Comment 4 for bug 1166649

Jamie Strandboge (jdstrand) wrote : Re: Multiple open vulnerabilities in tomcat6 in quantal and raring

Thanks for the debdiff!

Since Marc just updated precise, I compared your patches to his and noticed a few things:
 * 0016-CVE-2012-3439.patch should be renamed 0013-CVE-2012-588x.patch since CVE-2012-3439 was split out into CVE-2012-5885, CVE-2012-5886 and CVE-2012-5887 (as mentioned in the changelog)
 * 0016-CVE-2012-3439.patch had some additional whitespace changes not in the upstream patch
 * 0016-CVE-2012-3439.patch does not match the changes in http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java?r1=1380829&r2=1380828&pathrev=1380829. Specifically, your patch retains 'this.' in this chunk, but it should not (i.e., you use !this.opaque.equals):
@@ -587,7 +623,7 @@
             }

             // Validate the opaque string
- if (!this.opaque.equals(opaque)) {
+ if (!opaque.equals(opaqueReceived)) {
                 return false;
             }
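Review bot: On the `+` line, dropping `this.` is only correct together with the rename of the received value to `opaqueReceived`; in the `-` line the bare name `opaque` is the received value, so a backport that removes `this.` but keeps the old name would compare the value with itself and always pass the check. Make sure both changes land in the same patch. Note also that `opaque.equals(opaqueReceived)` dereferences the authenticator's own `opaque` with no null check visible in this hunk, while a null `opaqueReceived` simply yields false, so confirm the field is always set before this validation runs.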
 * 0014-CVE-2012-4431.patch has additional whitespace changes
 * 0015-CVE-2012-4534.patch has additional whitespace and typo changes
 * debian/changelog is not formatted in the normal manner, with one stanza per CVE

It seems like you might have applied the patches by hand. If so, I encourage you to use the 'patch' utility. At this point, since there are now additional fixes, I think I am going to pull Marc's new patches and where the patches differ, update the changelog, run through QRT and publish. Thanks for your work on this!