Change log for “tomcat6” package in Ubuntu

Published in lucid-updates on 2014-03-06
Published in lucid-security on 2014-03-06
tomcat6 (6.0.24-2ubuntu1.15) lucid-security; urgency=medium

  * SECURITY UPDATE: request smuggling attack via content-length headers
    - debian/patches/CVE-2013-4286.patch: handle multiple content lengths
      in java/org/apache/coyote/ajp/AbstractAjpProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java, handle content length
      and chunked encoding being both specified in
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/coyote/http11/Http11Processor.java.
    - CVE-2013-4286
  * SECURITY UPDATE: denial of service via chunked transfer coding
    - debian/patches/CVE-2013-4322.patch: limit length of extension data in
      java/org/apache/coyote/Constants.java,
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      webapps/docs/config/systemprops.xml.
    - CVE-2013-4322
 -- Marc Deslauriers <email address hidden>   Wed, 05 Mar 2014 14:53:54 -0500
Published in precise-updates on 2014-03-06
Published in precise-security on 2014-03-06
tomcat6 (6.0.35-1ubuntu3.4) precise-security; urgency=medium

  * SECURITY UPDATE: request smuggling attack via content-length headers
    - debian/patches/CVE-2013-4286.patch: handle multiple content lengths
      in java/org/apache/coyote/ajp/AbstractAjpProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java, handle content length
      and chunked encoding being both specified in
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/coyote/http11/Http11Processor.java.
    - CVE-2013-4286
  * SECURITY UPDATE: denial of service via chunked transfer coding
    - debian/patches/CVE-2013-4322.patch: limit length of extension data in
      java/org/apache/coyote/Constants.java,
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      webapps/docs/config/systemprops.xml.
    - CVE-2013-4322
  * SECURITY UPDATE: session fixation attack via crafted URL
    - debian/patches/CVE-2014-0033.patch: properly handle
      disableURLRewriting in
      java/org/apache/catalina/connector/CoyoteAdapter.java.
    - CVE-2014-0033
 -- Marc Deslauriers <email address hidden>   Tue, 04 Mar 2014 11:14:51 -0500
Published in trusty-release on 2014-02-24
Deleted in trusty-proposed (Reason: moved to release)
tomcat6 (6.0.39-1) unstable; urgency=medium


  * Team upload.
  * New upstream release.
    - Refreshed the patches
  * Standards-Version updated to 3.9.5 (no changes)
  * Switch to debhelper level 9
  * Use XZ compression for the upstream tarball
  * Use canonical URL for the Vcs-Git field

 -- Emmanuel Bourg <email address hidden>  Mon, 17 Feb 2014 00:02:00 +0100

Superseded in trusty-release on 2014-02-24
Published in saucy-release on 2013-08-04
Deleted in saucy-proposed (Reason: moved to release)
tomcat6 (6.0.37-1) unstable; urgency=low


  * New upstream release.
    - Drop patches for CVE-2012-4534, CVE-2012-4431, CVE-2012-3546,
      CVE-2012-2733, CVE-2012-3439
    - Drop 0011-CVE-02012-0022-regression-fix.patch
    - Drop 0017-eclipse-compiler-update.patch
  * Freshened remaining patches.

 -- tony mancill <email address hidden>  Sat, 03 Aug 2013 21:50:20 -0700

Published in quantal-updates on 2013-05-29
Published in quantal-security on 2013-05-29
tomcat6 (6.0.35-5ubuntu0.1) quantal-security; urgency=low

  [ Christian Kuersteiner ]
  * SECURITY UPDATE: denial of service via large header data
    - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2012-2733
    - LP: #1166649
  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534

  [ Jamie Strandboge ]
  * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
    - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
      authenticated user in the session by default, track server rather
      than client nonces, better handling of stale nonce values in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java.
      Patch from Marc Deslauriers.
    - CVE-2012-3439
    - CVE-2012-5885
    - CVE-2012-5886
    - CVE-2012-5887
  * SECURITY UPDATE: denial of service via chunked transfer encoding
    - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
      Patch from Marc Deslauriers.
    - CVE-2012-3544
  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID
      in java/org/apache/catalina/authenticator/FormAuthenticator.java.
      Patch from Marc Deslauriers.
    - CVE-2013-2067
 -- Jamie Strandboge <email address hidden>   Tue, 28 May 2013 15:11:06 -0500
Superseded in precise-updates on 2014-03-06
Superseded in precise-security on 2014-03-06
tomcat6 (6.0.35-1ubuntu3.3) precise-security; urgency=low

  * SECURITY UPDATE: denial of service via chunked transfer encoding
    - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2012-3544
  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID
      in java/org/apache/catalina/authenticator/FormAuthenticator.java.
    - CVE-2013-2067
 -- Marc Deslauriers <email address hidden>   Tue, 21 May 2013 09:39:22 -0400
Superseded in lucid-updates on 2014-03-06
Superseded in lucid-security on 2014-03-06
tomcat6 (6.0.24-2ubuntu1.13) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service via chunked transfer encoding
    - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2012-3544
  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID
      in java/org/apache/catalina/authenticator/FormAuthenticator.java.
    - CVE-2013-2067
 -- Marc Deslauriers <email address hidden>   Tue, 21 May 2013 10:03:26 -0400
Superseded in precise-updates on 2013-05-28
Superseded in precise-security on 2013-05-28
tomcat6 (6.0.35-1ubuntu3.2) precise-security; urgency=low

  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534
 -- Marc Deslauriers <email address hidden>   Thu, 10 Jan 2013 09:51:09 -0500
Published in oneiric-updates on 2013-01-14
Published in oneiric-security on 2013-01-14
tomcat6 (6.0.32-5ubuntu1.4) oneiric-security; urgency=low

