Change log for tomcat6 package in Ubuntu
76 → 107 of 107 results
tomcat6 (6.0.24-2ubuntu1.3) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service and possible information disclosure
    via crafted header
    - debian/patches/CVE-2010-2227.patch: fix filter logic in
      java/org/apache/coyote/http11/{Http11AprProcessor,Http11NioProcessor,Http11Processor,filters/BufferedInputFilter}.java.
    - CVE-2010-2227

 -- Marc Deslauriers <email address hidden>  Thu, 19 Aug 2010 10:07:22 -0400
tomcat6 (6.0.28-2) unstable; urgency=low

  * Add debconf questions for user, group and Java options.
  * Use ucf to install /etc/default/tomcat6 from a template
  * Drop CATALINA_BASE and CATALINA_HOME from /etc/default/tomcat6 since we
    shouldn't encourage users to change those anyway
Available diffs
- diff from 6.0.26-5 to 6.0.28-2 (108.3 KiB)
tomcat6 (6.0.26-5) unstable; urgency=medium

  * Convert patches to dep3 format.
  * Backport security fix from trunk to fix CVE-2010-1157. (Closes: #587447)
  * Set urgency to medium due to the security fix.
Available diffs
- diff from 6.0.26-3 to 6.0.26-5 (10.6 KiB)
tomcat6 (6.0.24-2ubuntu1.2) lucid-proposed; urgency=low

  * Fix issues preventing from running Tomcat6 with a security manager:
    - debian/tomcat6.init: Remove duplicate securitymanager options.
    - debian/patches/catalina-sh-security-manager.patch: Use the right
      location for the security.policy file in catalina.sh.
    - Closes LP: #591802. Thanks to Jeff Turner for the original patches and
      to Adam Guthrie for the Lucid debdiff.

 -- Thierry Carrez <email address hidden>  Mon, 05 Jul 2010 14:54:47 +0200
tomcat6 (6.0.26-3) unstable; urgency=low

  [ Marcus Better ]
  * Apply upstream fix for deadlock in WebappClassLoader. (Closes: #583896)

  [ Thierry Carrez ]
  * debian/tomcat6.{install,postinst}: Do not store the default root webapp
    in /usr/share/tomcat6/webapps as it increases confusion on what this
    directory contains (and its relation with /var/lib/tomcat6/webapps).
    Store it inside /usr/share/tomcat6-root instead (LP: #575303).

 -- Ubuntu Archive Auto-Sync <email address hidden>  Tue, 15 Jun 2010 10:11:17 +0100
Available diffs
- diff from 6.0.26-2 to 6.0.26-3 (2.5 KiB)
tomcat6 (6.0.26-2) unstable; urgency=low

  * debian/tomcat6.{postinst,prerm}: Respect TOMCAT6_USER and TOMCAT6_GROUP
    as defined in /etc/default/tomcat6 when setting directory permissions
    and authbind configuration (Closes: #581018, LP: #557300)
  * debian/tomcat6.postinst: Use group "tomcat6" instead of "adm" for
    permissions in /var/lib/tomcat6, so that group "adm" doesn't get write
    permissions over /var/lib/tomcat6/webapps (LP: #569118)
Available diffs
- diff from 6.0.24-2ubuntu1 to 6.0.26-2 (78.0 KiB)
tomcat6 (6.0.24-2ubuntu1.1) lucid-proposed; urgency=low

  * debian/patches/fix-jsp-regression.patch: Fix regression in JSP
    compilation that resulted in "Duplicate local variable" errors when
    using Struts 1.2 or bean:define (LP: #563642)
  * debian/tomcat6.{postinst,prerm}: Respect TOMCAT6_USER and TOMCAT6_GROUP
    as defined in /etc/default/tomcat6 when setting directory permissions
    and authbind configuration (LP: #557300)
  * debian/tomcat6.postinst: Use group "tomcat6" instead of "adm" for
    permissions in /var/lib/tomcat6, so that group "adm" doesn't get write
    permissions over /var/lib/tomcat6/webapps (LP: #569118)

 -- Thierry Carrez <email address hidden>  Fri, 21 May 2010 10:11:35 +0200
tomcat6 (6.0.24-2ubuntu1) lucid; urgency=low

  [ Thierry Carrez ]
  * Uploading what 6.0.24-5 should be (upload is blocked in Debian due to
    current infrastructure issues), in order to meet Beta2Freeze.

