Change log for tomcat6 package in Ubuntu

Published in precise-updates on 2016-09-19
Published in precise-security on 2016-09-19
tomcat6 (6.0.35-1ubuntu3.8) precise-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat6.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240
  * SECURITY REGRESSION: change in behaviour after security update
    - debian/patches/CVE-2015-5345-2.patch: change
      mapperContextRootRedirectEnabled default to true in
      java/org/apache/catalina/core/StandardContext.java,
      webapps/docs/config/context.xml. This reverts the change in behaviour
      following the CVE-2015-5345 security update and was also done
      upstream in later releases.

 -- Marc Deslauriers <email address hidden>  Fri, 16 Sep 2016 09:34:48 -0400
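
The CVE-2016-1240 item above is a privileged init script that followed a symlink when it handled catalina.out. The block below is an added Python example, not the package's init script (which is shell), showing the property the fix needs: open the log with O_NOFOLLOW and then operate on the descriptor, so a symlink planted by the unprivileged service user cannot redirect a later chown or chmod performed as root. The demo scenario, the paths and the UnsafeLogPath name are this example's own.

```python
import errno
import os
import shutil
import stat
import tempfile


class UnsafeLogPath(Exception):
    """The log path is a symlink or otherwise not a plain file."""


def open_log_nofollow(path, mode=0o640):
    """Open (creating if absent) a log file without following a symlink.

    Returns a file descriptor. Any later ownership or mode change should be
    done with os.fchown()/os.fchmod() on this descriptor, never on the path
    name, so nothing can be swapped in between the check and the privileged
    operation.
    """
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW
    try:
        fd = os.open(path, flags, mode)
    except OSError as exc:
        # O_NOFOLLOW reports a symlink at the final component as ELOOP
        # (EMLINK on some BSDs); anything else is an ordinary I/O failure.
        if exc.errno in (errno.ELOOP, errno.EMLINK):
            raise UnsafeLogPath("refusing to follow symlink at %s" % path) from exc
        raise
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode):
        os.close(fd)
        raise UnsafeLogPath("%s is not a regular file" % path)
    return fd


def demo_symlink_attack():
    """Constructed scenario: the service account plants a symlink named
    catalina.out that points at a file it must not gain control of."""
    workdir = tempfile.mkdtemp(prefix="tomcat-logs-")
    try:
        victim = os.path.join(workdir, "victim-file")  # stands in for /etc/shadow
        with open(victim, "w") as f:
            f.write("sensitive\n")
        planted = os.path.join(workdir, "catalina.out")
        os.symlink(victim, planted)

        result = {"symlink_refused": False, "regular_file_opened": False}
        try:
            os.close(open_log_nofollow(planted))
        except UnsafeLogPath:
            result["symlink_refused"] = True

        # Remove the planted link; a genuine log file is then created and opened.
        os.unlink(planted)
        fd = open_log_nofollow(planted)
        result["regular_file_opened"] = stat.S_ISREG(os.fstat(fd).st_mode)
        os.close(fd)
        return result
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    print(demo_symlink_attack())
```

demo_symlink_attack() refuses the planted link and then creates a real catalina.out; with the descriptor in hand, os.fchown(fd, uid, gid) is the safe way to hand the file to the service account.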
Superseded in precise-updates on 2016-09-19
Superseded in precise-security on 2016-09-19
tomcat6 (6.0.35-1ubuntu3.7) precise-security; urgency=medium

  * SECURITY UPDATE: directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix normalization edge cases in
      java/org/apache/tomcat/util/http/RequestUtil.java.
    - CVE-2015-5174
  * SECURITY UPDATE: information disclosure via redirects by mapper
    - debian/patches/CVE-2015-5345.patch: fix redirect logic in
      java/org/apache/catalina/Context.java,
      java/org/apache/catalina/authenticator/FormAuthenticator.java,
      java/org/apache/catalina/connector/MapperListener.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/mbeans-descriptors.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/WebdavServlet.java,
      java/org/apache/tomcat/util/http/mapper/Mapper.java,
      webapps/docs/config/context.xml.
    - CVE-2015-5345
  * SECURITY UPDATE: securityManager restrictions bypass via
    StatusManagerServlet
    - debian/patches/CVE-2016-0706.patch: place servlet in restricted list
      in java/org/apache/catalina/core/RestrictedServlets.properties.
    - CVE-2016-0706
  * SECURITY UPDATE: securityManager restrictions bypass via
    session-persistence implementation
    - debian/patches/CVE-2016-0714.patch: extend the session attribute
      filtering options in
      java/org/apache/catalina/ha/session/mbeans-descriptors.xml,
      java/org/apache/catalina/session/LocalStrings.properties,
      java/org/apache/catalina/session/ManagerBase.java,
      java/org/apache/catalina/session/mbeans-descriptors.xml,
      webapps/docs/config/cluster-manager.xml,
      webapps/docs/config/manager.xml,
      java/org/apache/catalina/session/StandardManager.java,
      java/org/apache/catalina/util/CustomObjectInputStream.java.
    - CVE-2016-0714
  * SECURITY UPDATE: securityManager restrictions bypass via crafted global
    context
    - debian/patches/CVE-2016-0763.patch: protect initialization in
      java/org/apache/naming/factory/ResourceLinkFactory.java.
    - CVE-2016-0763
  * SECURITY UPDATE: denial of service in FileUpload
    - debian/patches/CVE-2016-3092.patch: properly handle size in
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2016-3092

 -- Marc Deslauriers <email address hidden>  Wed, 29 Jun 2016 14:00:46 -0400
Deleted in yakkety-release (Reason: (From Debian) ROM; No longer used; Debian bug #832023)
Published in xenial-release on 2016-02-28
Deleted in xenial-proposed (Reason: moved to release)
tomcat6 (6.0.45+dfsg-1) unstable; urgency=medium

  * Team upload.
  * Imported Upstream version 6.0.45+dfsg.
    - Remove all prebuilt jar files.
  * Declare compliance with Debian Policy 3.9.7.
  * Vcs-fields: Use https.
  * This update fixes the following security vulnerabilities in the source
    package. Since src:tomcat6 only builds libservlet2.5-java and
    documentation, users are not directly affected.
    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
      processes redirects before considering security constraints and Filters.
    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
      org.apache.catalina.manager.StatusManagerServlet on the
      org/apache/catalina/core/RestrictedServlets.properties list which allows
      remote authenticated users to bypass intended SecurityManager
      restrictions.
    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
      before 6.0.45 mishandles session attributes, which allows remote
      authenticated users to bypass intended SecurityManager restrictions.
    - CVE-2016-0763: The setGlobalContext method in
      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
      not consider whether ResourceLinkFactory.setGlobalContext callers are
      authorized, which allows remote authenticated users to bypass intended
      SecurityManager restrictions and read or write to arbitrary application
      data, or cause a denial of service (application disruption), via a web
      application that sets a crafted global context.
    - CVE-2015-5351: The Manager and Host Manager applications in
      Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
      requests, which allows remote attackers to bypass a CSRF protection
      mechanism by using a token.

 -- Markus Koschany <email address hidden>  Sat, 27 Feb 2016 19:32:00 +0100
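
Both the 6.0.35-1ubuntu3.7 and the 6.0.45+dfsg-1 entries list CVE-2015-5174, a directory traversal in the path normalization done by RequestUtil.java. The block below is an added Python example, not Tomcat's code, of a normalizer that handles the cases such code has to get right: repeated slashes, `.` and `..` segments in the middle or at the end of the path, `..` that would climb above the root, and percent-encoded dots, while treating an encoded slash as an error by default. Function names and the rejection policy are this example's own.

```python
from urllib.parse import unquote


def normalize(path):
    """Collapse '.', '..' and '//' in a URL path.

    Returns the normalized path, or None when the path is empty, contains a
    NUL or backslash, or would climb above the root. A trailing slash is kept
    so directory and file requests stay distinguishable.
    """
    if not path or "\0" in path or "\\" in path:
        return None
    if not path.startswith("/"):
        path = "/" + path
    parts = []
    for segment in path.split("/"):
        if segment == "" or segment == ".":
            continue            # '//' and '/./' add nothing
        if segment == "..":
            if not parts:
                return None     # '/..' or '/a/../..' escapes the root
            parts.pop()
            continue
        parts.append(segment)
    result = "/" + "/".join(parts)
    if path.endswith("/") and result != "/":
        result += "/"
    return result


def decode_and_normalize(raw_path, allow_encoded_slash=False):
    """Percent-decode, then normalize; encoded slashes are refused by default
    so '%2f' cannot smuggle a separator past an earlier check."""
    if not allow_encoded_slash and "%2f" in raw_path.lower():
        return None
    return normalize(unquote(raw_path))


if __name__ == "__main__":
    for p in ("/app/./css//style.css", "/app/..", "/a/b/../", "/..",
              "/app/%2e%2e/%2e%2e/etc/passwd", "/app%2fconf/web.xml"):
        print(repr(p), "->", repr(decode_and_normalize(p)))
```

Callers should decode first and normalize second, as decode_and_normalize does, and treat None as a 400, not as "serve the root".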

Superseded in precise-updates on 2016-07-05
Superseded in precise-security on 2016-07-05
tomcat6 (6.0.35-1ubuntu3.6) precise-security; urgency=medium

  * SECURITY UPDATE: HTTP request smuggling or denial of service via
    streaming with malformed chunked transfer encoding (LP: #1449975)
    - debian/patches/CVE-2014-0227.patch: add error flag and improve i18n
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      java/org/apache/coyote/http11/filters/LocalStrings.properties.
    - CVE-2014-0227
  * SECURITY UPDATE: denial of service via aborted upload attempts
    (LP: #1449975)
    - debian/patches/CVE-2014-0230.patch: limit amount of data in
      java/org/apache/coyote/Constants.java,
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      java/org/apache/coyote/http11/filters/IdentityInputFilter.java,
      java/org/apache/coyote/http11/filters/LocalStrings.properties,
      webapps/docs/config/systemprops.xml.
    - CVE-2014-0230
  * SECURITY UPDATE: SecurityManager bypass via Expression Language
    - debian/patches/CVE-2014-7810.patch: handle classes that may not be
      accessible but have accessible interfaces in
      java/javax/el/BeanELResolver.java, remove unnecessary code in
      java/org/apache/jasper/runtime/PageContextImpl.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2014-7810

 -- Marc Deslauriers <email address hidden>  Mon, 22 Jun 2015 08:16:23 -0400
Superseded in xenial-release on 2016-02-28
Published in wily-release on 2015-08-17
Deleted in wily-proposed (Reason: moved to release)
tomcat6 (6.0.41-4) unstable; urgency=medium

  * Removed the timestamp from the Javadoc of the Servlet API
    to make the build reproducible

 -- Emmanuel Bourg <email address hidden>  Wed, 06 May 2015 09:35:37 +0200

Superseded in wily-proposed on 2015-05-06
Deleted in vivid-proposed on 2015-05-08 (Reason: Moved to wily-proposed)
tomcat6 (6.0.41-3) unstable; urgency=medium


  * Build only the libservlet2.5-java and libservlet2.5-java-doc packages.
    Tomcat 6 will not be supported in Jessie, but the Servlet API is still
    useful as a build dependency for other packages.
  * Standards-Version updated to 3.9.6 (no changes)

 -- Emmanuel Bourg <email address hidden>  Wed, 22 Oct 2014 09:48:54 +0200
Superseded in precise-updates on 2015-06-25
Superseded in precise-security on 2015-06-25
tomcat6 (6.0.35-1ubuntu3.5) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via malformed chunk size
    - debian/patches/CVE-2014-0075.patch: fix overflow in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2014-0075
  * SECURITY UPDATE: file disclosure via XXE issue
    - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a
      relative path in conf/web.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/LocalStrings.properties,
      webapps/docs/default-servlet.xml.
    - CVE-2014-0096
  * SECURITY UPDATE: HTTP request smuggling attack via crafted
    Content-Length HTTP header
    - debian/patches/CVE-2014-0099.patch: correctly handle long values in
      java/org/apache/tomcat/util/buf/Ascii.java.
    - CVE-2014-0099
 -- Marc Deslauriers <email address hidden>   Thu, 24 Jul 2014 15:38:01 -0400
Obsolete in lucid-updates on 2016-10-26
Obsolete in lucid-security on 2016-10-26
tomcat6 (6.0.24-2ubuntu1.16) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service via malformed chunk size
    - debian/patches/CVE-2014-0075.patch: fix overflow in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2014-0075
  * SECURITY UPDATE: file disclosure via XXE issue
    - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a
      relative path in conf/web.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/LocalStrings.properties,
      webapps/docs/default-servlet.xml.
    - CVE-2014-0096
  * SECURITY UPDATE: HTTP request smuggling attack via crafted
    Content-Length HTTP header
    - debian/patches/CVE-2014-0099.patch: correctly handle long values in
      java/org/apache/tomcat/util/buf/Ascii.java.
    - CVE-2014-0099
 -- Marc Deslauriers <email address hidden>   Thu, 24 Jul 2014 15:49:36 -0400
Superseded in wily-release on 2015-08-17
Published in vivid-release on 2014-10-23
Obsolete in utopic-release on 2016-11-03
Deleted in utopic-proposed (Reason: moved to release)
tomcat6 (6.0.41-1) unstable; urgency=medium


  * New upstream release.
    - Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Thu, 22 May 2014 10:03:04 +0200

Superseded in lucid-updates on 2014-07-30
Superseded in lucid-security on 2014-07-30
tomcat6 (6.0.24-2ubuntu1.15) lucid-security; urgency=medium

  * SECURITY UPDATE: request smuggling attack via content-length headers
    - debian/patches/CVE-2013-4286.patch: handle multiple content lengths
      in java/org/apache/coyote/ajp/AbstractAjpProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java, handle content length
      and chunked encoding being both specified in
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/coyote/http11/Http11Processor.java.
    - CVE-2013-4286
  * SECURITY UPDATE: denial of service via chunked transfer coding
    - debian/patches/CVE-2013-4322.patch: limit length of extension data in
      java/org/apache/coyote/Constants.java,
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      webapps/docs/config/systemprops.xml.
    - CVE-2013-4322
 -- Marc Deslauriers <email address hidden>   Wed, 05 Mar 2014 14:53:54 -0500
Superseded in precise-updates on 2014-07-30
Superseded in precise-security on 2014-07-30
tomcat6 (6.0.35-1ubuntu3.4) precise-security; urgency=medium

  * SECURITY UPDATE: request smuggling attack via content-length headers
    - debian/patches/CVE-2013-4286.patch: handle multiple content lengths
      in java/org/apache/coyote/ajp/AbstractAjpProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java, handle content length
      and chunked encoding being both specified in
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/coyote/http11/Http11Processor.java.
    - CVE-2013-4286
  * SECURITY UPDATE: denial of service via chunked transfer coding
    - debian/patches/CVE-2013-4322.patch: limit length of extension data in
      java/org/apache/coyote/Constants.java,
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      webapps/docs/config/systemprops.xml.
    - CVE-2013-4322
  * SECURITY UPDATE: session fixation attack via crafted URL
    - debian/patches/CVE-2014-0033.patch: properly handle
      disableURLRewriting in
      java/org/apache/catalina/connector/CoyoteAdapter.java.
    - CVE-2014-0033
 -- Marc Deslauriers <email address hidden>   Tue, 04 Mar 2014 11:14:51 -0500
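
Several entries on this page concern how the connector decides where a request body ends: CVE-2013-4286 and CVE-2013-4322 in the two entries just above, CVE-2014-0075 and CVE-2014-0099 in 6.0.35-1ubuntu3.5, and CVE-2014-0227 in 6.0.35-1ubuntu3.6. The block below is an added Python example, not Tomcat's coyote code, of those framing checks: conflicting Content-Length values and Content-Length combined with Transfer-Encoding: chunked are rejected rather than guessed at, Content-Length is parsed as a bounded integer, and a chunk-size line is refused when its hex value would overflow or its extension is oversized. The limits, and the choice to reject an ambiguous message rather than drop Content-Length, are this example's own.

```python
import re

MAX_CONTENT_LENGTH = 2**63 - 1       # largest value a Java long can hold
MAX_CHUNK_SIZE = 2**31 - 1           # assumed cap: an int that must not wrap
MAX_CHUNK_EXTENSION_BYTES = 8192     # assumed cap on chunk extension data

_DIGITS = re.compile(r"^[0-9]+$")


class BadRequest(Exception):
    """The request must be answered with 400 and the connection closed."""


def parse_headers(raw):
    """Parse a CRLF-separated header block into (lowercased name, value) pairs.
    Duplicates are kept on purpose so the framing checks can see them."""
    headers = []
    for line in raw.split("\r\n"):
        if not line:
            continue
        if ":" not in line:
            raise BadRequest("malformed header line")
        name, value = line.split(":", 1)
        headers.append((name.strip().lower(), value.strip()))
    return headers


def parse_content_length(value):
    """Digits only, no sign, no whitespace, and bounded (no silent wrap)."""
    if not _DIGITS.match(value):
        raise BadRequest("non-numeric Content-Length")
    n = int(value)
    if n > MAX_CONTENT_LENGTH:
        raise BadRequest("Content-Length exceeds 64-bit signed range")
    return n


def body_framing(headers):
    """Return ('chunked', None), ('length', n) or ('none', 0).

    Raises BadRequest when the headers are ambiguous, which is exactly what a
    smuggling attack relies on: two parsers in the chain disagreeing about
    where the body ends.
    """
    lengths = [v for name, v in headers if name == "content-length"]
    codings = [c.strip().lower()
               for name, v in headers if name == "transfer-encoding"
               for c in v.split(",")]
    if codings:
        if codings[-1] != "chunked":
            raise BadRequest("final transfer coding must be chunked")
        if lengths:
            # RFC 7230 section 3.3.3: both present is a likely smuggling attempt.
            raise BadRequest("Content-Length together with Transfer-Encoding: chunked")
        return ("chunked", None)
    if len(set(lengths)) > 1:
        raise BadRequest("conflicting Content-Length values")
    if lengths:
        return ("length", parse_content_length(lengths[0]))
    return ("none", 0)


def parse_chunk_size_line(line):
    """Parse 'HEX[;extension]' into a chunk size, refusing overflow and
    oversized extensions instead of letting them reach the buffer code."""
    size_part, _, extension = line.partition(";")
    size_part = size_part.strip()
    if not size_part or any(c not in "0123456789abcdefABCDEF" for c in size_part):
        raise BadRequest("malformed chunk size")
    size = 0
    for ch in size_part:
        size = size * 16 + int(ch, 16)
        if size > MAX_CHUNK_SIZE:
            raise BadRequest("chunk size overflow")
    if len(extension) > MAX_CHUNK_EXTENSION_BYTES:
        raise BadRequest("chunk extension too long")
    return size


def framing_verdict(raw_headers):
    """Convenience wrapper: 'reject', 'chunked', 'none' or 'length=N'."""
    try:
        kind, n = body_framing(parse_headers(raw_headers))
    except BadRequest:
        return "reject"
    return "length=%d" % n if kind == "length" else kind


def chunk_verdict(line):
    """Convenience wrapper: the chunk size, or -1 when the line is rejected."""
    try:
        return parse_chunk_size_line(line)
    except BadRequest:
        return -1
```

Used in front of a real parser, anything that comes back as "reject" should also close the connection, since the bytes that follow on the wire cannot be attributed to a request boundary the server agrees on.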
Superseded in utopic-release on 2014-05-24
Published in trusty-release on 2014-02-24
Deleted in trusty-proposed (Reason: moved to release)
tomcat6 (6.0.39-1) unstable; urgency=medium


  * Team upload.
  * New upstream release.
    - Refreshed the patches
  * Standards-Version updated to 3.9.5 (no changes)
  * Switch to debhelper level 9
  * Use XZ compression for the upstream tarball
  * Use canonical URL for the Vcs-Git field

 -- Emmanuel Bourg <email address hidden>  Mon, 17 Feb 2014 00:02:00 +0100

Superseded in trusty-release on 2014-02-24
Obsolete in saucy-release on 2015-04-24
Deleted in saucy-proposed on 2015-04-28 (Reason: moved to release)
tomcat6 (6.0.37-1) unstable; urgency=low


  * New upstream release.
    - Drop patches for CVE-2012-4534, CVE-2012-4431, CVE-2012-3546,
      CVE-2012-2733, CVE-2012-3439
    - Drop 0011-CVE-02012-0022-regression-fix.patch
    - Drop 0017-eclipse-compiler-update.patch
  * Freshened remaining patches.

 -- tony mancill <email address hidden>  Sat, 03 Aug 2013 21:50:20 -0700

Obsolete in quantal-updates on 2015-04-24
Obsolete in quantal-security on 2015-04-24
tomcat6 (6.0.35-5ubuntu0.1) quantal-security; urgency=low

  [ Christian Kuersteiner ]
  * SECURITY UPDATE: denial of service via large header data
    - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2012-2733
    - LP: #1166649
  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534

  [ Jamie Strandboge ]
  * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
    - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
      authenticated user in the session by default, track server rather
      than client nonces, better handling of stale nonce values in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java.
      Patch from Marc Deslauriers.
    - CVE-2012-3439
    - CVE-2012-5885
    - CVE-2012-5886
    - CVE-2012-5887
  * SECURITY UPDATE: denial of service via chunked transfer encoding
    - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
      Patch from Marc Deslauriers.
    - CVE-2012-3544
  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID
      in java/org/apache/catalina/authenticator/FormAuthenticator.java.
      Patch from Marc Deslauriers.
    - CVE-2013-2067
 -- Jamie Strandboge <email address hidden>   Tue, 28 May 2013 15:11:06 -0500
Superseded in precise-updates on 2014-03-06
Superseded in precise-security on 2014-03-06
tomcat6 (6.0.35-1ubuntu3.3) precise-security; urgency=low

  * SECURITY UPDATE: denial of service via chunked transfer encoding
    - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2012-3544
  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID
      in java/org/apache/catalina/authenticator/FormAuthenticator.java.
    - CVE-2013-2067
 -- Marc Deslauriers <email address hidden>   Tue, 21 May 2013 09:39:22 -0400
Superseded in lucid-updates on 2014-03-06
Superseded in lucid-security on 2014-03-06
tomcat6 (6.0.24-2ubuntu1.13) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service via chunked transfer encoding
    - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2012-3544
  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID
      in java/org/apache/catalina/authenticator/FormAuthenticator.java.
    - CVE-2013-2067
 -- Marc Deslauriers <email address hidden>   Tue, 21 May 2013 10:03:26 -0400
Superseded in precise-updates on 2013-05-28
Superseded in precise-security on 2013-05-28
tomcat6 (6.0.35-1ubuntu3.2) precise-security; urgency=low

  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534
 -- Marc Deslauriers <email address hidden>   Thu, 10 Jan 2013 09:51:09 -0500
Obsolete in oneiric-updates on 2015-04-24
Obsolete in oneiric-security on 2015-04-24
tomcat6 (6.0.32-5ubuntu1.4) oneiric-security; urgency=low

  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534
 -- Marc Deslauriers <email address hidden>   Thu, 10 Jan 2013 10:00:07 -0500
Superseded in lucid-updates on 2013-05-28
Superseded in lucid-security on 2013-05-28
tomcat6 (6.0.24-2ubuntu1.12) lucid-security; urgency=low

  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534
 -- Marc Deslauriers <email address hidden>   Thu, 10 Jan 2013 10:03:38 -0500
Superseded in saucy-release on 2013-08-04
Obsolete in raring-release on 2015-04-24
Deleted in raring-proposed on 2015-04-27 (Reason: moved to release)
tomcat6 (6.0.35-6) unstable; urgency=high


  * Acknowledge NMU: 6.0.35-5+nmu1 (Closes: #692440)
    - Thank you to Michael Gilbert.
  * Add patches for the following security issues: (Closes: #695250)
    - CVE-2012-4534, CVE-2012-4431, CVE-2012-3546

 -- tony mancill <email address hidden>  Thu, 06 Dec 2012 21:10:11 -0800

Superseded in precise-updates on 2013-01-14
Superseded in precise-security on 2013-01-14
tomcat6 (6.0.35-1ubuntu3.1) precise-security; urgency=low

  * SECURITY UPDATE: denial of service via large header data
    - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2012-2733
  * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
    - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
      authenticated user in the session by default, track server rather
      than client nonces, better handling of stale nonce values in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java.
    - CVE-2012-3439
    - CVE-2012-5885
    - CVE-2012-5886
    - CVE-2012-5887
 -- Marc Deslauriers <email address hidden>   Wed, 21 Nov 2012 10:36:18 -0500
Superseded in lucid-updates on 2013-01-14
Superseded in lucid-security on 2013-01-14
tomcat6 (6.0.24-2ubuntu1.11) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service via large header data
    - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2012-2733
  * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
    - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
      authenticated user in the session by default, track server rather
      than client nonces, better handling of stale nonce values in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java.
    - CVE-2012-3439
    - CVE-2012-5885
    - CVE-2012-5886
    - CVE-2012-5887
 -- Marc Deslauriers <email address hidden>   Wed, 21 Nov 2012 10:44:41 -0500
Superseded in oneiric-updates on 2013-01-14
Superseded in oneiric-security on 2013-01-14
tomcat6 (6.0.32-5ubuntu1.3) oneiric-security; urgency=low

  * SECURITY UPDATE: denial of service via large header data
    - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2012-2733
  * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
    - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
      authenticated user in the session by default, track server rather
      than client nonces, better handling of stale nonce values in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java.
    - CVE-2012-3439
    - CVE-2012-5885
    - CVE-2012-5886
    - CVE-2012-5887
 -- Marc Deslauriers <email address hidden>   Wed, 21 Nov 2012 10:43:09 -0500
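
The CVE-2012-588x items above (present in the precise, lucid and oneiric entries and in 6.0.35-5ubuntu0.1) describe three changes to DigestAuthenticator: do not cache the authenticated user in the session, track the nonces the server issued instead of trusting the client's, and handle stale nonces properly. The block below is an added Python example, not Tomcat's code, of a server-side nonce store with those properties, together with the RFC 2617 response computation so that a full check can be exercised: a replayed Authorization header (same nonce, same nc) is refused, a nonce the client invented is unknown, and an expired nonce is reported as stale so the client can retry. The validity window, the names and the demo exchange are this example's own.

```python
import hashlib
import hmac
import os
import time


def _md5(text):
    # RFC 2617 Digest is built on MD5; that is the protocol, not a choice here.
    return hashlib.md5(text.encode()).hexdigest()


class NonceStore:
    """Server-side record of the nonces this server issued.

    Each entry remembers when the nonce was issued and the highest nonce
    count (nc) accepted for it, so a captured Authorization header cannot be
    replayed and a nonce the client made up is simply unknown.
    """

    def __init__(self, validity_seconds=300, max_entries=1000, clock=time.time):
        self.validity = validity_seconds
        self.max_entries = max_entries
        self.clock = clock
        self._entries = {}  # nonce -> [issued_at, last_nc]

    def issue(self):
        now = self.clock()
        self._purge(now)
        if len(self._entries) >= self.max_entries:
            oldest = min(self._entries, key=lambda n: self._entries[n][0])
            del self._entries[oldest]   # that client simply re-authenticates
        nonce = os.urandom(16).hex()
        self._entries[nonce] = [now, 0]
        return nonce

    def _purge(self, now):
        for nonce in [n for n, (t, _) in self._entries.items() if now - t > self.validity]:
            del self._entries[nonce]

    def status(self, nonce):
        """'ok' if usable, 'stale' if expired (client should retry with a fresh
        nonce), 'bad' if this server never issued it."""
        entry = self._entries.get(nonce)
        if entry is None:
            return "bad"
        if self.clock() - entry[0] > self.validity:
            del self._entries[nonce]
            return "stale"
        return "ok"

    def record(self, nonce, nc):
        """Consume nonce count nc; False means it was already used (replay)."""
        entry = self._entries[nonce]
        if nc <= entry[1]:
            return False
        entry[1] = nc
        return True


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    ha1 = _md5("%s:%s:%s" % (username, realm, password))
    ha2 = _md5("%s:%s" % (method, uri))
    return _md5("%s:%s:%08x:%s:%s:%s" % (ha1, nonce, nc, cnonce, qop, ha2))


def authenticate(store, users, realm, method, uri, auth):
    """auth: parsed Authorization parameters. Returns 'ok', 'stale' or 'bad'.
    Nothing is cached in a session; every request is checked on its own."""
    nonce = auth["nonce"]
    status = store.status(nonce)
    if status != "ok":
        return status
    password = users.get(auth["username"])
    if password is None:
        return "bad"
    nc = int(auth["nc"], 16)
    expected = digest_response(auth["username"], realm, password, method, uri,
                               nonce, nc, auth["cnonce"])
    if not hmac.compare_digest(expected, auth["response"]):
        return "bad"
    # Only a correct response consumes the nonce count; garbage must not burn counts.
    return "ok" if store.record(nonce, nc) else "bad"


def demo_replay():
    """Constructed exchange with a controllable clock; returns the verdicts."""
    clock = [1000.0]
    store = NonceStore(validity_seconds=300, clock=lambda: clock[0])
    users = {"alice": "s3cret"}
    realm = "Example Realm"
    nonce = store.issue()

    def request(nc, password="s3cret", nonce=nonce):
        response = digest_response("alice", realm, password, "GET", "/app/", nonce, nc, "c0ffee")
        return {"username": "alice", "nonce": nonce, "nc": "%08x" % nc,
                "cnonce": "c0ffee", "response": response}

    check = lambda auth: authenticate(store, users, realm, "GET", "/app/", auth)
    verdicts = {"first": check(request(1)), "replay": check(request(1)),
                "next": check(request(2)), "wrong_password": check(request(3, "guess")),
                "client_nonce": check(request(3, nonce="deadbeef"))}
    clock[0] += 600   # past the validity window
    verdicts["stale"] = check(request(3))
    return verdicts
```

A "stale" verdict maps to a 401 with stale=true in WWW-Authenticate, so a client that still knows the password retries without prompting the user; "bad" maps to a plain 401.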
Superseded in raring-release on 2012-12-08
Deleted in raring-proposed on 2012-12-09 (Reason: moved to release)
tomcat6 (6.0.35-5+nmu1) unstable; urgency=high


  * Non-maintainer upload.
  * Fix multiple security issues (closes: #692440)
    - cve-2012-2733: denial-of-service by triggering out of memory error.
    - cve-2012-3439: multiple replay attack issues in digest authentication. 

 -- Michael Gilbert <email address hidden>  Sat, 17 Nov 2012 23:15:03 +0000

Superseded in raring-release on 2012-11-18
Obsolete in quantal-release on 2015-04-24
tomcat6 (6.0.35-5) unstable; urgency=low


  * Apply patch to README.Debian to explain setting the HTTPOnly flag
    in cookies by default; CVE-2010-4312. (Closes: #608286)
    - Thank you to Thijs Kinkhorst for the patch.
  * Use ucf and a template for /etc/logrotate.d/tomcat6 file to avoid
    updating the shipped conffile. (Closes: #687818)

 -- tony mancill <email address hidden>  Mon, 06 Aug 2012 21:29:11 -0700

Superseded in quantal-release on 2012-09-27
Superseded in quantal-release on 2012-07-19
tomcat6 (6.0.35-4) unstable; urgency=low


  [ tony mancill ]
  * Team upload.
  * Apply patch from James Page (Closes: #671373)
    - d/tomcat6-instance-create: Quote access to files and directories
      so that spaces can be used when creating user instances.
    - d/tomcat6.init: Make NAME dynamic, to allow starting multiple
      instances. (Closes: #299635)

  [ Miguel Landaeta ]
  * Add Slovak debconf translation (Closes: #677912).
    - Thanks to Ivan Masár.

 -- Miguel Landaeta <email address hidden>  Sun, 17 Jun 2012 18:57:50 -0430
Superseded in quantal-release on 2012-06-29
tomcat6 (6.0.35-3ubuntu2) quantal; urgency=low

  * No-change rebuild with openjdk-7 as default-jdk.
 -- James Page <email address hidden>   Fri, 18 May 2012 11:47:44 +0100

Superseded in quantal-release on 2012-05-18
tomcat6 (6.0.35-3ubuntu1) quantal; urgency=low

  * Merge from Debian Unstable, remaining changes:
    - d/tomcat6-instance-create: Quote access to files and directories
      so that spaces can be used when creating user instances.
    - d/tomcat6.init: Make NAME dynamic, to allow starting multiple instances.

Superseded in quantal-release on 2012-05-03
Published in precise-release on 2012-04-11
tomcat6 (6.0.35-1ubuntu3) precise; urgency=low

  * Handle creation of user instances with pathnames containing spaces
    (LP: #977498):
    - d/tomcat6-instance-create: Quote access to files and directories
      so that spaces can be used when creating user instances.
 -- James Page <email address hidden>   Wed, 11 Apr 2012 10:29:11 +0100
Superseded in precise-release on 2012-04-11
tomcat6 (6.0.35-1ubuntu2) precise; urgency=low

  * init: Make NAME dynamic, to allow starting multiple instances.
 -- Timo Aaltonen <email address hidden>   Fri, 16 Mar 2012 16:31:20 +0200

Superseded in precise-release on 2012-03-16
tomcat6 (6.0.35-1ubuntu1) precise; urgency=low

  * debian/patches/0011-CVE-2012-0022-regression-fix.patch: fix regression
    from the CVE-2012-0022 security fix that went into 6.0.35.
 -- Marc Deslauriers <email address hidden>   Mon, 13 Feb 2012 09:03:18 -0500

Superseded in lucid-updates on 2012-11-21
Superseded in lucid-security on 2012-11-21
Deleted in lucid-proposed on 2012-11-23 (Reason: moved to -updates)
tomcat6 (6.0.24-2ubuntu1.10) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022
 -- Marc Deslauriers <email address hidden>   Wed, 25 Jan 2012 14:35:46 -0500
Obsolete in maverick-updates on 2013-03-05
Obsolete in maverick-security on 2013-03-05
Deleted in maverick-proposed on 2013-03-05 (Reason: moved to -updates)
tomcat6 (6.0.28-2ubuntu1.6) maverick-security; urgency=low

  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022
 -- Marc Deslauriers <email address hidden>   Wed, 25 Jan 2012 14:09:00 -0500
Obsolete in natty-updates on 2013-06-04
Obsolete in natty-security on 2013-06-04
Deleted in natty-proposed on 2013-06-04 (Reason: moved to -updates)
tomcat6 (6.0.28-10ubuntu2.3) natty-security; urgency=low

  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022
 -- Marc Deslauriers <email address hidden>   Wed, 25 Jan 2012 13:42:23 -0500
Superseded in oneiric-updates on 2012-11-21
Superseded in oneiric-security on 2012-11-21
Deleted in oneiric-proposed on 2012-11-23 (Reason: moved to -updates)
tomcat6 (6.0.32-5ubuntu1.2) oneiric-security; urgency=low

  * SECURITY UPDATE: cross-request information leakage
    - debian/patches/0016-CVE-2011-3375.patch: ensure that the request and
      response objects are recycled after being re-populated in
      java/org/apache/catalina/connector/CoyoteAdapter.java,
      java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/coyote/http11/Http11Processor.java.
    - CVE-2011-3375
  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0017-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FilterBase.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/filter.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022
 -- Marc Deslauriers <email address hidden>   Wed, 25 Jan 2012 09:00:23 -0500
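
The CVE-2011-4858 / CVE-2012-0022 entries above (the oneiric one here and the lucid, maverick and natty copies) describe the fix for hash-collision denial of service: cap the number of request parameters while they are being parsed, and add a FailedRequestFilter that rejects any request whose parsing was cut short. The block below is an added Python example, not Tomcat's code, that makes the cost visible with a deliberately weak hash table: thousands of parameter names that all collide cost n(n-1)/2 key comparisons when unbounded, and at most 100*99/2 once the limit is enforced before each insert. The hash function, the limit values and the demo are this example's own; the connector attribute Tomcat added for this is maxParameterCount.

```python
import itertools
from urllib.parse import unquote_plus


class WeakHashMap:
    """Chained hash table with a deliberately weak hash (sum of code points).

    It stands in for a string hash an attacker can precompute collisions for;
    `probes` counts key comparisons, i.e. the work a colliding request forces.
    """

    def __init__(self, buckets=64):
        self.buckets = [[] for _ in range(buckets)]
        self.probes = 0

    def _index(self, key):
        return sum(ord(c) for c in key) % len(self.buckets)

    def add(self, key, value):
        bucket = self.buckets[self._index(key)]
        for entry in bucket:
            self.probes += 1
            if entry[0] == key:
                entry[1].append(value)
                return
        bucket.append([key, [value]])

    def get(self, key):
        for entry in self.buckets[self._index(key)]:
            if entry[0] == key:
                return entry[1]
        return None


def parse_parameters(query, max_parameter_count):
    """Parse name=value pairs into a WeakHashMap.

    The count is checked before each pair is hashed and inserted, so the
    server never does the work for pairs beyond the limit. Returns
    (table, failed); failed marks a parse that was cut short.
    """
    table = WeakHashMap()
    count = 0
    for pair in query.split("&"):
        if pair == "":
            continue
        count += 1
        if count > max_parameter_count:
            return table, True
        name, _, value = pair.partition("=")
        table.add(unquote_plus(name), unquote_plus(value))
    return table, False


def failed_request_filter(query, max_parameter_count=1000):
    """Answer 400 for any request whose parameter parsing hit the limit, so a
    servlet never runs against a silently truncated parameter set."""
    _, failed = parse_parameters(query, max_parameter_count)
    return 400 if failed else 200


def demo_collision_cost(n_keys=2000):
    """Constructed attack: n_keys distinct names that all land in one bucket
    (every permutation of the same letters has the same code-point sum)."""
    colliding = ["".join(p) for p in itertools.islice(itertools.permutations("abcdefgh"), n_keys)]
    query = "&".join(name + "=x" for name in colliding)
    unbounded, failed_unbounded = parse_parameters(query, max_parameter_count=10**9)
    bounded, failed_bounded = parse_parameters(query, max_parameter_count=100)
    return {
        "unbounded_probes": unbounded.probes,   # n*(n-1)/2 comparisons
        "unbounded_failed": failed_unbounded,
        "bounded_probes": bounded.probes,       # capped at 100*99/2
        "bounded_failed": failed_bounded,
    }


if __name__ == "__main__":
    print(demo_collision_cost())
```

The order of operations is the whole point: a limit applied after the map is built still pays the quadratic cost, so the counter has to sit in the parsing loop ahead of the hash insert, and the filter then turns the truncated parse into a hard 400 instead of letting application code see a partial parameter set.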
Superseded in precise-release on 2012-02-13
tomcat6 (6.0.35-1) unstable; urgency=low

  [ Miguel Landaeta ]
  * New upstream release.
  * Add myself to Uploaders.
  * Remove 0013-CVE-2011-3190.patch since it was included upstream.
  * Add mh_clean call in clean target.
  * Fix error in debian/rules that caused tomcat to report no version.
    Thanks to Jorge Barreiro for the patch. (Closes: #650656).

  [ tony mancill ]
  * Update Vcs-* fields in debian/control for switch to git.
  * Update to run with openjdk-7 and openjdk-6 when default-jdk is
    not present. (Closes: #651448)
  * Allow java?-runtime-headless to satisfy Depends.
  * Add myself to Uploaders.
 -- Ubuntu Archive Auto-Sync <email address hidden>   Mon,  26 Dec 2011 17:52:51 +0000
Superseded in precise-release on 2011-12-26
tomcat6 (6.0.33-1) unstable; urgency=low

  * Team upload.
  * New upstream release.  
  * Remove the following patches (included upstream):
    - 0011-623242.patch
    - 0012-CVE-2011-2204.patch
    - 0015-CVE-2011-2526.patch
    - 0014-CVE-2011-1184.patch
  * Add patch for multi-instance startup.  CATALINA_HOME no longer
    depends on the instance $NAME.  JVM_TMP is now $NAME-specific.
    - Thank you to Julien Wajsberg. (Closes: #644365)
  * Add dependency on JRE to tomcat6-common (Closes: #644340)
  * Modify init script to look for JVM in /usr/lib/jvm/default-java

 -- tony mancill <email address hidden>  Mon, 28 Nov 2011 21:28:52 -0800
Superseded in precise-release on 2011-12-22
tomcat6 (6.0.32-6ubuntu1) precise; urgency=low

  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0014-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0015-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
 -- Marc Deslauriers <email address hidden>   Tue, 08 Nov 2011 07:55:32 -0500
Superseded in oneiric-updates on 2012-02-13
Superseded in oneiric-security on 2012-02-13
tomcat6 (6.0.32-5ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0014-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0015-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
 -- Marc Deslauriers <email address hidden>   Thu, 13 Oct 2011 16:41:43 -0400
Superseded in natty-updates on 2012-02-13
Superseded in natty-security on 2012-02-13
tomcat6 (6.0.28-10ubuntu2.2) natty-security; urgency=low

  * SECURITY UPDATE: information disclosure via log file
    - debian/patches/0015-CVE-2011-2204.patch: fix logging in
      java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
      java/org/apache/catalina/users/MemoryUserDatabase.java,
      java/org/apache/catalina/users/MemoryUser.java.
    - CVE-2011-2204
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
  * SECURITY UPDATE: AJP request spoofing and authentication bypass
    (LP: #843701)
    - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
      bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java.
    - CVE-2011-3190
  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184
 -- Marc Deslauriers <email address hidden>   Mon, 26 Sep 2011 11:27:14 -0400
Superseded in lucid-updates on 2012-02-13
Superseded in lucid-security on 2012-02-13
tomcat6 (6.0.24-2ubuntu1.9) lucid-security; urgency=low

  * SECURITY UPDATE: information disclosure via log file
    - debian/patches/0015-CVE-2011-2204.patch: fix logging in
      java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
      java/org/apache/catalina/users/MemoryUserDatabase.java,
      java/org/apache/catalina/users/MemoryUser.java.
    - CVE-2011-2204
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
  * SECURITY UPDATE: AJP request spoofing and authentication bypass
    (LP: #843701)
    - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
      bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java.
    - CVE-2011-3190
  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184
 -- Marc Deslauriers <email address hidden>   Mon, 26 Sep 2011 11:53:28 -0400
Superseded in maverick-updates on 2012-02-13
Superseded in maverick-security on 2012-02-13
tomcat6 (6.0.28-2ubuntu1.5) maverick-security; urgency=low

  * SECURITY UPDATE: information disclosure via log file
    - debian/patches/0015-CVE-2011-2204.patch: fix logging in
      java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
      java/org/apache/catalina/users/MemoryUserDatabase.java,
      java/org/apache/catalina/users/MemoryUser.java.
    - CVE-2011-2204
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
  * SECURITY UPDATE: AJP request spoofing and authentication bypass
    (LP: #843701)
    - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
      bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java.
    - CVE-2011-3190
  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184
  * This package does _not_ contain the changes that were in
    6.0.28-2ubuntu1.3 in -proposed.
 -- Marc Deslauriers <email address hidden>   Mon, 26 Sep 2011 11:48:20 -0400
Superseded in precise-release on 2011-11-08
tomcat6 (6.0.32-6) unstable; urgency=medium

  [ tony mancill ]
  * Team upload.
  * Update Korean debconf translation.  (Closes: #630950, #631482)
    Thanks to si-cheol Ko.
  * Add Dutch debconf translation.  (Closes: #637507)
    Thanks to Jeroen Schot.

  [ Niels Thykier ]
  * Removed myself from uploaders.

  [ James Page ]
  * Added patch for CVE-2011-3190 (LP: #843701). 

 -- tony mancill <email address hidden>  Sat, 17 Sep 2011 09:48:42 -0700
Superseded in precise-release on 2011-10-15
Obsolete in oneiric-release on 2015-04-24
tomcat6 (6.0.32-5ubuntu1) oneiric; urgency=low

  * Added patch for CVE-2011-3190 (LP: #843701).
 -- James Page <email address hidden>   Thu, 08 Sep 2011 14:45:34 +0100
Superseded in oneiric-release on 2011-09-15
tomcat6 (6.0.32-5) unstable; urgency=low

  * Team upload.
  * Add Catalan debconf translation ca.po (Closes: #630073).
  * Correct Suggests for libtcnative-1 (tomcat-native) (Closes: #631919)
  * Add patch for CVE-2011-2204 (Closes: #632882)
 -- James Page <email address hidden>   Mon,  11 Jul 2011 11:21:44 +0000
Superseded in oneiric-release on 2011-07-11
tomcat6 (6.0.32-4) unstable; urgency=low

  * Team upload.
  * Add Italian debconf translation.
    Thanks to Dario Santamaria (Closes: #624376)
  * Add logrotate for catalina.out (Closes: #607050)
  * Bump standards version to 3.9.2 (no changes needed).
 -- Ubuntu Archive Auto-Sync <email address hidden>   Thu,  09 Jun 2011 09:37:34 +0000
Superseded in oneiric-release on 2011-06-09
tomcat6 (6.0.32-3) unstable; urgency=low

  * Team upload.
  * Include upstream patch for ASF Bugzilla - Bug 50700
    (Context parameters are being overridden with parameters from the 
     web application deployment descriptor) (Closes: #623242)
Deleted in maverick-proposed on 2011-11-10 (Reason: moved to -updates)
tomcat6 (6.0.28-2ubuntu1.3) maverick-proposed; urgency=low

  * Fix update failures when JAVA_OPTS contains / (LP: #654549)
    - debian/tomcat6.postinst: amended sed calls to use % instead of / when
      generating /etc/default/tomcat6.
 -- James Page <email address hidden>   Fri, 15 Apr 2011 12:30:47 +0100
Superseded in maverick-updates on 2011-11-08
Superseded in maverick-security on 2011-11-08
tomcat6 (6.0.28-2ubuntu1.2) maverick-security; urgency=low

  * SECURITY UPDATE: directory traversal via incorrect ServletContext
    attribute (LP: #717396)
    - debian/patches/0012-CVE-2010-3718.patch: mark as read only in
      java/org/apache/catalina/core/StandardContext.java.
    - CVE-2010-3718
  * SECURITY UPDATE: cross-site scripting in HTML Manager interface
    - debian/patches/0013-CVE-2011-0013.patch: properly filter values in
      java/org/apache/catalina/manager/{HTMLManagerServlet.java,
      StatusTransformer.java}.
    - CVE-2011-0013
  * SECURITY UPDATE: denial of service via NIO HTTP connector
    (LP: #714239, LP: #717396)
    - debian/patches/0014-CVE-2011-0534.patch: enforce proper size in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2011-0534
 -- Marc Deslauriers <email address hidden>   Thu, 24 Mar 2011 10:10:09 -0400
Superseded in lucid-updates on 2011-11-08
Superseded in lucid-security on 2011-11-08
tomcat6 (6.0.24-2ubuntu1.7) lucid-security; urgency=low

  * SECURITY UPDATE: directory traversal via incorrect ServletContext
    attribute (LP: #717396)
    - debian/patches/0012-CVE-2010-3718.patch: mark as read only in
      java/org/apache/catalina/core/StandardContext.java.
    - CVE-2010-3718
  * SECURITY UPDATE: cross-site scripting in HTML Manager interface
    - debian/patches/0013-CVE-2011-0013.patch: properly filter values in
      java/org/apache/catalina/manager/{HTMLManagerServlet.java,
      StatusTransformer.java}.
    - CVE-2011-0013
  * SECURITY UPDATE: denial of service via NIO HTTP connector
    (LP: #714239, LP: #717396)
    - debian/patches/0014-CVE-2011-0534.patch: enforce proper size in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2011-0534
 -- Marc Deslauriers <email address hidden>   Thu, 24 Mar 2011 11:08:39 -0400
Obsolete in karmic-updates on 2013-03-04
Obsolete in karmic-security on 2013-03-04
tomcat6 (6.0.20-2ubuntu2.4) karmic-security; urgency=low

  * SECURITY UPDATE: directory traversal via incorrect ServletContext
    attribute (LP: #717396)
    - debian/patches/0012-CVE-2010-3718.patch: mark as read only in
      java/org/apache/catalina/core/StandardContext.java.
    - CVE-2010-3718
  * SECURITY UPDATE: cross-site scripting in HTML Manager interface
    - debian/patches/0013-CVE-2011-0013.patch: properly filter values in
      java/org/apache/catalina/manager/{HTMLManagerServlet.java,
      StatusTransformer.java}.
    - CVE-2011-0013
  * SECURITY UPDATE: denial of service via NIO HTTP connector
    (LP: #714239, LP: #717396)
    - debian/patches/0014-CVE-2011-0534.patch: enforce proper size in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2011-0534
 -- Marc Deslauriers <email address hidden>   Thu, 24 Mar 2011 13:58:06 -0400
Superseded in oneiric-release on 2011-05-04
Obsolete in natty-release on 2013-06-04
tomcat6 (6.0.28-10ubuntu2) natty; urgency=low

  * debian/tomcat6-instance-create: Eclipse can now be configured to use a
    user instance of tomcat6 using tomcat6-instance-create without any
    additional work. tomcat6-instance-create will set up all the necessary
    symlinks to make Eclipse work.
    (Closes: #551091) (LP: #297675)
 -- Abhinav Upadhyay <email address hidden>   Fri, 11 Mar 2011 13:55:28 +0530
Superseded in natty-release on 2011-03-16
tomcat6 (6.0.28-10ubuntu1) natty; urgency=low

  [ Abhinav Upadhyay ]
  * tomcat6-instance-create should accept -1 as the value of -c option
    as per http://tomcat.apache.org/tomcat-6.0-doc/config/server.html
    (LP: #707405)

  [ Dave Walker (Daviey) ]
  * debian/control: Updated Maintainer as per policy.
 -- Abhinav Upadhyay <email address hidden>   Mon, 07 Mar 2011 13:38:05 +0530
Superseded in natty-release on 2011-03-09
tomcat6 (6.0.28-10) unstable; urgency=medium

  * Team upload.
  * Add Portuguese/Brazilian debconf translation.
    Thanks to José de Figueiredo (Closes: #608527)
  * Add patches for CVE-2011-0534, CVE-2010-3718, CVE-2011-0013 
    (Closes: #612257)
 -- Jamie Strandboge <email address hidden>   Fri,  11 Feb 2011 20:51:04 +0000
Superseded in karmic-updates on 2011-03-29
Superseded in karmic-security on 2011-03-29
tomcat6 (6.0.20-2ubuntu2.3) karmic-security; urgency=low

  * SECURITY UPDATE: cross-site scripting in Manager application
    - debian/patches/0011-CVE-2010-4172.patch: add proper escaping to
      java/org/apache/catalina/manager/JspHelper.java,
      webapps/manager/{sessionDetail,sessionsList}.jsp.
    - patch backported from Debian 6.0.28-9 package
    - CVE-2010-4172
 -- Marc Deslauriers <email address hidden>   Thu, 13 Jan 2011 15:52:00 -0600
Superseded in lucid-updates on 2011-03-29
Superseded in lucid-security on 2011-03-29
tomcat6 (6.0.24-2ubuntu1.6) lucid-security; urgency=low

  * SECURITY UPDATE: cross-site scripting in Manager application
    - debian/patches/0011-CVE-2010-4172.patch: add proper escaping to
      java/org/apache/catalina/manager/JspHelper.java,
      webapps/manager/{sessionDetail,sessionsList}.jsp.
    - patch backported from Debian 6.0.28-9 package
    - CVE-2010-4172
 -- Marc Deslauriers <email address hidden>   Thu, 13 Jan 2011 15:32:24 -0600
Superseded in maverick-updates on 2011-03-29
Superseded in maverick-security on 2011-03-29
tomcat6 (6.0.28-2ubuntu1.1) maverick-security; urgency=low

  * SECURITY UPDATE: cross-site scripting in Manager application
    - debian/patches/0011-CVE-2010-4172.patch: add proper escaping to
      java/org/apache/catalina/manager/JspHelper.java,
      webapps/manager/WEB-INF/jsp/{sessionDetail,sessionsList}.jsp.
    - patch from Debian 6.0.28-9 package
    - CVE-2010-4172
 -- Marc Deslauriers <email address hidden>   Thu, 13 Jan 2011 15:16:35 -0600
Superseded in natty-release on 2011-02-11
tomcat6 (6.0.28-9) unstable; urgency=medium

  * Team upload.
  * Update URL for manager application in README.Debian 
    Thanks to Ernesto Ongaro (Closes: #606170)
  * Add patch for CVE-2010-4172. (Closes: #606388)
 -- Ubuntu Archive Auto-Sync <email address hidden>   Fri,  10 Dec 2010 16:44:11 +0000
Superseded in natty-release on 2010-12-10
tomcat6 (6.0.28-8) unstable; urgency=low

  * Team upload.

  [ Thierry Carrez (ttx) ]
  * Do not fail to purge if /etc/tomcat6 was manually removed (LP: #648619)
  * Add missing -p option in start-stop-daemon when starting tomcat6 to avoid
    failing to start due to /bin/bash running (LP: #632554)
  * Fix build failure (missing TraXLiaison class) by adding ant-nodeps
    to the classpath.

  [ tony mancill ]
  * Use debconf to determine tomcat6 user and group to delete upon purge.
    Thanks to Misha Koshelev.  (Closes: #599458)
  * Add tomcat-native to Suggests: for tomcat6 binary package. 
    Thanks to Eddy Petrisor  (Closes: #600590)
  * Add Danish debconf template translation.
    Thanks to Joe Dalton (Closes: #605070)
  * Actually add the Czech debconf template translation. 
    Thanks this time to Christian PERRIER (Closes: #597863)
 -- Thierry Carrez <email address hidden>   Wed,  08 Dec 2010 21:32:52 +0000
Superseded in lucid-updates on 2011-01-24
Deleted in lucid-proposed on 2011-01-25 (Reason: moved to -updates)
tomcat6 (6.0.24-2ubuntu1.5) lucid-proposed; urgency=low

  * debian/tomcat6.init: Add missing -p option in start-stop-daemon when
    starting tomcat6 to avoid failing to start due to /bin/bash running
    (LP: #632554)
 -- Michael Jeanson <email address hidden>   Wed, 08 Dec 2010 11:51:33 -0500
Superseded in natty-release on 2010-12-08
tomcat6 (6.0.28-7ubuntu4) natty; urgency=low

  * debian/control: Reapply ant1.7-optional to ant-optional change, was
    accidentally reverted in last upload.
 -- Thierry Carrez (ttx) <email address hidden>   Tue, 23 Nov 2010 17:02:19 +0100
Superseded in natty-release on 2010-11-23
tomcat6 (6.0.28-7ubuntu3) natty; urgency=low

  * debian/tomcat6.init: Add missing -p option in start-stop-daemon when
    starting tomcat6 to avoid failing to start due to /bin/bash running
    (LP: #632554)
 -- Thierry Carrez (ttx) <email address hidden>   Tue, 23 Nov 2010 16:35:40 +0100
Superseded in natty-release on 2010-11-23
tomcat6 (6.0.28-7ubuntu2) natty; urgency=low

  * Build-depend on ant/ant-optional (1.8.1)
  * Amended debian/rules, fix xslt processing in ant 1.8.1 to
    fix FTBFS (LP: #662588)
 -- James Page <email address hidden>   Mon, 08 Nov 2010 13:19:04 +0000
Superseded in natty-release on 2010-11-09
tomcat6 (6.0.28-7ubuntu1) natty; urgency=low

  * Build-depend on ant1.7 / ant1.7-optional to fix FTBFS (LP: #662588)
 -- Thierry Carrez (ttx) <email address hidden>   Wed, 20 Oct 2010 15:15:33 +0200
Superseded in natty-release on 2010-10-21
tomcat6 (6.0.28-7) unstable; urgency=low

  * Team upload.
  * Add Czech debconf template translation.
    Thanks to Michal Simunek. (Closes: #597863) 
  * Add Spanish debconf template translation.
    Thanks to Javier Fernández-Sanguino (Closes: #599230)
  * Modify postinst to handle JAVA_OPTS strings containing the '/' 
    character.  This was causing upgrade failures for users.
    (Closes: #597814)
Superseded in lucid-updates on 2010-12-18
Deleted in lucid-proposed on 2010-12-19 (Reason: moved to -updates)
tomcat6 (6.0.24-2ubuntu1.4) lucid-proposed; urgency=low

  * Check for group existence to avoid postinst failure (LP: #611721)
 -- Thierry Carrez (ttx) <email address hidden>   Thu, 07 Oct 2010 14:06:00 +0100
Superseded in natty-release on 2010-10-15
Obsolete in maverick-release on 2013-03-05
tomcat6 (6.0.28-2ubuntu1) maverick; urgency=low

  * Check for group existence to avoid postinst failure (LP: #611721)
 -- Thierry Carrez (ttx) <email address hidden>   Wed, 25 Aug 2010 09:07:03 +0200
Obsolete in jaunty-updates on 2013-02-28
Obsolete in jaunty-security on 2013-02-28
tomcat6 (6.0.18-0ubuntu6.3) jaunty-security; urgency=low

  * SECURITY UPDATE: denial of service and possible information disclosure
    via crafted header
    - debian/patches/CVE-2010-2227.patch: fix filter logic in
      java/org/apache/coyote/http11/{Http11AprProcessor,Http11NioProcessor,
      Http11Processor,filters/BufferedInputFilter}.java.
    - CVE-2010-2227
 -- Marc Deslauriers <email address hidden>   Thu, 19 Aug 2010 11:04:50 -0400
Superseded in karmic-updates on 2011-01-24
Superseded in karmic-security on 2011-01-24
tomcat6 (6.0.20-2ubuntu2.2) karmic-security; urgency=low

  * SECURITY UPDATE: denial of service and possible information disclosure
    via crafted header
    - debian/patches/CVE-2010-2227.patch: fix filter logic in
      java/org/apache/coyote/http11/{Http11AprProcessor,Http11NioProcessor,
      Http11Processor,filters/BufferedInputFilter}.java.
    - CVE-2010-2227
 -- Marc Deslauriers <email address hidden>   Thu, 19 Aug 2010 11:02:58 -0400
Superseded in lucid-updates on 2010-10-18
Superseded in lucid-security on 2011-01-24
tomcat6 (6.0.24-2ubuntu1.3) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service and possible information disclosure
    via crafted header
    - debian/patches/CVE-2010-2227.patch: fix filter logic in
      java/org/apache/coyote/http11/{Http11AprProcessor,Http11NioProcessor,
      Http11Processor,filters/BufferedInputFilter}.java.
    - CVE-2010-2227
 -- Marc Deslauriers <email address hidden>   Thu, 19 Aug 2010 10:07:22 -0400
Superseded in maverick-release on 2010-08-25
tomcat6 (6.0.28-2) unstable; urgency=low

  * Add debconf questions for user, group and Java options.
  * Use ucf to install /etc/default/tomcat6 from a template
  * Drop CATALINA_BASE and CATALINA_HOME from /etc/default/tomcat6 since we
    shouldn't encourage users to change those anyway
Superseded in maverick-release on 2010-08-02
tomcat6 (6.0.26-5) unstable; urgency=medium

  * Convert patches to dep3 format.
  * Backport security fix from trunk to fix CVE-2010-1157. (Closes: #587447)
  * Set urgency to medium due to the security fix.
Superseded in lucid-updates on 2010-08-25
Deleted in lucid-proposed on 2010-08-26 (Reason: moved to -updates)
tomcat6 (6.0.24-2ubuntu1.2) lucid-proposed; urgency=low

  * Fix issues preventing Tomcat6 from running with a security manager:
    - debian/tomcat6.init: Remove duplicate securitymanager options.
    - debian/patches/catalina-sh-security-manager.patch: Use the right
      location for the security.policy file in catalina.sh.
    - Closes LP: #591802. Thanks to Jeff Turner for the original
      patches and to Adam Guthrie for the Lucid debdiff.
 -- Thierry Carrez <email address hidden>   Mon, 05 Jul 2010 14:54:47 +0200
Superseded in maverick-release on 2010-07-13
tomcat6 (6.0.26-3) unstable; urgency=low

  [ Marcus Better ]
  * Apply upstream fix for deadlock in WebappClassLoader. (Closes: #583896)

  [ Thierry Carrez ]
  * debian/tomcat6.{install,postinst}: Do not store the default root webapp
    in /usr/share/tomcat6/webapps as it increases confusion on what this
    directory contains (and its relation with /var/lib/tomcat6/webapps).
    Store it inside /usr/share/tomcat6-root instead (LP: #575303).
 -- Ubuntu Archive Auto-Sync <email address hidden>   Tue,  15 Jun 2010 10:11:17 +0100
Superseded in maverick-release on 2010-06-15
tomcat6 (6.0.26-2) unstable; urgency=low

  * debian/tomcat6.{postinst,prerm}: Respect TOMCAT6_USER and TOMCAT6_GROUP
    as defined in /etc/default/tomcat6 when setting directory permissions and
    authbind configuration (Closes: #581018, LP: #557300)
  * debian/tomcat6.postinst: Use group "tomcat6" instead of "adm" for
    permissions in /var/lib/tomcat6, so that group "adm" doesn't get write
    permissions over /var/lib/tomcat6/webapps (LP: #569118)