  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534
 -- Marc Deslauriers <email address hidden>   Thu, 10 Jan 2013 10:00:07 -0500
Superseded in lucid-updates on 2013-05-28
Superseded in lucid-security on 2013-05-28
tomcat6 (6.0.24-2ubuntu1.12) lucid-security; urgency=low

  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534
 -- Marc Deslauriers <email address hidden>   Thu, 10 Jan 2013 10:03:38 -0500
Superseded in saucy-release on 2013-08-04
Published in raring-release on 2012-12-08
Deleted in raring-proposed (Reason: moved to release)
tomcat6 (6.0.35-6) unstable; urgency=high


  * Acknowledge NMU: 6.0.35-5+nmu1 (Closes: #692440)
    - Thank you to Michael Gilbert.
  * Add patches for the following security issues: (Closes: #695250)
    - CVE-2012-4534, CVE-2012-4431, CVE-2012-3546

 -- tony mancill <email address hidden>  Thu, 06 Dec 2012 21:10:11 -0800

Superseded in precise-updates on 2013-01-14
Superseded in precise-security on 2013-01-14
tomcat6 (6.0.35-1ubuntu3.1) precise-security; urgency=low

  * SECURITY UPDATE: denial of service via large header data
    - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2012-2733
  * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
    - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
      authenticated user in the session by default, track server rather
      than client nonces, better handling of stale nonce values in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java.
    - CVE-2012-3439
    - CVE-2012-5885
    - CVE-2012-5886
    - CVE-2012-5887
 -- Marc Deslauriers <email address hidden>   Wed, 21 Nov 2012 10:36:18 -0500
Superseded in lucid-updates on 2013-01-14
Superseded in lucid-security on 2013-01-14
tomcat6 (6.0.24-2ubuntu1.11) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service via large header data
    - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2012-2733
  * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
    - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
      authenticated user in the session by default, track server rather
      than client nonces, better handling of stale nonce values in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java.
    - CVE-2012-3439
    - CVE-2012-5885
    - CVE-2012-5886
    - CVE-2012-5887
 -- Marc Deslauriers <email address hidden>   Wed, 21 Nov 2012 10:44:41 -0500
Superseded in oneiric-updates on 2013-01-14
Superseded in oneiric-security on 2013-01-14
tomcat6 (6.0.32-5ubuntu1.3) oneiric-security; urgency=low

  * SECURITY UPDATE: denial of service via large header data
    - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2012-2733
  * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
    - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
      authenticated user in the session by default, track server rather
      than client nonces, better handling of stale nonce values in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java.
    - CVE-2012-3439
    - CVE-2012-5885
    - CVE-2012-5886
    - CVE-2012-5887
 -- Marc Deslauriers <email address hidden>   Wed, 21 Nov 2012 10:43:09 -0500
Superseded in raring-release on 2012-12-08
Deleted in raring-proposed on 2012-12-09 (Reason: moved to release)
tomcat6 (6.0.35-5+nmu1) unstable; urgency=high


  * Non-maintainer upload.
  * Fix multiple security issues (closes: #692440)
    - cve-2012-2733: denial-of-service by triggering out of memory error.
    - cve-2012-3439: multiple replay attack issues in digest authentication. 

 -- Michael Gilbert <email address hidden>  Sat, 17 Nov 2012 23:15:03 +0000

Superseded in raring-release on 2012-11-18
Published in quantal-release on 2012-09-27
tomcat6 (6.0.35-5) unstable; urgency=low


  * Apply patch to README.Debian to explain setting the HTTPOnly flag
    in cookies by default; CVE-2010-4312. (Closes: #608286)
    - Thank you to Thijs Kinkhorst for the patch.
  * Use ucf and a template for /etc/logrotate.d/tomcat6 file to avoid
    updating the shipped conffile. (Closes: #687818)

 -- tony mancill <email address hidden>  Mon, 06 Aug 2012 21:29:11 -0700

Superseded in quantal-release on 2012-09-27
Superseded in quantal-release on 2012-07-19
tomcat6 (6.0.35-4) unstable; urgency=low


  [ tony mancill ]
  * Team upload.
  * Apply patch from James Page (Closes: #671373)
    - d/tomcat6-instance-create: Quote access to files and directories
      so that spaces can be used when creating user instances.
    - d/tomcat6.init: Make NAME dynamic, to allow starting multiple
      instances. (Closes: #299635)

  [ Miguel Landaeta ]
  * Add Slovak debconf translation (Closes: #677912).
    - Thanks to Ivan Masár.

 -- Miguel Landaeta <email address hidden>  Sun, 17 Jun 2012 18:57:50 -0430
Superseded in quantal-release on 2012-06-29
tomcat6 (6.0.35-3ubuntu2) quantal; urgency=low

  * No-change rebuild with openjdk-7 as default-jdk.
 -- James Page <email address hidden>   Fri, 18 May 2012 11:47:44 +0100

Superseded in quantal-release on 2012-05-18
tomcat6 (6.0.35-3ubuntu1) quantal; urgency=low

  * Merge from Debian Unstable, remaining changes:
    - d/tomcat6-instance-create: Quote access to files and directories
      so that spaces can be used when creating user instances.
    - d/tomcat6.init: Make NAME dynamic, to allow starting multiple instances.