  [ Niels Thykier ]
  * Added optimised garbage collection options to tomcat6's default options.
    Thanks to Aaron J. Zirbes and Thierry Carrez for research and the patch.
    (Closes: LP: #541520)
  * Updated the changelog to mention closed CVE's in the 6.0.24-1 release.
  * Applied patch from Arto Jantunen fixing an issue with cleaning up the
    pid-file. (Closes: #574084)

  [ Ludovic Claude ]
  * debian/tomcat6.postrm: fix removal of Tomcat (Closes: #567548)
  * Set UTF-8 as default character encoding - Patch by Thomas Koch
    (Closes: #573539)
  * Set the major, minor and build versions when calling Ant
    (Closes: LP: #495505)
  * Rebuild with a more recent version of maven-repo-helper which puts the
    javax jars at the correct location in the Maven repository. Fixes
    several FTBFS in other packages.

 -- Thierry Carrez <email address hidden>  Wed, 31 Mar 2010 10:47:51 +0200
Available diffs
- diff from 6.0.24-2 to 6.0.24-2ubuntu1 (3.6 KiB)
tomcat6 (6.0.24-2) unstable; urgency=low

  * Fix missing symlinks to tomcat-coyote.jar and catalina-tribes.jar
    causing NoClassDefFoundException at startup (last minute packaging
    change, sorry) (Closes: #570220)
  * tomcat6-admin, tomcat6-examples and tomcat6-docs now depend on
    tomcat6-common instead of tomcat6, this allows users to install those
    packages without requiring tomcat6 and its automatic startup scripts
    being present. tomcat-users can be installed instead and allow full
    control over when Tomcat is started or stopped.

 -- Thierry Carrez <email address hidden>  Mon, 22 Feb 2010 13:52:01 +0000
Available diffs
- diff from 6.0.24-1 to 6.0.24-2 (2.3 KiB)
tomcat6 (6.0.24-1) unstable; urgency=low

  [ Ludovic Claude ]
  * New upstream version
  * Update the POM files for the new version of Tomcat
  * Bump up Standards-Version to 3.8.4
  * Refresh patches deploy-webapps-build-xml.patch and var_loaders.patch
  * Remove patch fix_context_name.patch as it has been applied upstream
  * Fix the installation of servlet-api-2.5.jar: the jar goes to
    /usr/share/java as in older versions (6.0.20-2) and links to the jar
    are added to /usr/share/maven-repo
  * Moved NEWS.Debian into README.Debian
  * Add a link from /usr/share/doc/tomcat6-common/README.Debian to
    /usr/share/doc/tomcat6/README.Debian to include a minimum of
    documentation in the tomcat6 package and add some useful notes.
    (Closes: #563937, #563939)
  * Remove poms from the Debian packaging, use upstream pom files

  [ Jason Brittain ]
  * Fixed a bug in the init script: When a start fails, the PID file was
    being left in place. Now the init script makes sure it is deleted.
  * Fixed a packaging bug that results in the ROOT webapp not being properly
    installed after an uninstall, then a reinstall.
  * control: Corrected a couple of comments (no functional change).
Available diffs
- diff from 6.0.20-dfsg1-1 to 6.0.24-1 (285.3 KiB)
tomcat6 (6.0.18-0ubuntu3.3) intrepid-security; urgency=low

  * SECURITY UPDATE: arbitrary file creation or overwrite from directory
    traversal via a .. entry in a WAR file.
    - CVE-2009-2693
  * SECURITY UPDATE: authentication bypass via autodeployment process
    - CVE-2009-2901
  * SECURITY UPDATE: work-directory file deletion via directory traversal
    sequences in a WAR filename.
    - CVE-2009-2902
    - debian/patches/security_CVE-2009-2693_2901_2902.patch: validate file
      names and paths in
      java/org/apache/catalina/loader/{LocalStrings.properties,WebappClassLoader.java},
      java/org/apache/catalina/startup/{ContextConfig.java,ExpandWar.java,HostConfig.java,LocalStrings.properties}

