except in compliance with
+// the License. You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// ============================================================================
+// catalina.corepolicy - Security Policy Permissions for Tomcat 6
+//
+// This file contains a default set of security policies to be enforced (by the
+// JVM) when Catalina is executed with the "-security" option. In addition
+// to the permissions granted here, the following additional permissions are
+// granted to the codebase specific to each web application:
+//
+// * Read access to the document root directory
+//
+// $Id: catalina.policy 609294 2008-01-06 11:43:46Z markt $
+// ============================================================================
+
+
+// ========== SYSTEM CODE PERMISSIONS =========================================
+
+
+// These permissions apply to javac
+grant codeBase "file:${java.home}/lib/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to all shared system extensions
+grant codeBase "file:${java.home}/jre/lib/ext/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre
+grant codeBase "file:${java.home}/../lib/-" {
+ permission java.security.AllPermission;
+};
+
+// These permissions apply to all shared system extensions when
+// ${java.home} points at $JAVA_HOME/jre
+grant codeBase "file:${java.home}/lib/ext/-" {
+ permission java.security.AllPermission;
+};
--- tomcat6-6.0.18.orig/debian/policy/02debian.policy
+++ tomcat6-6.0.18/debian/policy/02debian.policy
@@ -0,0 +1,7 @@
+// These permissions apply to all JARs from Debian packages
+grant codeBase "file:/usr/share/java/-" {
+ permission java.security.AllPermission;
+};
+grant codeBase "file:/usr/share/ant/lib/-" {
+ permission java.security.AllPermission;
+};
--- tomcat6-6.0.18.orig/debian/policy/50local.policy
+++ tomcat6-6.0.18/debian/policy/50local.policy
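Review bot: In 02debian.policy the grant for `file:/usr/share/java/-` gives `java.security.AllPermission` to every JAR that any installed package places under that directory, not only to the libraries Tomcat itself loads. The set of fully trusted code therefore grows with each unrelated package install. Listing the individual JARs this package links in would keep the security manager's trust boundary fixed; the same applies to `file:/usr/share/ant/lib/-`. If the wildcard is kept, the header comment should state the consequence, for example `// NOTE: every JAR under /usr/share/java runs with AllPermission when loaded from that path; list individual JARs instead if a tighter sandbox is required`.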
@@ -0,0 +1,32 @@
+// You can assign additional permissions to particular web applications by
+// adding additional "grant" entries here, based on the code base for that
+// application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files.
+//
+// Different permissions can be granted to JSP pages, classes loaded from
+// the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/
+// directory, or even to individual jar files in the /WEB-INF/lib/ directory.
+//
+// For instance, assume that the standard "examples" application
+// included a JDBC driver that needed to establish a network connection to the
+// corresponding database and used the scrape taglib to get the weather from
+// the NOAA web server. You might create a "grant" entries like this:
+//
+// The permissions granted to the context root directory apply to JSP pages.
+// grant codeBase "file:${catalina.base}/webapps/examples/-" {
+// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
+// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+// };
+//
+// The permissions granted to the context WEB-INF/classes directory
+// grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" {
+// };
+//
+// The permission granted to your JDBC driver
+// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" {
+// permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect";
+// };
+// The permission granted to the scrape taglib
+// grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" {
+// permission java.net.SocketPermission "*.noaa.gov:80", "connect";
+// };
+
--- tomcat6-6.0.18.orig/debian/policy/examples/10examples.policy
+++ tomcat6-6.0.18/debian/policy/examples/10examples.policy
@@ -0,0 +1,3 @@ +grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { + permission java.io.FilePermission "/usr/share/tomcat6-examples/examples/WEB-INF/classes/logging.properties", "read"; +}; --- tomcat6-6.0.18.orig/debian/context/host-manager.xml +++ tomcat6-6.0.18/debian/context/host-manager.xml @@ -0,0 +1,20 @@ + + + --- tomcat6-6.0.18.orig/debian/context/manager.xml +++ tomcat6-6.0.18/debian/context/manager.xml @@ -0,0 +1,20 @@ + + + --- tomcat6-6.0.18.orig/debian/context/docs.xml +++ tomcat6-6.0.18/debian/context/docs.xml @@ -0,0 +1,20 @@ + + + --- tomcat6-6.0.18.orig/debian/context/examples.xml +++ tomcat6-6.0.18/debian/context/examples.xml @@ -0,0 +1,2 @@ +