Superseded in quantal-release on 2012-05-03
Published in precise-release on 2012-04-11
tomcat6 (6.0.35-1ubuntu3) precise; urgency=low

  * Handle creation of user instances with pathnames containing spaces
    (LP: #977498):
    - d/tomcat6-instance-create: Quote access to files and directories
      so that spaces can be used when creating user instances.
 -- James Page <email address hidden>   Wed, 11 Apr 2012 10:29:11 +0100
Superseded in precise-release on 2012-04-11
tomcat6 (6.0.35-1ubuntu2) precise; urgency=low

  * init: Make NAME dynamic, to allow starting multiple instances.
 -- Timo Aaltonen <email address hidden>   Fri, 16 Mar 2012 16:31:20 +0200

Superseded in precise-release on 2012-03-16
tomcat6 (6.0.35-1ubuntu1) precise; urgency=low

  * debian/patches/0011-CVE-2012-0022-regression-fix.patch: fix regression
    from the CVE-2012-0022 security fix that went into 6.0.35.
 -- Marc Deslauriers <email address hidden>   Mon, 13 Feb 2012 09:03:18 -0500

Superseded in lucid-updates on 2012-11-21
Superseded in lucid-security on 2012-11-21
Deleted in lucid-proposed on 2012-11-23 (Reason: moved to -updates)
tomcat6 (6.0.24-2ubuntu1.10) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022
 -- Marc Deslauriers <email address hidden>   Wed, 25 Jan 2012 14:35:46 -0500
Obsolete in maverick-updates on 2013-03-05
Obsolete in maverick-security on 2013-03-05
Deleted in maverick-proposed on 2013-03-05 (Reason: moved to -updates)
tomcat6 (6.0.28-2ubuntu1.6) maverick-security; urgency=low

  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022
 -- Marc Deslauriers <email address hidden>   Wed, 25 Jan 2012 14:09:00 -0500
Obsolete in natty-updates on 2013-06-04
Obsolete in natty-security on 2013-06-04
Deleted in natty-proposed on 2013-06-04 (Reason: moved to -updates)
tomcat6 (6.0.28-10ubuntu2.3) natty-security; urgency=low

  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022
 -- Marc Deslauriers <email address hidden>   Wed, 25 Jan 2012 13:42:23 -0500
Superseded in oneiric-updates on 2012-11-21
Superseded in oneiric-security on 2012-11-21
Deleted in oneiric-proposed on 2012-11-23 (Reason: moved to -updates)
tomcat6 (6.0.32-5ubuntu1.2) oneiric-security; urgency=low

  * SECURITY UPDATE: cross-request information leakage
    - debian/patches/0016-CVE-2011-3375.patch: ensure that the request and
      response objects are recycled after being re-populated in
      java/org/apache/catalina/connector/CoyoteAdapter.java,
      java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/coyote/http11/Http11Processor.java.
    - CVE-2011-3375
  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0017-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FilterBase.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/filter.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022
 -- Marc Deslauriers <email address hidden>   Wed, 25 Jan 2012 09:00:23 -0500
Superseded in precise-release on 2012-02-13
tomcat6 (6.0.35-1) unstable; urgency=low

  [ Miguel Landaeta ]
  * New upstream release.
  * Add myself to Uploaders.
  * Remove 0013-CVE-2011-3190.patch since it was included upstream.
  * Add mh_clean call in clean target.
  * Fix error in debian/rules that caused tomcat to report no version.
    Thanks to Jorge Barreiro for the patch. (Closes: #650656).

  [ tony mancill ]
  * Update Vcs-* fields in debian/control for switch to git.
  * Update to run with openjdk-7 and openjdk-6 when default-jdk is
    not present. (Closes: #651448)
  * Allow java?-runtime-headless to satisfy Depends.
  * Add myself to Uploaders.
 -- Ubuntu Archive Auto-Sync <email address hidden>   Mon,  26 Dec 2011 17:52:51 +0000

Superseded in precise-release on 2011-12-26
tomcat6 (6.0.33-1) unstable; urgency=low


  * Team upload.
  * New upstream release.  
  * Remove the following patches (included upstream):
    - 0011-623242.patch
    - 0012-CVE-2011-2204.patch
    - 0015-CVE-2011-2526.patch
    - 0014-CVE-2011-1184.patch
  * Add patch for multi-instance startup.  CATALINA_HOME no longer
    depends on the instance $NAME.  JVM_TMP is now $NAME-specific.
    - Thank you to Julien Wajsberg. (Closes: #644365)
  * Add dependency on JRE to tomcat6-common (Closes: #644340)
  * Modify init script to look for JVM in /usr/lib/jvm/default-java

 -- tony mancill <email address hidden>  Mon, 28 Nov 2011 21:28:52 -0800
Superseded in precise-release on 2011-12-22
tomcat6 (6.0.32-6ubuntu1) precise; urgency=low

  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0014-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0015-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
 -- Marc Deslauriers <email address hidden>   Tue, 08 Nov 2011 07:55:32 -0500
Superseded in oneiric-updates on 2012-02-13
Superseded in oneiric-security on 2012-02-13
tomcat6 (6.0.32-5ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0014-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0015-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
 -- Marc Deslauriers <email address hidden>   Thu, 13 Oct 2011 16:41:43 -0400
Superseded in natty-updates on 2012-02-13
Superseded in natty-security on 2012-02-13
tomcat6 (6.0.28-10ubuntu2.2) natty-security; urgency=low

  * SECURITY UPDATE: information disclosure via log file
    - debian/patches/0015-CVE-2011-2204.patch: fix logging in
      java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
      java/org/apache/catalina/users/MemoryUserDatabase.java,
      java/org/apache/catalina/users/MemoryUser.java.
    - CVE-2011-2204
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
  * SECURITY UPDATE: AJP request spoofing and authentication bypass
    (LP: #843701)
    - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
      bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java.
    - CVE-2011-3190
  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184
 -- Marc Deslauriers <email address hidden>   Mon, 26 Sep 2011 11:27:14 -0400
Superseded in lucid-updates on 2012-02-13
Superseded in lucid-security on 2012-02-13
tomcat6 (6.0.24-2ubuntu1.9) lucid-security; urgency=low