 -- Marc Deslauriers <email address hidden>  Thu, 11 Feb 2010 09:22:51 -0500
tomcat6 (6.0.18-0ubuntu6.2) jaunty-security; urgency=low

  * SECURITY UPDATE: arbitrary file creation or overwrite from directory
    traversal via a .. entry in a WAR file.
    - CVE-2009-2693
  * SECURITY UPDATE: authentication bypass via autodeployment process
    - CVE-2009-2901
  * SECURITY UPDATE: work-directory file deletion via directory traversal
    sequences in a WAR filename.
    - CVE-2009-2902
    - debian/patches/security_CVE-2009-2693_2901_2902.patch: validate file
      names and paths in
      java/org/apache/catalina/loader/{LocalStrings.properties,WebappClassLoader.java},
      java/org/apache/catalina/startup/{ContextConfig.java,ExpandWar.java,HostConfig.java,LocalStrings.properties}

 -- Marc Deslauriers <email address hidden>  Thu, 11 Feb 2010 08:41:39 -0500
tomcat6 (6.0.20-2ubuntu2.1) karmic-security; urgency=low

  * SECURITY UPDATE: arbitrary file creation or overwrite from directory
    traversal via a .. entry in a WAR file.
    - CVE-2009-2693
  * SECURITY UPDATE: authentication bypass via autodeployment process
    - CVE-2009-2901
  * SECURITY UPDATE: work-directory file deletion via directory traversal
    sequences in a WAR filename.
    - CVE-2009-2902
    - debian/patches/security_CVE-2009-2693_2901_2902.patch: validate file
      names and paths in
      java/org/apache/catalina/loader/{LocalStrings.properties,WebappClassLoader.java},
      java/org/apache/catalina/startup/{ContextConfig.java,ExpandWar.java,HostConfig.java,LocalStrings.properties}

 -- Marc Deslauriers <email address hidden>  Wed, 10 Feb 2010 15:46:14 -0500
Superseded in lucid-release
tomcat6 (6.0.20-dfsg1-1) unstable; urgency=low

  * Fix debian/orig-tar.sh to exclude binary only standard.jar and jstl.jar.
    (Closes: #528119)
  * Upload a cleaned tarball.
  * Add ${misc:Depends} in debian/control.

 -- Ubuntu Archive Auto-Sync <email address hidden>  Tue, 02 Feb 2010 00:01:25 +0000
Available diffs
- diff from 6.0.20-9 to 6.0.20-dfsg1-1 (179.9 KiB)
tomcat6 (6.0.20-9) unstable; urgency=low

  * Fix spelling issues.
  * Always set JSVC_CLASSPATH to a default value in init.

 -- Benjamin Drung <email address hidden>  Mon, 04 Jan 2010 19:03:51 +0000
Available diffs
- diff from 6.0.20-8ubuntu1 to 6.0.20-9 (2.4 KiB)
Superseded in lucid-release
tomcat6 (6.0.20-8ubuntu1) lucid; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - debian/control, debian/rules: Do not use 3.0 (quilt) source format yet
  * debian/tomcat6.default: Fix typos in "JSVC" and "remote", missing newline
  * debian/tomcat6.default, debian/tomcat6.init: Handle JSVC_CLASSPATH
    default value the same way as other defaults
Available diffs
- diff from 6.0.20-2ubuntu2 to 6.0.20-8ubuntu1 (10.8 KiB)
tomcat6 (6.0.20-2ubuntu2) karmic; urgency=low

  * Add maven POM's for libservlet2.5-java. LP: #454822.
  * debian/policy/02debian.policy: grant access to /usr/share/maven-repo/
    as it is a valid source of Debian JARs.

 -- Matthias Klose <email address hidden>  Sun, 25 Oct 2009 17:00:31 +0100
Obsolete in hardy-backports
tomcat6 (6.0.18-0ubuntu3.2~hardy1) hardy-backports; urgency=low

  [ Michael Jeanson ]
  * Source backport for Hardy backports (LP: #271784)
  * debian/control:
    - Changed dependency on default-jdk to openjdk-6-jdk
    - Changed dependency on default-jre-headless to openjdk-6-jre-headless
  * debian/rules:
    - Adjusted JAVA_HOME for openjdk-6-jdk

  [ Michael Casadevall ]
  * Updated diff to apply against intrepid-security 6.0.18-0ubuntu3.2