  * SECURITY UPDATE: information disclosure via log file
    - debian/patches/0015-CVE-2011-2204.patch: fix logging in
      java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
      java/org/apache/catalina/users/MemoryUserDatabase.java,
      java/org/apache/catalina/users/MemoryUser.java.
    - CVE-2011-2204
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
  * SECURITY UPDATE: AJP request spoofing and authentication bypass
    (LP: #843701)
    - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
      bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java.
    - CVE-2011-3190
  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184
 -- Marc Deslauriers <email address hidden>   Mon, 26 Sep 2011 11:53:28 -0400
Superseded in maverick-updates on 2012-02-13
Superseded in maverick-security on 2012-02-13
tomcat6 (6.0.28-2ubuntu1.5) maverick-security; urgency=low

  * SECURITY UPDATE: information disclosure via log file
    - debian/patches/0015-CVE-2011-2204.patch: fix logging in
      java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
      java/org/apache/catalina/users/MemoryUserDatabase.java,
      java/org/apache/catalina/users/MemoryUser.java.
    - CVE-2011-2204
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
  * SECURITY UPDATE: AJP request spoofing and authentication bypass
    (LP: #843701)
    - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
      bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java.
    - CVE-2011-3190
  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184
  * This package does _not_ contain the changes that were in
    6.0.28-2ubuntu1.3 in -proposed.
 -- Marc Deslauriers <email address hidden>   Mon, 26 Sep 2011 11:48:20 -0400
Superseded in precise-release on 2011-11-08
tomcat6 (6.0.32-6) unstable; urgency=medium


  [ tony mancill ]
  * Team upload.
  * Update Korean debconf translation.  (Closes: #630950, 631482)
    Thanks to si-cheol Ko.
  * Add Dutch debconf translation.  (Closes: #637507)
    Thanks to Jeroen Schot.

  [ Niels Thykier ]
  * Removed myself from uploaders.

  [ James Page ]
  * Added patch for CVE-2011-3190 (LP: #843701). 

 -- tony mancill <email address hidden>  Sat, 17 Sep 2011 09:48:42 -0700
Superseded in precise-release on 2011-10-15
Published in oneiric-release on 2011-09-15
tomcat6 (6.0.32-5ubuntu1) oneiric; urgency=low

  * Added patch for CVE-2011-3190 (LP: #843701).
 -- James Page <email address hidden>   Thu, 08 Sep 2011 14:45:34 +0100

Superseded in oneiric-release on 2011-09-15
tomcat6 (6.0.32-5) unstable; urgency=low

  * Team upload.
  * Add Catalan debconf translation ca.po (Closes: #630073).
  * Correct Suggests for libtcnative-1 (tomcat-native) (Closes: #631919)
  * Add patch for CVE-2011-2204 (Closes: #632882)
 -- James Page <email address hidden>   Mon,  11 Jul 2011 11:21:44 +0000

Superseded in oneiric-release on 2011-07-11
tomcat6 (6.0.32-4) unstable; urgency=low

  * Team upload.
  * Add Italian debconf translation.
    Thanks to Dario Santamaria (Closes: #624376)
  * Add logrotate for catalina.out (Closes: 607050)
  * Bump standards version to 3.9.2 (no changes needed).
 -- Ubuntu Archive Auto-Sync <email address hidden>   Thu,  09 Jun 2011 09:37:34 +0000

Superseded in oneiric-release on 2011-06-09
tomcat6 (6.0.32-3) unstable; urgency=low

  * Team upload.
  * Include upstream patch for ASF Bugzilla - Bug 50700
    (Context parameters are being overridden with parameters from the 
     web application deployment descriptor) (Closes: #623242)

Deleted in maverick-proposed on 2011-11-10 (Reason: moved to -updates)
tomcat6 (6.0.28-2ubuntu1.3) maverick-proposed; urgency=low

  * Fix update failures when JAVA_OPTS contains / (LP: #654549)
    - debian/tomcat6.postinst: amended sed calls to use % instead of / when
      generating /etc/default/tomcat6.
 -- James Page <email address hidden>   Fri, 15 Apr 2011 12:30:47 +0100
Superseded in maverick-updates on 2011-11-08
Superseded in maverick-security on 2011-11-08
tomcat6 (6.0.28-2ubuntu1.2) maverick-security; urgency=low

  * SECURITY UPDATE: directory traversal via incorrect ServletContext
    attribute (LP: #717396)
    - debian/patches/0012-CVE-2010-3718.patch: mark as read only in
      java/org/apache/catalina/core/StandardContext.java.
    - CVE-2010-3718
  * SECURITY UPDATE: cross-site scripting in HTML Manager interface
    - debian/patches/0013-CVE-2011-0013.patch: properly filter values in
      java/org/apache/catalina/manager/{HTMLManagerServlet.java,
      StatusTransformer.java}.
    - CVE-2011-0013
  * SECURITY UPDATE: denial of service via NIOS HTTP connector
    (LP: #714239, LP: #717396)
    - debian/patches/0014-CVE-2011-0534.patch: enforce proper size in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2011-0534
 -- Marc Deslauriers <email address hidden>   Thu, 24 Mar 2011 10:10:09 -0400
Superseded in lucid-updates on 2011-11-08
Superseded in lucid-security on 2011-11-08
tomcat6 (6.0.24-2ubuntu1.7) lucid-security; urgency=low

  * SECURITY UPDATE: directory traversal via incorrect ServletContext
    attribute (LP: #717396)
    - debian/patches/0012-CVE-2010-3718.patch: mark as read only in
      java/org/apache/catalina/core/StandardContext.java.
    - CVE-2010-3718
  * SECURITY UPDATE: cross-site scripting in HTML Manager interface
    - debian/patches/0013-CVE-2011-0013.patch: properly filter values in
      java/org/apache/catalina/manager/{HTMLManagerServlet.java,
      StatusTransformer.java}.
    - CVE-2011-0013
  * SECURITY UPDATE: denial of service via NIOS HTTP connector
    (LP: #714239, LP: #717396)
    - debian/patches/0014-CVE-2011-0534.patch: enforce proper size in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2011-0534
 -- Marc Deslauriers <email address hidden>   Thu, 24 Mar 2011 11:08:39 -0400
Obsolete in karmic-updates on 2013-03-04
Obsolete in karmic-security on 2013-03-04
tomcat6 (6.0.20-2ubuntu2.4) karmic-security; urgency=low

  * SECURITY UPDATE: directory traversal via incorrect ServletContext
    attribute (LP: #717396)
    - debian/patches/0012-CVE-2010-3718.patch: mark as read only in
      java/org/apache/catalina/core/StandardContext.java.
    - CVE-2010-3718
  * SECURITY UPDATE: cross-site scripting in HTML Manager interface
    - debian/patches/0013-CVE-2011-0013.patch: properly filter values in
      java/org/apache/catalina/manager/{HTMLManagerServlet.java,
      StatusTransformer.java}.
    - CVE-2011-0013
  * SECURITY UPDATE: denial of service via NIOS HTTP connector
    (LP: #714239, LP: #717396)
    - debian/patches/0014-CVE-2011-0534.patch: enforce proper size in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2011-0534
 -- Marc Deslauriers <email address hidden>   Thu, 24 Mar 2011 13:58:06 -0400
Superseded in oneiric-release on 2011-05-04
Obsolete in natty-release on 2013-06-04
tomcat6 (6.0.28-10ubuntu2) natty; urgency=low

  * debian/tomcat6-instance-create: Eclipse can now be configured to use a user instance
    of tomcat6 using tomcat6-instance-create without any additional work.
    tomcat6-instance-create will setup all the necessary symlinks to make eclipse work.
    (Closes: #551091) (LP: #297675)
 -- Abhinav Upadhyay <email address hidden>   Fri, 11 Mar 2011 13:55:28 +0530
Superseded in natty-release on 2011-03-16
tomcat6 (6.0.28-10ubuntu1) natty; urgency=low

  [ Abhinav Upadhyay ]
  * tomcat6-instance-create should accept -1 as the value of -c option
    as per http://tomcat.apache.org/tomcat-6.0-doc/config/server.html
    (LP: #707405)

  [ Dave Walker (Daviey) ]
  * debian/control: Updated Maintainer as per policy.
 -- Abhinav Upadhyay <email address hidden>   Mon, 07 Mar 2011 13:38:05 +0530

Superseded in natty-release on 2011-03-09
tomcat6 (6.0.28-10) unstable; urgency=medium

  * Team upload.
  * Add Portuguese/Brazilian debconf translation.
    Thanks to José de Figueiredo (Closes: #608527)
  * Add patches for CVE-2011-0534, CVE-2010-3718, CVE-2011-0013 
    (Closes: #612257)
 -- Jamie Strandboge <email address hidden>   Fri,  11 Feb 2011 20:51:04 +0000

Superseded in karmic-updates on 2011-03-29
Superseded in karmic-security on 2011-03-29
tomcat6 (6.0.20-2ubuntu2.3) karmic-security; urgency=low

  * SECURITY UPDATE: cross-site scripting in Manager application
    - debian/patches/0011-CVE-2010-4172.patch: add proper escaping to
      java/org/apache/catalina/manager/JspHelper.java,
      webapps/manager/{sessionDetail,sessionsList}.jsp.
    - patch backported from Debian 6.0.28-9 package
    - CVE-2010-4172
 -- Marc Deslauriers <email address hidden>   Thu, 13 Jan 2011 15:52:00 -0600
Superseded in lucid-updates on 2011-03-29
Superseded in lucid-security on 2011-03-29
tomcat6 (6.0.24-2ubuntu1.6) lucid-security; urgency=low

  * SECURITY UPDATE: cross-site scripting in Manager application
    - debian/patches/0011-CVE-2010-4172.patch: add proper escaping to
      java/org/apache/catalina/manager/JspHelper.java,
      webapps/manager/{sessionDetail,sessionsList}.jsp.
    - patch backported from Debian 6.0.28-9 package
    - CVE-2010-4172
 -- Marc Deslauriers <email address hidden>   Thu, 13 Jan 2011 15:32:24 -0600
Superseded in maverick-updates on 2011-03-29
Superseded in maverick-security on 2011-03-29
tomcat6 (6.0.28-2ubuntu1.1) maverick-security; urgency=low

  * SECURITY UPDATE: cross-site scripting in Manager application
    - debian/patches/0011-CVE-2010-4172.patch: add proper escaping to
      java/org/apache/catalina/manager/JspHelper.java,
      webapps/manager/WEB-INF/jsp/{sessionDetail,sessionsList}.jsp.
    - patch from Debian 6.0.28-9 package
    - CVE-2010-4172
 -- Marc Deslauriers <email address hidden>   Thu, 13 Jan 2011 15:16:35 -0600
Superseded in natty-release on 2011-02-11
tomcat6 (6.0.28-9) unstable; urgency=medium

  * Team upload.
  * Update URL for manager application in README.Debian 
    Thanks to Ernesto Ongaro (Closes: #606170)
  * Add patch for CVE-2010-4172. (Closes: #606388)
 -- Ubuntu Archive Auto-Sync <email address hidden>   Fri,  10 Dec 2010 16:44:11 +0000

Superseded in natty-release on 2010-12-10
tomcat6 (6.0.28-8) unstable; urgency=low

  * Team upload.