 -- Michael Casadevall <email address hidden>  Fri, 11 Sep 2009 14:07:05 -0400
Superseded in karmic-release
tomcat6 (6.0.20-2ubuntu1) karmic; urgency=low

  * Merge from debian unstable (LP: #391018); remaining changes:
    - debian/control, debian/rules: Use default-jdk to build
    - debian/control: Run using default-jre-headless by default
Available diffs
- diff from 6.0.20-1ubuntu1 to 6.0.20-2ubuntu1 (938 bytes)
Superseded in karmic-release
tomcat6 (6.0.20-1ubuntu1) karmic; urgency=low

  [ Iulian Udrea ]
  * Merge from debian unstable (LP: #385262), remaining changes:
    - debian/control, debian/rules: Use default-jdk to build
    - debian/control: Run using default-jre-headless by default
Available diffs
- diff from 6.0.18-3ubuntu1 to 6.0.20-1ubuntu1 (254.5 KiB)
tomcat6 (6.0.18-0ubuntu6.1) jaunty-security; urgency=low

  * SECURITY UPDATE: security bypass via specially crafted request
    - debian/patches/security-CVE-2008-5515.patch: use only a single
      normalise implementation in:
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/core/{ApplicationContext,ApplicationHttpRequest}.java,
      java/org/apache/catalina/servlets/WebdavServlet.java,
      java/org/apache/catalina/ssi/{SSIServletExternalResolver,SSIServletRequestUtil}.java,
      java/org/apache/catalina/util/RequestUtil.java,
      java/org/apache/naming/resources/FileDirContext.java
    - CVE-2008-5515
  * SECURITY UPDATE: denial of service via request with invalid headers
    - debian/patches/security-CVE-2009-0033.patch: make sure we return 400
      to the browser in
      java/org/apache/jk/common/{ChannelNioSocket,ChannelSocket,HandlerRequest}.java
    - CVE-2009-0033
  * SECURITY UPDATE: valid username enumeration via improper error checking
    - debian/patches/security-CVE-2009-0580.patch: make sure we have valid
      credentials in
      java/org/apache/catalina/realm/{DataSourceRealm,JDBCRealm,MemoryRealm}.java
    - CVE-2009-0580
  * SECURITY UPDATE: cross-site scripting in calendar example application
    (LP: #341278)
    - debian/patches/security-CVE-2009-0781.patch: properly quote value in
      webapps/examples/jsp/cal/cal2.jsp
    - CVE-2009-0781
  * SECURITY UPDATE: information disclosure via XML parser replacement
    - debian/patches/security-CVE-2009-0783.patch: create digesters and
      parsers earlier and don't use xml-parser from web-app in
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/startup/{LocalStrings.properties,TldConfig.java}
    - CVE-2009-0783

 -- Marc Deslauriers <email address hidden>  Wed, 10 Jun 2009 08:31:31 -0400
tomcat6 (6.0.18-0ubuntu3.2) intrepid-security; urgency=low

  * SECURITY UPDATE: security bypass via specially crafted request
    - debian/patches/security-CVE-2008-5515.patch: use only a single
      normalise implementation in:
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/core/{ApplicationContext,ApplicationHttpRequest}.java,
      java/org/apache/catalina/servlets/WebdavServlet.java,
      java/org/apache/catalina/ssi/{SSIServletExternalResolver,SSIServletRequestUtil}.java,
      java/org/apache/catalina/util/RequestUtil.java,
      java/org/apache/naming/resources/FileDirContext.java
    - CVE-2008-5515
  * SECURITY UPDATE: denial of service via request with invalid headers
    - debian/patches/security-CVE-2009-0033.patch: make sure we return 400
      to the browser in
      java/org/apache/jk/common/{ChannelNioSocket,ChannelSocket,HandlerRequest}.java
    - CVE-2009-0033
  * SECURITY UPDATE: valid username enumeration via improper error checking
    - debian/patches/security-CVE-2009-0580.patch: make sure we have valid
      credentials in
      java/org/apache/catalina/realm/{DataSourceRealm,JDBCRealm,MemoryRealm}.java
    - CVE-2009-0580
  * SECURITY UPDATE: cross-site scripting in calendar example application
    (LP: #341278)
    - debian/patches/security-CVE-2009-0781.patch: properly quote value in
      webapps/examples/jsp/cal/cal2.jsp
    - CVE-2009-0781
  * SECURITY UPDATE: information disclosure via XML parser replacement
    - debian/patches/security-CVE-2009-0783.patch: create digesters and
      parsers earlier and don't use xml-parser from web-app in
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/startup/{LocalStrings.properties,TldConfig.java}
    - CVE-2009-0783

 -- Marc Deslauriers <email address hidden>  Wed, 10 Jun 2009 09:46:33 -0400
Superseded in karmic-release
tomcat6 (6.0.18-3ubuntu1) karmic; urgency=low

  * Merge from debian unstable (LP: #371728), remaining changes:
    - debian/control, debian/rules: Use default-jdk to build
    - debian/control: Run using default-jre-headless by default
    - debian/patches/tcnative-ipv6-fix-43327.patch to fix incompatibility
      between libtcnative-1 and ipv6
tomcat6 (6.0.18-0ubuntu6) jaunty; urgency=low

  * Added debian/patches/tcnative-ipv6-fix-43327.patch to fix
    incompatibility between libtcnative-1 and ipv6 (fixes LP: #287645)
  * No longer create confusing /var/lib/tomcat6/lib or lib subdirectory in
    private instances, since they are ignored (LP: #324212)

 -- Thierry Carrez <email address hidden>  Mon, 23 Feb 2009 10:16:37 +0000
Superseded in jaunty-release
tomcat6 (6.0.18-0ubuntu5) jaunty; urgency=low

  [ Thierry Carrez ]
  * Removed tomcat6-[admin,docs,examples].post[inst,rm] and let Tomcat
    webapp autodeployment features handle application load/unload
    (LP: #302914)
  * tomcat6-instance-create, tomcat6-instance-create.1, control: Allow to
    change the HTTP port, control port and shutdown word on the
    tomcat6-instance-create command line (LP: #300691).

  [ Mathias Gug ]
  * debian/tomcat6-instance-create: move directoryname from an option to an
    argument.
  * debian/tomcat6-instance-create.1: some updates to the man page.
  * debian/control: update maintainer field to Ubuntu Core Developers now
    that tomcat6 is in main.

 -- Mathias Gug <email address hidden>  Wed, 07 Jan 2009 18:44:39 -0500
tomcat6 (6.0.18-0ubuntu3.1) intrepid-proposed; urgency=low

  * patches/use-commons-dbcp.patch: Change default DBCP factory class to
    org.apache.commons.dbcp.BasicDataSourceFactory (LP: #283852)
  * tomcat6.dirs, tomcat6.postinst, default_root/index.html: Create
    Catalina/localhost in /etc/tomcat6 and make it writeable by the tomcat6
    group, so that autodeploy and admin webapps work as expected
    (LP: #294277)

 -- Thierry Carrez <email address hidden>  Fri, 05 Dec 2008 09:58:55 +0100
Superseded in jaunty-release
tomcat6 (6.0.18-0ubuntu4) jaunty; urgency=low

  * tomcat6.init, tomcat6.postinst, tomcat6.dirs, tomcat6.default,
    README.debian: Use /tmp/tomcat6-temp instead of /var/lib/tomcat6/temp
    as the JVM temporary directory and clean it at each restart
    (LP: #287452)
  * policy/04webapps.policy: add rules to allow usage of java.io.tmpdir
  * tomcat6.init, rules: Do not use TearDown, as this results in
    LifecycleListener callbacks in webapps being bypassed (LP: #299436)
  * rules: Compile at Java 1.5 level to allow usage of Java 5 JREs
    (LP: #286427)
  * control, rules, libservlet2.5-java-doc.install,
    libservlet2.5-java-doc.links: New libservlet2.5-java-doc package ships
    missing Servlet/JSP API documentation (LP: #279645)
  * patches/use-commons-dbcp.patch: Change default DBCP factory class to
    org.apache.commons.dbcp.BasicDataSourceFactory (LP: #283852)
  * tomcat6.dirs, tomcat6.postinst, default_root/index.html: Create
    Catalina/localhost in /etc/tomcat6 and make it writeable by the tomcat6
    group, so that autodeploy and admin webapps work as expected
    (LP: #294277)
  * patches/disable-apr-loading.patch: Disable APR library loading until we
    properly provide it.
  * patches/disable-ajp-connector: Do not load AJP13 connector by default
    (LP: #300697)
  * rules: minor fixes to prevent build being called twice.