  [ Thierry Carrez (ttx) ]
  * Do not fail to purge if /etc/tomcat6 was manually removed (LP: #648619)
  * Add missing -p option in start-stop-daemon when starting tomcat6 to avoid
    failing to start due to /bin/bash running (LP: #632554)
  * Fix build failure (missing TraXLiaison class) by adding ant-nodeps
    to the classpath.

  [ tony mancill ]
  * Use debconf to determine tomcat6 user and group to delete upon purge.
    Thanks to Misha Koshelev.  (Closes: #599458)
  * Add tomcat-native to Suggests: for tomcat6 binary package. 
    Thanks to Eddy Petrisor  (Closes: #600590)
  * Add Danish debconf template translation.
    Thanks to Joe Dalton (Closes: #605070)
  * Actually add the Czech debconf template translation. 
    Thanks this time to Christian PERRIER (Closes: #597863)
 -- Thierry Carrez <email address hidden>   Wed,  08 Dec 2010 21:32:52 +0000

Superseded in lucid-updates on 2011-01-24
Deleted in lucid-proposed on 2011-01-25 (Reason: moved to -updates)
tomcat6 (6.0.24-2ubuntu1.5) lucid-proposed; urgency=low

  * debian/tomcat6.init: Add missing -p option in start-stop-daemon when
    starting tomcat6 to avoid failing to start due to /bin/bash running
    (LP: #632554)
 -- Michael Jeanson <email address hidden>   Wed, 08 Dec 2010 11:51:33 -0500
Superseded in natty-release on 2010-12-08
tomcat6 (6.0.28-7ubuntu4) natty; urgency=low

  * debian/control: Reapply ant1.7-optional to ant-optional change, was
    accidentally reverted in last upload.
 -- Thierry Carrez (ttx) <email address hidden>   Tue, 23 Nov 2010 17:02:19 +0100

Superseded in natty-release on 2010-11-23
tomcat6 (6.0.28-7ubuntu3) natty; urgency=low

  * debian/tomcat6.init: Add missing -p option in start-stop-daemon when
    starting tomcat6 to avoid failing to start due to /bin/bash running
    (LP: #632554)
 -- Thierry Carrez (ttx) <email address hidden>   Tue, 23 Nov 2010 16:35:40 +0100

Superseded in natty-release on 2010-11-23
tomcat6 (6.0.28-7ubuntu2) natty; urgency=low

  * Build-depend on ant/ant-optional (1.8.1)
  * Amended debian/rules, fix xslt processing in ant 1.8.1 to
    fix FTBFS (LP: #662588)
 -- James Page <email address hidden>   Mon, 08 Nov 2010 13:19:04 +0000

Superseded in natty-release on 2010-11-09
tomcat6 (6.0.28-7ubuntu1) natty; urgency=low

  * Build-depend on ant1.7 / ant1.7-optional to fix FTBFS (LP: #662588)
 -- Thierry Carrez (ttx) <email address hidden>   Wed, 20 Oct 2010 15:15:33 +0200

Superseded in natty-release on 2010-10-21
tomcat6 (6.0.28-7) unstable; urgency=low

  * Team upload.
  * Add Czech debconf template translation.
    Thanks to Michal Simunek. (Closes: #597863) 
  * Add Spanish debconf template translation.
    Thanks to Javier Fernández-Sanguino (Closes: #599230)
  * Modify postinst to handle JAVA_OPTS strings containing the '/' 
    character.  This was causing upgrade failures for users.
    (Closes: #597814)

Superseded in lucid-updates on 2010-12-18
Deleted in lucid-proposed on 2010-12-19 (Reason: moved to -updates)
tomcat6 (6.0.24-2ubuntu1.4) lucid-proposed; urgency=low

  * Check for group existence to avoid postinst failure (LP: #611721)
 -- Thierry Carrez (ttx) <email address hidden>   Thu, 07 Oct 2010 14:06:00 +0100
Superseded in natty-release on 2010-10-15
Obsolete in maverick-release on 2013-03-05
tomcat6 (6.0.28-2ubuntu1) maverick; urgency=low

  * Check for group existence to avoid postinst failure (LP: #611721)
 -- Thierry Carrez (ttx) <email address hidden>   Wed, 25 Aug 2010 09:07:03 +0200

Obsolete in jaunty-updates on 2013-02-28
Obsolete in jaunty-security on 2013-02-28
tomcat6 (6.0.18-0ubuntu6.3) jaunty-security; urgency=low

  * SECURITY UPDATE: denial of service and possible information disclosure
    via crafted header
    - debian/patches/CVE-2010-2227.patch: fix filter logic in
      java/org/apache/coyote/http11/{Http11AprProcessor,Http11NioProcessor,
      Http11Processor,filters/BufferedInputFilter}.java.
    - CVE-2010-2227
 -- Marc Deslauriers <email address hidden>   Thu, 19 Aug 2010 11:04:50 -0400
Superseded in karmic-updates on 2011-01-24
Superseded in karmic-security on 2011-01-24
tomcat6 (6.0.20-2ubuntu2.2) karmic-security; urgency=low

  * SECURITY UPDATE: denial of service and possible information disclosure
    via crafted header
    - debian/patches/CVE-2010-2227.patch: fix filter logic in
      java/org/apache/coyote/http11/{Http11AprProcessor,Http11NioProcessor,
      Http11Processor,filters/BufferedInputFilter}.java.
    - CVE-2010-2227
 -- Marc Deslauriers <email address hidden>   Thu, 19 Aug 2010 11:02:58 -0400
Superseded in lucid-updates on 2010-10-18
Superseded in lucid-security on 2011-01-24
tomcat6 (6.0.24-2ubuntu1.3) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service and possible information disclosure
    via crafted header
    - debian/patches/CVE-2010-2227.patch: fix filter logic in
      java/org/apache/coyote/http11/{Http11AprProcessor,Http11NioProcessor,
      Http11Processor,filters/BufferedInputFilter}.java.
    - CVE-2010-2227
 -- Marc Deslauriers <email address hidden>   Thu, 19 Aug 2010 10:07:22 -0400
Superseded in maverick-release on 2010-08-25
tomcat6 (6.0.28-2) unstable; urgency=low

  * Add debconf questions for user, group and Java options.
  * Use ucf to install /etc/default/tomcat6 from a template
  * Drop CATALINA_BASE and CATALINA_HOME from /etc/default/tomcat6 since we
    shouldn't encourage users to change those anyway

Superseded in maverick-release on 2010-08-02
tomcat6 (6.0.26-5) unstable; urgency=medium

  * Convert patches to dep3 format.
  * Backport security fix from trunk to fix CVE-2010-1157. (Closes: #587447)
  * Set urgency to medium due to the security fix.

Superseded in lucid-updates on 2010-08-25
Deleted in lucid-proposed on 2010-08-26 (Reason: moved to -updates)
tomcat6 (6.0.24-2ubuntu1.2) lucid-proposed; urgency=low

  * Fix issues preventing from running Tomcat6 with a security manager:
    - debian/tomcat6.init: Remove duplicate securitymanager options.
    - debian/patches/catalina-sh-security-manager.patch: Use the right
      location for the security.policy file in catalina.sh.
    - Closes LP: #591802. Thanks to Jeff Turner for the original
      patches and to Adam Guthrie for the Lucid debdiff.
 -- Thierry Carrez <email address hidden>   Mon, 05 Jul 2010 14:54:47 +0200
Superseded in maverick-release on 2010-07-13
tomcat6 (6.0.26-3) unstable; urgency=low

  [ Marcus Better ]
  * Apply upstream fix for deadlock in WebappClassLoader. (Closes: #583896)

  [ Thierry Carrez ]
  * debian/tomcat6.{install,postinst}: Do not store the default root webapp
    in /usr/share/tomcat6/webapps as it increases confusion on what this
    directory contains (and its relation with /var/lib/tomcat6/webapps).
    Store it inside /usr/share/tomcat6-root instead (LP: #575303).
 -- Ubuntu Archive Auto-Sync <email address hidden>   Tue,  15 Jun 2010 10:11:17 +0100

Superseded in maverick-release on 2010-06-15
tomcat6 (6.0.26-2) unstable; urgency=low

  * debian/tomcat6.{postinst,prerm}: Respect TOMCAT6_USER and TOMCAT6_GROUP
    as defined in /etc/default/tomcat6 when setting directory permissions and
    authbind configuration (Closes: #581018, LP: #557300)
  * debian/tomcat6.postinst: Use group "tomcat6" instead of "adm" for
    permissions in /var/lib/tomcat6, so that group "adm" doesn't get write
    permissions over /var/lib/tomcat6/webapps (LP: #569118)

Superseded in lucid-updates on 2010-07-14
Deleted in lucid-proposed on 2010-07-15 (Reason: moved to -updates)
tomcat6 (6.0.24-2ubuntu1.1) lucid-proposed; urgency=low

  * debian/patches/fix-jsp-regression.patch: Fix regression in JSP compilation
    that resulted in "Duplicate local variable" errors when using Struts 1.2
    or bean:define (LP: #563642)
  * debian/tomcat6.{postinst,prerm}: Respect TOMCAT6_USER and TOMCAT6_GROUP
    as defined in /etc/default/tomcat6 when setting directory permissions and
    authbind configuration (LP: #557300)
  * debian/tomcat6.postinst: Use group "tomcat6" instead of "adm" for
    permissions in /var/lib/tomcat6, so that group "adm" doesn't get write
    permissions over /var/lib/tomcat6/webapps (LP: #569118)
 -- Thierry Carrez <email address hidden>   Fri, 21 May 2010 10:11:35 +0200
Superseded in maverick-release on 2010-06-04
Published in lucid-release on 2010-03-31
tomcat6 (6.0.24-2ubuntu1) lucid; urgency=low

  [ Thierry Carrez ]
  * Uploading what 6.0.24-5 should be (upload is blocked in Debian due to
    current infrastructure issues), in order to meet Beta2Freeze.

  [ Niels Thykier ]
  * Added optimised garbage collection options to tomcat6's default options.
    Thanks to Aaron J. Zirbes and Thierry Carrez for research and the patch.
    (Closes: LP: #541520)
  * Updated the changelog to mention closed CVE's in the 6.0.24-1 release.
  * Applied patch from Arto Jantunen fixing an issue with cleaning up the
    pid-file. (Closes: #574084)

  [ Ludovic Claude ]
  * debian/tomcat6.postrm: fix removal of Tomcat (Closes: #567548)
  * Set UTF-8 as default character encoding - Patch by Thomas Koch
    (Closes: #573539)
  * Set the major, minor and build versions when calling Ant
    (Closes: LP: #495505)
  * Rebuild with a more recent version of maven-repo-helper which puts
    the javax jars at the correct location in the Maven repository.
    Fixes several FTBFS in other packages.
 -- Thierry Carrez <email address hidden>   Wed, 31 Mar 2010 10:47:51 +0200

Superseded in lucid-release on 2010-03-31
tomcat6 (6.0.24-2) unstable; urgency=low