 -- Thierry Carrez <email address hidden>  Thu, 27 Nov 2008 12:47:42 +0000
tomcat6 (6.0.18-0ubuntu3) intrepid; urgency=low

  * debian/tomcat6.postinst:
    - Make /var/lib/tomcat6/temp writeable by the tomcat6 user (LP: #287126)
    - Make /var/lib/tomcat6/webapps writeable by tomcat6 group (LP: #287447)
  * debian/tomcat6.init: make status return nonzero if tomcat6 is not
    running (fixes LP: #288218)

 -- Thierry Carrez <email address hidden>  Thu, 23 Oct 2008 18:19:15 +0200
Available diffs
- diff from 6.0.18-0ubuntu2 to 6.0.18-0ubuntu3 (675 bytes)
Superseded in intrepid-release
tomcat6 (6.0.18-0ubuntu2) intrepid; urgency=low

  * debian/rules: call dh_installinit with --error-handler so that install
    doesn't fail if Tomcat cannot be started during configure (LP: #274365)

 -- Thierry Carrez <email address hidden>  Mon, 06 Oct 2008 13:55:21 +0200
Available diffs
- diff from 6.0.18-0ubuntu1 to 6.0.18-0ubuntu2 (510 bytes)
tomcat6 (6.0.18-0ubuntu1) intrepid; urgency=low

  * New upstream version (LP: #260016)
    - Fixes CVE-2008-2938: Directory traversal vulnerability (LP: #256802)
    - Fixes CVE-2008-2370: Information disclosure vulnerability
      (LP: #256922)
    - Fixes CVE-2008-1232: XSS through sendError vulnerability (LP: #256926)
  * Dropped CVE-2008-1947.patch (fix is shipped in this upstream release)
  * control: Improve short descriptions for the binary packages
  * copyright: Added link to /usr/share/common-licenses/Apache-2.0
  * control: To pull the right JRE, libtomcat6-java now depends on
    default-jre-headless | java6-runtime-headless

 -- Thierry Carrez <email address hidden>  Fri, 22 Aug 2008 09:15:11 +0200
Available diffs
- diff from 6.0.16-1ubuntu1 to 6.0.18-0ubuntu1 (208.3 KiB)
Superseded in intrepid-release
tomcat6 (6.0.16-1ubuntu1) intrepid; urgency=low

  * Adding full Tomcat 6 server stack support (LP: #256052)
    - tomcat6 handles the system instance (/var/lib/tomcat6)
    - tomcat6-user allows users to create their own private instances
    - tomcat6-common installs common files in /usr/share/tomcat6
    - libtomcat6-java installs Tomcat 6 java libs in /usr/share/java
    - tomcat6-docs installs the documentation webapp
    - tomcat6-examples installs the examples webapp
    - tomcat6-admin installs the manager and host-manager webapps
  * Other key differences with the tomcat5.5 packages:
    - default-jdk build support
    - OpenJDK-6 JRE runtime support
    - tomcat6 installs a minimal ROOT webapp
    - new webapp locations follow Debian webapp policy
    - webapps restart tomcat6 in postrm rather than in prerm
    - added a doc-base entry
    - use standard upstream server.xml
    - initscript: try to check if Tomcat is really running before returning
      OK
    - removed transitional configuration migration code
    - autogenerate policy in /var/cache/tomcat6 rather than /etc/tomcat6
    - logging.properties is customized to remove -webapps-related lines
    - initscript: implement TearDown spec
  * CVE-2008-1947 fix (cross-site-scripting issue in host-manager webapp)

 -- Thierry Carrez <email address hidden>  Fri, 08 Aug 2008 15:37:48 +0200
Available diffs
- diff from 6.0.16-1 to 6.0.16-1ubuntu1 (13.4 KiB)
tomcat6 (6.0.16-1) unstable; urgency=low

  * Initial release. (Closes: #480964).

 -- Ubuntu Archive Auto-Sync <email address hidden>  Fri, 30 May 2008 07:44:49 +0100