  * Fix missing symlinks to tomcat-coyote.jar and
    catalina-tribes.jar causing NoClassDefFoundException
    at startup (last minute packaging change, sorry)
    (Closes: #570220)
  * tomcat6-admin, tomcat6-examples and tomcat6-docs now depend on
    tomcat6-common instead of tomcat6, this allows users to install
    those packages without requiring tomcat6 and its automatic startup scripts
    being present. tomcat-users can be installed instead and allow full
    control over when Tomcat is started or stopped.
 -- Thierry Carrez <email address hidden>   Mon,  22 Feb 2010 13:52:01 +0000

Superseded in lucid-release on 2010-02-22
tomcat6 (6.0.24-1) unstable; urgency=low

  [ Ludovic Claude ]
  * New upstream version
  * Update the POM files for the new version of Tomcat
  * Bump up Standards-Version to 3.8.4
  * Refresh patches deploy-webapps-build-xml.patch and var_loaders.patch
  * Remove patch fix_context_name.patch as it has been applied upstream
  * Fix the installation of servlet-api-2.5.jar: the jar
    goes to /usr/share/java as in older versions (6.0.20-2)
    and links to the jar are added to /usr/share/maven-repo
  * Moved NEWS.Debian into README.Debian
  * Add a link from /usr/share/doc/tomcat6-common/README.Debian to
    /usr/share/doc/tomcat6/README.Debian to include a minimum of
    documentation in the tomcat6 package and add some useful notes. 
    (Closes: #563937, #563939)
  * Remove poms from the Debian packaging, use upstream pom files

  [ Jason Brittain ]
  * Fixed a bug in the init script: When a start fails, the PID file was
    being left in place.  Now the init script makes sure it is deleted.
  * Fixed a packaging bug that results in the ROOT webapp not being properly
    installed after an uninstall, then a reinstall.
  * control: Corrected a couple of comments (no functional change).

Obsolete in intrepid-updates on 2013-02-20
Obsolete in intrepid-security on 2013-02-20
tomcat6 (6.0.18-0ubuntu3.3) intrepid-security; urgency=low

  * SECURITY UPDATE: arbitrary file creation or overwrite from directory
    traversal via a .. entry in a WAR file.
    - CVE-2009-2693
  * SECURITY UPDATE: authentication bypass via autodeployment process
    - CVE-2009-2901
  * SECURITY UPDATE: work-directory file deletion via directory traversal
    sequences in a WAR filename.
    - CVE-2009-2902
    - debian/patches/security_CVE-2009-2693_2901_2902.patch: validate file
      names and paths in java/org/apache/catalina/loader/
      {LocalStrings.properties,WebappClassLoader.java},
      java/org/apache/catalina/startup/{ContextConfig.java,ExpandWar.java,
      HostConfig.java,LocalStrings.properties}
 -- Marc Deslauriers <email address hidden>   Thu, 11 Feb 2010 09:22:51 -0500
Superseded in jaunty-updates on 2010-08-25
Superseded in jaunty-security on 2010-08-25
tomcat6 (6.0.18-0ubuntu6.2) jaunty-security; urgency=low

  * SECURITY UPDATE: arbitrary file creation or overwrite from directory
    traversal via a .. entry in a WAR file.
    - CVE-2009-2693
  * SECURITY UPDATE: authentication bypass via autodeployment process
    - CVE-2009-2901
  * SECURITY UPDATE: work-directory file deletion via directory traversal
    sequences in a WAR filename.
    - CVE-2009-2902
    - debian/patches/security_CVE-2009-2693_2901_2902.patch: validate file
      names and paths in java/org/apache/catalina/loader/
      {LocalStrings.properties,WebappClassLoader.java},
      java/org/apache/catalina/startup/{ContextConfig.java,ExpandWar.java,
      HostConfig.java,LocalStrings.properties}
 -- Marc Deslauriers <email address hidden>   Thu, 11 Feb 2010 08:41:39 -0500
Superseded in karmic-updates on 2010-08-25
Superseded in karmic-security on 2010-08-25
tomcat6 (6.0.20-2ubuntu2.1) karmic-security; urgency=low

  * SECURITY UPDATE: arbitrary file creation or overwrite from directory
    traversal via a .. entry in a WAR file.
    - CVE-2009-2693
  * SECURITY UPDATE: authentication bypass via autodeployment process
    - CVE-2009-2901
  * SECURITY UPDATE: work-directory file deletion via directory traversal
    sequences in a WAR filename.
    - CVE-2009-2902
    - debian/patches/security_CVE-2009-2693_2901_2902.patch: validate file
      names and paths in java/org/apache/catalina/loader/
      {LocalStrings.properties,WebappClassLoader.java},
      java/org/apache/catalina/startup/{ContextConfig.java,ExpandWar.java,
      HostConfig.java,LocalStrings.properties}
 -- Marc Deslauriers <email address hidden>   Wed, 10 Feb 2010 15:46:14 -0500
Superseded in lucid-release on 2010-02-18
tomcat6 (6.0.20-dfsg1-1) unstable; urgency=low

  * Fix debian/orig-tar.sh to exclude binary only standard.jar and jstl.jar.
    (Closes: #528119)
  * Upload a cleaned tarball.
  * Add ${misc:Depends} in debian/control.
 -- Ubuntu Archive Auto-Sync <email address hidden>   Tue,  02 Feb 2010 00:01:25 +0000

Superseded in lucid-release on 2010-02-02
tomcat6 (6.0.20-9) unstable; urgency=low

  * Fix spelling issues.
  * Always set JSVC_CLASSPATH to a default value in init.
 -- Benjamin Drung <email address hidden>   Mon,  04 Jan 2010 19:03:51 +0000
