Change log for tomcat6 package in Ubuntu
tomcat6 (6.0.45+dfsg-1ubuntu0.2) xenial-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat6.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240

 -- Emilia Torino <email address hidden>  Mon, 26 Oct 2020 11:52:05 -0300
tomcat6 (6.0.45+dfsg-1ubuntu0.1) xenial-security; urgency=medium

  * Merge patches from Debian.
  * SECURITY UPDATE: Timing attack.
    - debian/patches/CVE-2016-0762.patch: Make timing attacks against the
      Realm implementations harder.
    - CVE-2016-0762
  * SECURITY UPDATE: SecurityManager bypass.
    - debian/patches/CVE-2016-5018.patch: Remove unnecessary code.
    - debian/patches/CVE-2016-5018-part2.patch: Fix regression.
    - debian/patches/CVE-2016-6794.patch: Provide a mechanism that enables
      the container to check if a component has been granted a given
      permission when running under a SecurityManager.
    - debian/patches/CVE-2016-6796.patch: Ignore some JSP options when
      running under a SecurityManager.
    - CVE-2016-5018
    - CVE-2016-6794
    - CVE-2016-6796
  * SECURITY UPDATE: Limited resources bypass.
    - debian/patches/CVE-2016-6797.patch: When adding and removing
      ResourceLinks dynamically, ensure that the global resource is only
      visible via the ResourceLinkFactory when it is meant to be.
    - debian/patches/CVE-2016-6797-part2.patch: Fix regression.
    - CVE-2016-6797
  * SECURITY UPDATE: Data injection in HTTP requests.
    - debian/patches/CVE-2016-6816.patch: Add additional checks for valid
      characters to the HTTP request line parsing so invalid request lines
      are rejected sooner.
    - CVE-2016-6816
  * SECURITY UPDATE: Remote code execution.
    - debian/patches/CVE-2016-8735.patch: Explicitly configure allowed
      credential types.
    - CVE-2016-8735

 -- Eduardo Barretto <email address hidden>  Tue, 29 Sep 2020 10:08:34 -0300
tomcat6 (6.0.39-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: Integer overflow
    - debian/patches/CVE-2014-0075.patch: Fix integer overflow in the
      parseChunkHeader function in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java
    - CVE-2014-0075
  * SECURITY UPDATE: Bypass security-manager restrictions and read arbitrary
    files via a crafted web application that provides an XML external entity
    declaration in conjunction with an entity reference.
    - debian/patches/CVE-2014-0096.patch: Properly restrict XSLT stylesheets
    - CVE-2014-0096
  * SECURITY UPDATE: Fix integer overflow.
    - debian/patches/CVE-2014-0099.patch: Fix in
      java/org/apache/tomcat/util/buf/Ascii.java
    - CVE-2014-0099
  * SECURITY UPDATE: Read arbitrary files via a crafted web application that
    provides an XML external entity declaration in conjunction with an entity
    reference.
    - debian/patches/CVE-2014-0119-1.patch: fix in SecurityClassLoad.java and
      DefaultServlet.java
    - debian/patches/CVE-2014-0119-2.patch: fix in TldConfig.java
    - debian/patches/CVE-2014-0119-3.patch: fix in multiple files
    - CVE-2014-0119
  * SECURITY UPDATE: Add error flag to allow subsequent attempts at reading
    after an error to fail fast.
    - debian/patches/CVE-2014-0227.patch: fix in ChunkedInputFilter.java
    - CVE-2014-0227
  * SECURITY UPDATE: DoS (thread consumption) via a series of aborted upload
    attempts.
    - debian/patches/CVE-2014-0230.patch: add support for maxSwallowSize
    - CVE-2014-0230
  * SECURITY UPDATE: Bypass a SecurityManager protection mechanism via a web
    application that leverages use of incorrect privileges during EL
    evaluation.
    - debian/patches/CVE-2014-7810-1.patch: fix in BeanELResolver.java
    - debian/patches/CVE-2014-7810-2.patch: fix in PageContextImpl.java and
      SecurityClassLoad.java
    - CVE-2014-7810
  * SECURITY UPDATE: Directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix in RequestUtil.java
    - CVE-2015-5174
  * SECURITY UPDATE: Remote attackers can determine the existence of a
    directory via a URL that lacks a trailing slash character.
    - debian/patches/CVE-2015-5345-1.patch: fix in multiple files
    - debian/patches/CVE-2015-5345-2.patch: fix in multiple files
    - CVE-2015-5345
  * SECURITY UPDATE: Bypass CSRF protection mechanism by using a token.
    - debian/patches/CVE-2015-5351-1.patch: fix in manager application
    - debian/patches/CVE-2015-5351-2.patch: fix in host-manager application
    - CVE-2015-5351
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and read
    arbitrary HTTP requests, and consequently discover session ID values, via
    a crafted web application.
    - debian/patches/CVE-2016-0706.patch: fix in RestrictedServlets.properties
    - CVE-2016-0706
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and execute
    arbitrary code in a privileged context via a web application that places
    a crafted object in a session.
    - debian/patches/CVE-2016-0714-1.patch: fix in multiple files.
    - debian/patches/CVE-2016-0714-2.patch: fix in multiple files.
    - CVE-2016-0714
  * SECURITY UPDATE: Possible to determine valid user names.
    - debian/patches/CVE-2016-0762.patch: fix in MemoryRealm.java and
      RealmBase.java
    - CVE-2016-0762
  * SECURITY UPDATE: Bypass intended SecurityManager restrictions and read or
    write to arbitrary application data, or cause a denial of service
    (application disruption), via a web application that sets a crafted
    global context.
    - debian/patches/CVE-2016-0763.patch: fix in ResourceLinkFactory.java
    - CVE-2016-0763
  * SECURITY UPDATE: Access to the tomcat account to gain root privileges via
    a symlink attack on the Catalina log file.
    - debian/tomcat6.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240

 -- Eduardo Barretto <email address hidden>  Thu, 11 Oct 2018 18:55:25 -0300
tomcat6 (6.0.35-1ubuntu3.11) precise-security; urgency=medium

  * SECURITY UPDATE: possible DoS via CPU consumption (LP: #1663318)
    - debian/patches/CVE-2017-6056.patch: fix infinite loop in
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2017-6056

 -- Marc Deslauriers <email address hidden>  Fri, 17 Feb 2017 09:04:04 -0500
tomcat6 (6.0.35-1ubuntu3.10) precise-security; urgency=medium

  * SECURITY REGRESSION: security manager startup issue (LP: #1659589)
    - debian/patches/0010-Use-java.security.policy-file-in-catalina.sh.patch:
      update to new /var/lib/tomcat6/policy location.
    - debian/tomcat6.postrm: remove policy directory.

 -- Marc Deslauriers <email address hidden>  Wed, 01 Feb 2017 10:45:15 -0500
tomcat6 (6.0.35-1ubuntu3.9) precise-security; urgency=medium

  * SECURITY UPDATE: timing attack in realm implementations
    - debian/patches/CVE-2016-0762.patch: add time delays to
      java/org/apache/catalina/realm/MemoryRealm.java,
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2016-0762
  * SECURITY UPDATE: SecurityManager bypass via a utility method
    - debian/patches/CVE-2016-5018.patch: remove unnecessary code in
      java/org/apache/jasper/compiler/JspRuntimeContext.java,
      java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2016-5018
  * SECURITY UPDATE: mitigation for httpoxy issue
    - debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization
      parameter to conf/web.xml, webapps/docs/cgi-howto.xml,
      java/org/apache/catalina/servlets/CGIServlet.java.
    - CVE-2016-5388
  * SECURITY UPDATE: system properties read SecurityManager bypass
    - debian/patches/CVE-2016-6794.patch: extend SecurityManager protection
      to the system property replacement feature of the digester in
      java/org/apache/catalina/loader/WebappClassLoader.java,
      java/org/apache/tomcat/util/digester/Digester.java,
      java/org/apache/tomcat/util/security/PermissionCheck.java.
    - CVE-2016-6794
  * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
    parameters
    - debian/patches/CVE-2016-6796.patch: ignore some JSP options when
      running under a SecurityManager in conf/web.xml,
      java/org/apache/jasper/EmbeddedServletOptions.java,
      java/org/apache/jasper/resources/LocalStrings.properties,
      java/org/apache/jasper/servlet/JspServlet.java,
      webapps/docs/jasper-howto.xml.
    - CVE-2016-6796
  * SECURITY UPDATE: web application global JNDI resource access
    - debian/patches/CVE-2016-6797.patch: ensure that the global resource is
      only visible via the ResourceLinkFactory when it is meant to be in
      java/org/apache/catalina/core/NamingContextListener.java,
      java/org/apache/naming/factory/ResourceLinkFactory.java.
    - CVE-2016-6797
  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid
      characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/InternalNioInputBuffer.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
      credential types in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when unable
      to complete sendfile request in
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat6.postinst: properly set permissions on
      /etc/tomcat7/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat6.postrm.in: don't reset permissions before removing user.
    - CVE-2016-9775
  * debian/tomcat6.init: further hardening.

 -- Marc Deslauriers <email address hidden>  Thu, 19 Jan 2017 15:18:22 -0500
tomcat6 (6.0.35-1ubuntu3.8) precise-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat6.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240
  * SECURITY REGRESSION: change in behaviour after security update
    - debian/patches/CVE-2015-5345-2.patch: change
      mapperContextRootRedirectEnabled default to true in
      java/org/apache/catalina/core/StandardContext.java,
      webapps/docs/config/context.xml. This reverts the change in behaviour
      following the CVE-2015-5345 security update and was also done upstream
      in later releases.

 -- Marc Deslauriers <email address hidden>  Fri, 16 Sep 2016 09:34:48 -0400
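The CVE-2016-1240 fix recorded in the xenial (6.0.45+dfsg-1ubuntu0.2), trusty (6.0.39-1ubuntu0.1) and precise (6.0.35-1ubuntu3.8) entries is the same change: the init script, which runs as root, stops following a symlink at the catalina.out path before creating or chowning it. The shell below is an added example written for this page, not the Debian tomcat6 init script or any code from the package. It puts the symlink-following log preparation next to a hardened version and demonstrates the difference on a constructed dangling symlink in a temporary directory; the function names, the temporary paths and the umask value are assumptions of the example, and the service-user name stands in for the real tomcat6 account.

```shell
#!/bin/sh
# Added example, not the Debian tomcat6 init script: the log-file preparation
# step of a root-run init script, first in the symlink-following form and then
# in a form that refuses symlinks. Paths are hypothetical temp files; the real
# script handles catalina.out under the tomcat6 log directory.

# Old pattern: "create the log file if missing, then hand it to the service
# user". Both ">>" and chown follow a symlink, so a service account that can
# plant catalina.out -> /some/root-owned/path gets root to create or re-own
# that path on the next start.
unsafe_prepare_log() {
    logfile="$1"; owner="$2"
    : >> "$logfile" || return 1
    if [ "$(id -u)" -eq 0 ]; then chown "$owner" "$logfile"; fi
    return 0
}

# Hardened pattern: test the path itself with -h (never its target) and require
# any existing entry to be a regular file before writing to or chowning it.
safe_prepare_log() {
    logfile="$1"; owner="$2"
    if [ -h "$logfile" ]; then
        echo "refusing to follow symlink: $logfile" >&2
        return 1
    fi
    if [ -e "$logfile" ] && [ ! -f "$logfile" ]; then
        echo "refusing, not a regular file: $logfile" >&2
        return 1
    fi
    # Create under a restrictive umask so a new file is never group/world-writable.
    ( umask 027; : >> "$logfile" ) || return 1
    if [ "$(id -u)" -eq 0 ]; then chown "$owner" "$logfile"; fi
    return 0
}

# Demonstration on a constructed dangling symlink standing in for the planted
# link. Returns 0 when the unsafe version creates the link target and the safe
# version refuses without creating it.
demo_symlink_attack() {
    tmp=$(mktemp -d) || return 1
    victim="$tmp/root-owned-path"
    ln -s "$victim" "$tmp/catalina.out"

    unsafe_prepare_log "$tmp/catalina.out" "$(id -un)"
    unsafe_hit=0
    if [ -e "$victim" ]; then unsafe_hit=1; fi

    rm -f "$victim"
    safe_rc=0
    safe_prepare_log "$tmp/catalina.out" "$(id -un)" 2>/dev/null || safe_rc=$?
    safe_hit=0
    if [ -e "$victim" ]; then safe_hit=1; fi

    rm -rf "$tmp"
    echo "unsafe: target created=$unsafe_hit; safe: rc=$safe_rc, target created=$safe_hit"
    [ "$unsafe_hit" -eq 1 ] && [ "$safe_rc" -ne 0 ] && [ "$safe_hit" -eq 0 ]
}

demo_symlink_attack
```

The check has to use `-h` (or `-L`) on the log path itself: `-e` and `-f` dereference the link, so they would report the target's state and let a dangling link through. Refusing to start is the right failure mode here, since a log path that is a symlink under the service account's control is exactly the condition the fix is meant to stop.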
tomcat6 (6.0.35-1ubuntu3.7) precise-security; urgency=medium

  * SECURITY UPDATE: directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix normalization edge cases in
      java/org/apache/tomcat/util/http/RequestUtil.java.
    - CVE-2015-5174
  * SECURITY UPDATE: information disclosure via redirects by mapper
    - debian/patches/CVE-2015-5345.patch: fix redirect logic in
      java/org/apache/catalina/Context.java,
      java/org/apache/catalina/authenticator/FormAuthenticator.java,
      java/org/apache/catalina/connector/MapperListener.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/mbeans-descriptors.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/WebdavServlet.java,
      java/org/apache/tomcat/util/http/mapper/Mapper.java,
      webapps/docs/config/context.xml.
    - CVE-2015-5345
  * SECURITY UPDATE: securityManager restrictions bypass via
    StatusManagerServlet
    - debian/patches/CVE-2016-0706.patch: place servlet in restricted list in
      java/org/apache/catalina/core/RestrictedServlets.properties.
    - CVE-2016-0706
  * SECURITY UPDATE: securityManager restrictions bypass via
    session-persistence implementation
    - debian/patches/CVE-2016-0714.patch: extend the session attribute
      filtering options in
      java/org/apache/catalina/ha/session/mbeans-descriptors.xml,
      java/org/apache/catalina/session/LocalStrings.properties,
      java/org/apache/catalina/session/ManagerBase.java,
      java/org/apache/catalina/session/mbeans-descriptors.xml,
      webapps/docs/config/cluster-manager.xml,
      webapps/docs/config/manager.xml,
      java/org/apache/catalina/session/StandardManager.java,
      java/org/apache/catalina/util/CustomObjectInputStream.java.
    - CVE-2016-0714
  * SECURITY UPDATE: securityManager restrictions bypass via crafted global
    context
    - debian/patches/CVE-2016-0763.patch: protect initialization in
      java/org/apache/naming/factory/ResourceLinkFactory.java.
    - CVE-2016-0763
  * SECURITY UPDATE: denial of service in FileUpload
    - debian/patches/CVE-2016-3092.patch: properly handle size in
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2016-3092

 -- Marc Deslauriers <email address hidden>  Wed, 29 Jun 2016 14:00:46 -0400
Deleted in yakkety-release (Reason: (From Debian) ROM; No longer used; Debian bug #832023)
Published in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
tomcat6 (6.0.45+dfsg-1) unstable; urgency=medium

  * Team upload.
  * Imported Upstream version 6.0.45+dfsg.
    - Remove all prebuilt jar files.
  * Declare compliance with Debian Policy 3.9.7.
  * Vcs-fields: Use https.
  * This update fixes the following security vulnerabilities in the source
    package. Since src:tomcat6 only builds libservlet2.5-java and
    documentation, users are not directly affected.
    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
      processes redirects before considering security constraints and
      Filters.
    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
      org.apache.catalina.manager.StatusManagerServlet on the
      org/apache/catalina/core/RestrictedServlets.properties list which
      allows remote authenticated users to bypass intended SecurityManager
      restrictions.
    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
      before 6.0.45 mishandles session attributes, which allows remote
      authenticated users to bypass intended SecurityManager restrictions.
    - CVE-2016-0763: The setGlobalContext method in
      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat
      does not consider whether ResourceLinkFactory.setGlobalContext callers
      are authorized, which allows remote authenticated users to bypass
      intended SecurityManager restrictions and read or write to arbitrary
      application data, or cause a denial of service (application
      disruption), via a web application that sets a crafted global context.
    - CVE-2015-5351: The Manager and Host Manager applications in Apache
      Tomcat establish sessions and send CSRF tokens for arbitrary new
      requests, which allows remote attackers to bypass a CSRF protection
      mechanism by using a token.

 -- Markus Koschany <email address hidden>  Sat, 27 Feb 2016 19:32:00 +0100
Available diffs
- diff from 6.0.41-4 to 6.0.45+dfsg-1 (219.9 KiB)
tomcat6 (6.0.35-1ubuntu3.6) precise-security; urgency=medium

  * SECURITY UPDATE: HTTP request smuggling or denial of service via
    streaming with malformed chunked transfer encoding (LP: #1449975)
    - debian/patches/CVE-2014-0227.patch: add error flag and improve i18n in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      java/org/apache/coyote/http11/filters/LocalStrings.properties.
    - CVE-2014-0227
  * SECURITY UPDATE: denial of service via aborted upload attempts
    (LP: #1449975)
    - debian/patches/CVE-2014-0230.patch: limit amount of data in
      java/org/apache/coyote/Constants.java,
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      java/org/apache/coyote/http11/filters/IdentityInputFilter.java,
      java/org/apache/coyote/http11/filters/LocalStrings.properties,
      webapps/docs/config/systemprops.xml.
    - CVE-2014-0230
  * SECURITY UPDATE: SecurityManager bypass via Expression Language
    - debian/patches/CVE-2014-7810.patch: handle classes that may not be
      accessible but have accessible interfaces in
      java/javax/el/BeanELResolver.java, remove unnecessary code in
      java/org/apache/jasper/runtime/PageContextImpl.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2014-7810

 -- Marc Deslauriers <email address hidden>  Mon, 22 Jun 2015 08:16:23 -0400
Superseded in xenial-release
Obsolete in wily-release
Deleted in wily-proposed (Reason: moved to release)
tomcat6 (6.0.41-4) unstable; urgency=medium

  * Removed the timestamp from the Javadoc of the Servlet API to make the
    build reproducible

 -- Emmanuel Bourg <email address hidden>  Wed, 06 May 2015 09:35:37 +0200
Available diffs
- diff from 6.0.41-1 to 6.0.41-4 (3.6 KiB)
- diff from 6.0.41-3 to 6.0.41-4 (645 bytes)
tomcat6 (6.0.41-3) unstable; urgency=medium

  * Build only the libservlet2.5-java and libservlet2.5-java-doc packages.
    Tomcat 6 will not be supported in Jessie, but the Servlet API is still
    useful as a build dependency for other packages.
  * Standards-Version updated to 3.9.6 (no changes)

 -- Emmanuel Bourg <email address hidden>  Wed, 22 Oct 2014 09:48:54 +0200
tomcat6 (6.0.35-1ubuntu3.5) precise-security; urgency=medium

  * SECURITY UPDATE: denial of service via malformed chunk size
    - debian/patches/CVE-2014-0075.patch: fix overflow in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2014-0075
  * SECURITY UPDATE: file disclosure via XXE issue
    - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a
      relative path in conf/web.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/LocalStrings.properties,
      webapps/docs/default-servlet.xml.
    - CVE-2014-0096
  * SECURITY UPDATE: HTTP request smuggling attack via crafted Content-Length
    HTTP header
    - debian/patches/CVE-2014-0099.patch: correctly handle long values in
      java/org/apache/tomcat/util/buf/Ascii.java.
    - CVE-2014-0099

 -- Marc Deslauriers <email address hidden>  Thu, 24 Jul 2014 15:38:01 -0400
tomcat6 (6.0.24-2ubuntu1.16) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service via malformed chunk size
    - debian/patches/CVE-2014-0075.patch: fix overflow in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2014-0075
  * SECURITY UPDATE: file disclosure via XXE issue
    - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a
      relative path in conf/web.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/LocalStrings.properties,
      webapps/docs/default-servlet.xml.
    - CVE-2014-0096
  * SECURITY UPDATE: HTTP request smuggling attack via crafted Content-Length
    HTTP header
    - debian/patches/CVE-2014-0099.patch: correctly handle long values in
      java/org/apache/tomcat/util/buf/Ascii.java.
    - CVE-2014-0099

 -- Marc Deslauriers <email address hidden>  Thu, 24 Jul 2014 15:49:36 -0400
Superseded in wily-release
Obsolete in vivid-release
Obsolete in utopic-release
Deleted in utopic-proposed (Reason: moved to release)
tomcat6 (6.0.41-1) unstable; urgency=medium

  * New upstream release.
    - Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Thu, 22 May 2014 10:03:04 +0200
Available diffs
- diff from 6.0.39-1 to 6.0.41-1 (99.4 KiB)
tomcat6 (6.0.24-2ubuntu1.15) lucid-security; urgency=medium

  * SECURITY UPDATE: request smuggling attack via content-length headers
    - debian/patches/CVE-2013-4286.patch: handle multiple content lengths in
      java/org/apache/coyote/ajp/AbstractAjpProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java, handle content length and
      chunked encoding being both specified in
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/coyote/http11/Http11Processor.java.
    - CVE-2013-4286
  * SECURITY UPDATE: denial of service via chunked transfer coding
    - debian/patches/CVE-2013-4322.patch: limit length of extension data in
      java/org/apache/coyote/Constants.java,
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      webapps/docs/config/systemprops.xml.
    - CVE-2013-4322

 -- Marc Deslauriers <email address hidden>  Wed, 05 Mar 2014 14:53:54 -0500
tomcat6 (6.0.35-1ubuntu3.4) precise-security; urgency=medium

  * SECURITY UPDATE: request smuggling attack via content-length headers
    - debian/patches/CVE-2013-4286.patch: handle multiple content lengths in
      java/org/apache/coyote/ajp/AbstractAjpProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java, handle content length and
      chunked encoding being both specified in
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/coyote/http11/Http11Processor.java.
    - CVE-2013-4286
  * SECURITY UPDATE: denial of service via chunked transfer coding
    - debian/patches/CVE-2013-4322.patch: limit length of extension data in
      java/org/apache/coyote/Constants.java,
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      webapps/docs/config/systemprops.xml.
    - CVE-2013-4322
  * SECURITY UPDATE: session fixation attack via crafted URL
    - debian/patches/CVE-2014-0033.patch: properly handle disableURLRewriting
      in java/org/apache/catalina/connector/CoyoteAdapter.java.
    - CVE-2014-0033

 -- Marc Deslauriers <email address hidden>  Tue, 04 Mar 2014 11:14:51 -0500
Superseded in utopic-release
Published in trusty-release
Deleted in trusty-proposed (Reason: moved to release)
tomcat6 (6.0.39-1) unstable; urgency=medium

  * Team upload.
  * New upstream release.
    - Refreshed the patches
  * Standards-Version updated to 3.9.5 (no changes)
  * Switch to debhelper level 9
  * Use XZ compression for the upstream tarball
  * Use canonical URL for the Vcs-Git field

 -- Emmanuel Bourg <email address hidden>  Mon, 17 Feb 2014 00:02:00 +0100
Available diffs
- diff from 6.0.37-1 to 6.0.39-1 (162.4 KiB)
Superseded in trusty-release
Obsolete in saucy-release
Deleted in saucy-proposed (Reason: moved to release)
tomcat6 (6.0.37-1) unstable; urgency=low

  * New upstream release.
    - Drop patches for CVE-2012-4534, CVE-2012-4431, CVE-2012-3546,
      CVE-2012-2733, CVE-2012-3439
    - Drop 0011-CVE-02012-0022-regression-fix.patch
    - Drop 0017-eclipse-compiler-update.patch
  * Freshened remaining patches.

 -- tony mancill <email address hidden>  Sat, 03 Aug 2013 21:50:20 -0700
Available diffs
- diff from 6.0.35-6 to 6.0.37-1 (163.3 KiB)
tomcat6 (6.0.35-5ubuntu0.1) quantal-security; urgency=low

  [ Christian Kuersteiner ]
  * SECURITY UPDATE: denial of service via large header data
    - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2012-2733
    - LP: #1166649
  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534

  [ Jamie Strandboge ]
  * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
    - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
      authenticated user in the session by default, track server rather than
      client nonces, better handling of stale nonce values in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java. Patch
      from Marc Deslauriers.
    - CVE-2012-3439
    - CVE-2012-5885
    - CVE-2012-5886
    - CVE-2012-5887
  * SECURITY UPDATE: denial of service via chunked transfer encoding
    - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java. Patch
      from Marc Deslauriers.
    - CVE-2012-3544
  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID in
      java/org/apache/catalina/authenticator/FormAuthenticator.java. Patch
      from Marc Deslauriers.
    - CVE-2013-2067

 -- Jamie Strandboge <email address hidden>  Tue, 28 May 2013 15:11:06 -0500
tomcat6 (6.0.35-1ubuntu3.3) precise-security; urgency=low

  * SECURITY UPDATE: denial of service via chunked transfer encoding
    - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2012-3544
  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID in
      java/org/apache/catalina/authenticator/FormAuthenticator.java.
    - CVE-2013-2067

 -- Marc Deslauriers <email address hidden>  Tue, 21 May 2013 09:39:22 -0400
tomcat6 (6.0.24-2ubuntu1.13) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service via chunked transfer encoding
    - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2012-3544
  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID in
      java/org/apache/catalina/authenticator/FormAuthenticator.java.
    - CVE-2013-2067

 -- Marc Deslauriers <email address hidden>  Tue, 21 May 2013 10:03:26 -0400
tomcat6 (6.0.35-1ubuntu3.2) precise-security; urgency=low

  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534

 -- Marc Deslauriers <email address hidden>  Thu, 10 Jan 2013 09:51:09 -0500
tomcat6 (6.0.32-5ubuntu1.4) oneiric-security; urgency=low

  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534

 -- Marc Deslauriers <email address hidden>  Thu, 10 Jan 2013 10:00:07 -0500
tomcat6 (6.0.24-2ubuntu1.12) lucid-security; urgency=low

  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534

 -- Marc Deslauriers <email address hidden>  Thu, 10 Jan 2013 10:03:38 -0500
Superseded in saucy-release
Obsolete in raring-release
Deleted in raring-proposed (Reason: moved to release)
tomcat6 (6.0.35-6) unstable; urgency=high

  * Acknowledge NMU: 6.0.35-5+nmu1 (Closes: #692440)
    - Thank you to Michael Gilbert.
  * Add patches for the following security issues: (Closes: #695250)
    - CVE-2012-4534, CVE-2012-4431, CVE-2012-3546

 -- tony mancill <email address hidden>  Thu, 06 Dec 2012 21:10:11 -0800
Available diffs
- diff from 6.0.35-5+nmu1 to 6.0.35-6 (2.8 KiB)
tomcat6 (6.0.35-1ubuntu3.1) precise-security; urgency=low

  * SECURITY UPDATE: denial of service via large header data
    - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2012-2733
  * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
    - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
      authenticated user in the session by default, track server rather than
      client nonces, better handling of stale nonce values in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java.
    - CVE-2012-3439
    - CVE-2012-5885
    - CVE-2012-5886
    - CVE-2012-5887

 -- Marc Deslauriers <email address hidden>  Wed, 21 Nov 2012 10:36:18 -0500
tomcat6 (6.0.24-2ubuntu1.11) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service via large header data
    - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2012-2733
  * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
    - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
      authenticated user in the session by default, track server rather than
      client nonces, better handling of stale nonce values in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java.
    - CVE-2012-3439
    - CVE-2012-5885
    - CVE-2012-5886
    - CVE-2012-5887

 -- Marc Deslauriers <email address hidden>  Wed, 21 Nov 2012 10:44:41 -0500
tomcat6 (6.0.32-5ubuntu1.3) oneiric-security; urgency=low

  * SECURITY UPDATE: denial of service via large header data
    - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2012-2733
  * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
    - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
      authenticated user in the session by default, track server rather than
      client nonces, better handling of stale nonce values in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java.
    - CVE-2012-3439
    - CVE-2012-5885
    - CVE-2012-5886
    - CVE-2012-5887

 -- Marc Deslauriers <email address hidden>  Wed, 21 Nov 2012 10:43:09 -0500
tomcat6 (6.0.35-5+nmu1) unstable; urgency=high

  * Non-maintainer upload.
  * Fix multiple security issues (closes: #692440)
    - cve-2012-2733: denial-of-service by triggering out of memory error.
    - cve-2012-3439: multiple replay attack issues in digest authentication.

 -- Michael Gilbert <email address hidden>  Sat, 17 Nov 2012 23:15:03 +0000
Available diffs
- diff from 6.0.35-5 to 6.0.35-5+nmu1 (4.4 KiB)
tomcat6 (6.0.35-5) unstable; urgency=low

  * Apply patch to README.Debian to explain setting the HTTPOnly flag in
    cookies by default; CVE-2010-4312. (Closes: #608286)
    - Thank you to Thijs Kinkhorst for the patch.
  * Use ucf and a template for /etc/logrotate.d/tomcat6 file to avoid
    updating the shipped conffile. (Closes: #687818)

 -- tony mancill <email address hidden>  Mon, 06 Aug 2012 21:29:11 -0700
Available diffs
- diff from 6.0.35-4 to 6.0.35-5 (1.9 KiB)
tomcat6 (6.0.35-4) unstable; urgency=low

  [ tony mancill ]
  * Team upload.
  * Apply patch from James Page (Closes: #671373)
    - d/tomcat6-instance-create: Quote access to files and directories so
      that spaces can be used when creating user instances.
    - d/tomcat6.init: Make NAME dynamic, to allow starting multiple
      instances. (Closes: #299635)

  [ Miguel Landaeta ]
  * Add Slovak debconf translation (Closes: #677912).
    - Thanks to Ivan Masár.

 -- Miguel Landaeta <email address hidden>  Sun, 17 Jun 2012 18:57:50 -0430
Superseded in quantal-release
tomcat6 (6.0.35-3ubuntu2) quantal; urgency=low

  * No-change rebuild with openjdk-7 as default-jdk.

 -- James Page <email address hidden>  Fri, 18 May 2012 11:47:44 +0100
Available diffs
- diff from 6.0.35-3ubuntu1 to 6.0.35-3ubuntu2 (352 bytes)
Superseded in quantal-release
tomcat6 (6.0.35-3ubuntu1) quantal; urgency=low

  * Merge from Debian Unstable, remaining changes:
    - d/tomcat6-instance-create: Quote access to files and directories so
      that spaces can be used when creating user instances.
    - d/tomcat6.init: Make NAME dynamic, to allow starting multiple
      instances.
tomcat6 (6.0.35-1ubuntu3) precise; urgency=low

  * Handle creation of user instances with pathnames containing spaces
    (LP: #977498):
    - d/tomcat6-instance-create: Quote access to files and directories so
      that spaces can be used when creating user instances.

 -- James Page <email address hidden>  Wed, 11 Apr 2012 10:29:11 +0100

tomcat6 (6.0.35-1ubuntu2) precise; urgency=low

  * init: Make NAME dynamic, to allow starting multiple instances.

 -- Timo Aaltonen <email address hidden>  Fri, 16 Mar 2012 16:31:20 +0200

tomcat6 (6.0.35-1ubuntu1) precise; urgency=low

  * debian/patches/0011-CVE-2012-0022-regression-fix.patch: fix regression
    from the CVE-2012-0022 security fix that went into 6.0.35.

 -- Marc Deslauriers <email address hidden>  Mon, 13 Feb 2012 09:03:18 -0500

tomcat6 (6.0.24-2ubuntu1.10) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml, webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022

 -- Marc Deslauriers <email address hidden>  Wed, 25 Jan 2012 14:35:46 -0500

tomcat6 (6.0.28-2ubuntu1.6) maverick-security; urgency=low

  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml, webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022

 -- Marc Deslauriers <email address hidden>  Wed, 25 Jan 2012 14:09:00 -0500

tomcat6 (6.0.28-10ubuntu2.3) natty-security; urgency=low

  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml, webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022

 -- Marc Deslauriers <email address hidden>  Wed, 25 Jan 2012 13:42:23 -0500

tomcat6 (6.0.32-5ubuntu1.2) oneiric-security; urgency=low

  * SECURITY UPDATE: cross-request information leakage
    - debian/patches/0016-CVE-2011-3375.patch: ensure that the request and
      response objects are recycled after being re-populated in
      java/org/apache/catalina/connector/CoyoteAdapter.java,
      java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/coyote/http11/Http11Processor.java.
    - CVE-2011-3375
  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0017-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FilterBase.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml, webapps/docs/config/filter.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022

 -- Marc Deslauriers <email address hidden>  Wed, 25 Jan 2012 09:00:23 -0500

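The CVE-2011-4858 / CVE-2012-0022 backport carried by the lucid, maverick, natty and oneiric entries above introduces a per-request parameter cap and a filter that refuses requests whose parameter set was truncated by that cap. The following configuration is an added illustration for this changelog page, not code from the Ubuntu package or from Tomcat itself: the `maxParameterCount` Connector attribute and the `org.apache.catalina.filters.FailedRequestFilter` class are the upstream names documented in the http.xml and filter.xml pages the patch touches; the port, the limit value and the filter name are assumptions chosen for the example.

```xml
<!-- conf/server.xml: cap the number of request parameters Tomcat parses.
     Without a cap, one POST carrying tens of thousands of parameter names
     chosen to collide in the hash table drives parsing to worst-case CPU
     cost (CVE-2011-4858). 1000 is an illustrative value; upstream's
     default after the fix is 10000. Assumed port for the example. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxParameterCount="1000"
           redirectPort="8443" />

<!-- conf/web.xml (or a webapp's WEB-INF/web.xml): once the cap is hit,
     Tomcat silently drops the excess parameters. FailedRequestFilter turns
     that into a 400 Bad Request so the application never acts on a
     truncated parameter set. Map it on /* and declare it before any
     application filter so it runs first. -->
<filter>
  <filter-name>failedRequestFilter</filter-name>
  <filter-class>org.apache.catalina.filters.FailedRequestFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>failedRequestFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

The two halves belong together: the cap alone bounds CPU but silently changes what the application sees, which is its own failure mode for anything that treats parameter presence as a security signal; the filter makes the truncation loud. Check the `webapps/docs/config/http.xml` shipped with the installed package to confirm the attribute is present in a given backport before relying on it.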
tomcat6 (6.0.35-1) unstable; urgency=low

  [ Miguel Landaeta ]
  * New upstream release.
  * Add myself to Uploaders.
  * Remove 0013-CVE-2011-3190.patch since it was included upstream.
  * Add mh_clean call in clean target.
  * Fix error in debian/rules that caused tomcat to report no version.
    Thanks to Jorge Barreiro for the patch. (Closes: #650656).

  [ tony mancill ]
  * Update Vcs-* fields in debian/control for switch to git.
  * Update to run with openjdk-7 and openjdk-6 when default-jdk is not
    present. (Closes: #651448)
  * Allow java?-runtime-headless to satisfy Depends.
  * Add myself to Uploaders.

 -- Ubuntu Archive Auto-Sync <email address hidden>  Mon, 26 Dec 2011 17:52:51 +0000

tomcat6 (6.0.33-1) unstable; urgency=low

  * Team upload.
  * New upstream release.
  * Remove the following patches (included upstream):
    - 0011-623242.patch
    - 0012-CVE-2011-2204.patch
    - 0015-CVE-2011-2526.patch
    - 0014-CVE-2011-1184.patch
  * Add patch for multi-instance startup. CATALINA_HOME no longer depends
    on the instance $NAME. JVM_TMP is now $NAME-specific.
    - Thank you to Julien Wajsberg. (Closes: #644365)
  * Add dependency on JRE to tomcat6-common (Closes: #644340)
  * Modify init script to look for JVM in /usr/lib/jvm/default-java

 -- tony mancill <email address hidden>  Mon, 28 Nov 2011 21:28:52 -0800

tomcat6 (6.0.32-6ubuntu1) precise; urgency=low

  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0014-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0015-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526

 -- Marc Deslauriers <email address hidden>  Tue, 08 Nov 2011 07:55:32 -0500

tomcat6 (6.0.32-5ubuntu1.1) oneiric-security; urgency=low

  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0014-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0015-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526

 -- Marc Deslauriers <email address hidden>  Thu, 13 Oct 2011 16:41:43 -0400

tomcat6 (6.0.28-10ubuntu2.2) natty-security; urgency=low

  * SECURITY UPDATE: information disclosure via log file
    - debian/patches/0015-CVE-2011-2204.patch: fix logging in
      java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
      java/org/apache/catalina/users/MemoryUserDatabase.java,
      java/org/apache/catalina/users/MemoryUser.java.
    - CVE-2011-2204
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
  * SECURITY UPDATE: AJP request spoofing and authentication bypass
    (LP: #843701)
    - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
      bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java.
    - CVE-2011-3190
  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184

 -- Marc Deslauriers <email address hidden>  Mon, 26 Sep 2011 11:27:14 -0400

tomcat6 (6.0.24-2ubuntu1.9) lucid-security; urgency=low

  * SECURITY UPDATE: information disclosure via log file
    - debian/patches/0015-CVE-2011-2204.patch: fix logging in
      java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
      java/org/apache/catalina/users/MemoryUserDatabase.java,
      java/org/apache/catalina/users/MemoryUser.java.
    - CVE-2011-2204
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
  * SECURITY UPDATE: AJP request spoofing and authentication bypass
    (LP: #843701)
    - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
      bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java.
    - CVE-2011-3190
  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184

 -- Marc Deslauriers <email address hidden>  Mon, 26 Sep 2011 11:53:28 -0400

tomcat6 (6.0.28-2ubuntu1.5) maverick-security; urgency=low

  * SECURITY UPDATE: information disclosure via log file
    - debian/patches/0015-CVE-2011-2204.patch: fix logging in
      java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
      java/org/apache/catalina/users/MemoryUserDatabase.java,
      java/org/apache/catalina/users/MemoryUser.java.
    - CVE-2011-2204
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
  * SECURITY UPDATE: AJP request spoofing and authentication bypass
    (LP: #843701)
    - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
      bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java.
    - CVE-2011-3190
  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184
  * This package does _not_ contain the changes that were in
    6.0.28-2ubuntu1.3 in -proposed.

 -- Marc Deslauriers <email address hidden>  Mon, 26 Sep 2011 11:48:20 -0400

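The CVE-2011-1184 patch carried by the precise, oneiric, natty, lucid and maverick entries above adds nonce-tracking options to DigestAuthenticator so that a captured Authorization header cannot simply be replayed. The configuration below is an added illustration for this page, not code from the Ubuntu package or from Tomcat: the attribute names (`nonceValidity`, `nonceCacheSize`, `validateUri`) are the ones upstream documents for the DigestAuthenticator valve in the valve.xml page the patch touches; the numeric values and the realm name are assumptions chosen for the example, and the `webapps/docs/config/valve.xml` shipped with the installed package is the place to confirm what a given backport exposes.

```xml
<!-- META-INF/context.xml (or conf/context.xml): declare the
     DigestAuthenticator explicitly instead of letting Tomcat instantiate
     it implicitly, so the post-CVE-2011-1184 nonce controls are set rather
     than left at their defaults. Values are illustrative. -->
<Context>
  <Valve className="org.apache.catalina.authenticator.DigestAuthenticator"
         nonceValidity="300000"
         nonceCacheSize="1000"
         validateUri="true" />
</Context>

<!-- WEB-INF/web.xml: the login method the valve above serves.
     Realm name is an assumed placeholder. -->
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>example-realm</realm-name>
</login-config>
```

`nonceValidity` is in milliseconds and bounds how long a server nonce is accepted; `nonceCacheSize` bounds how many issued nonces the server remembers so that it can reject one it never issued or has already seen; `validateUri` ties the digest to the request URI in the Authorization header. None of this makes Digest safe on a cleartext channel: the exchange still rests on MD5 and an on-path attacker can downgrade or tamper, so the valve belongs behind TLS, and for new deployments FORM or BASIC over TLS with a proper credential store is the simpler choice.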
tomcat6 (6.0.32-6) unstable; urgency=medium

  [ tony mancill ]
  * Team upload.
  * Update Korean debconf translation. (Closes: #630950, #631482)
    Thanks to si-cheol Ko.
  * Add Dutch debconf translation. (Closes: #637507)
    Thanks to Jeroen Schot.

  [ Niels Thykier ]
  * Removed myself from uploaders.

  [ James Page ]
  * Added patch for CVE-2011-3190 (LP: #843701).

 -- tony mancill <email address hidden>  Sat, 17 Sep 2011 09:48:42 -0700

tomcat6 (6.0.32-5ubuntu1) oneiric; urgency=low

  * Added patch for CVE-2011-3190 (LP: #843701).

 -- James Page <email address hidden>  Thu, 08 Sep 2011 14:45:34 +0100

tomcat6 (6.0.32-5) unstable; urgency=low

  * Team upload.
  * Add Catalan debconf translation ca.po (Closes: #630073).
  * Correct Suggests for libtcnative-1 (tomcat-native) (Closes: #631919)
  * Add patch for CVE-2011-2204 (Closes: #632882)

 -- James Page <email address hidden>  Mon, 11 Jul 2011 11:21:44 +0000

tomcat6 (6.0.32-4) unstable; urgency=low

  * Team upload.
  * Add Italian debconf translation. Thanks to Dario Santamaria
    (Closes: #624376)
  * Add logrotate for catalina.out (Closes: #607050)
  * Bump standards version to 3.9.2 (no changes needed).

 -- Ubuntu Archive Auto-Sync <email address hidden>  Thu, 09 Jun 2011 09:37:34 +0000

tomcat6 (6.0.32-3) unstable; urgency=low

  * Team upload.
  * Include upstream patch for ASF Bugzilla - Bug 50700 (Context parameters
    are being overridden with parameters from the web application
    deployment descriptor) (Closes: #623242)

tomcat6 (6.0.28-2ubuntu1.3) maverick-proposed; urgency=low

  * Fix update failures when JAVA_OPTS contains / (LP: #654549)
    - debian/tomcat6.postinst: amended sed calls to use % instead of / when
      generating /etc/default/tomcat6.

 -- James Page <email address hidden>  Fri, 15 Apr 2011 12:30:47 +0100

tomcat6 (6.0.28-2ubuntu1.2) maverick-security; urgency=low

  * SECURITY UPDATE: directory traversal via incorrect ServletContext
    attribute (LP: #717396)
    - debian/patches/0012-CVE-2010-3718.patch: mark as read only in
      java/org/apache/catalina/core/StandardContext.java.
    - CVE-2010-3718
  * SECURITY UPDATE: cross-site scripting in HTML Manager interface
    - debian/patches/0013-CVE-2011-0013.patch: properly filter values in
      java/org/apache/catalina/manager/{HTMLManagerServlet.java,
      StatusTransformer.java}.
    - CVE-2011-0013
  * SECURITY UPDATE: denial of service via NIO HTTP connector
    (LP: #714239, LP: #717396)
    - debian/patches/0014-CVE-2011-0534.patch: enforce proper size in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2011-0534

 -- Marc Deslauriers <email address hidden>  Thu, 24 Mar 2011 10:10:09 -0400

tomcat6 (6.0.24-2ubuntu1.7) lucid-security; urgency=low

  * SECURITY UPDATE: directory traversal via incorrect ServletContext
    attribute (LP: #717396)
    - debian/patches/0012-CVE-2010-3718.patch: mark as read only in
      java/org/apache/catalina/core/StandardContext.java.
    - CVE-2010-3718
  * SECURITY UPDATE: cross-site scripting in HTML Manager interface
    - debian/patches/0013-CVE-2011-0013.patch: properly filter values in
      java/org/apache/catalina/manager/{HTMLManagerServlet.java,
      StatusTransformer.java}.
    - CVE-2011-0013
  * SECURITY UPDATE: denial of service via NIO HTTP connector
    (LP: #714239, LP: #717396)
    - debian/patches/0014-CVE-2011-0534.patch: enforce proper size in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2011-0534

 -- Marc Deslauriers <email address hidden>  Thu, 24 Mar 2011 11:08:39 -0400

tomcat6 (6.0.20-2ubuntu2.4) karmic-security; urgency=low

  * SECURITY UPDATE: directory traversal via incorrect ServletContext
    attribute (LP: #717396)
    - debian/patches/0012-CVE-2010-3718.patch: mark as read only in
      java/org/apache/catalina/core/StandardContext.java.
    - CVE-2010-3718
  * SECURITY UPDATE: cross-site scripting in HTML Manager interface
    - debian/patches/0013-CVE-2011-0013.patch: properly filter values in
      java/org/apache/catalina/manager/{HTMLManagerServlet.java,
      StatusTransformer.java}.
    - CVE-2011-0013
  * SECURITY UPDATE: denial of service via NIO HTTP connector
    (LP: #714239, LP: #717396)
    - debian/patches/0014-CVE-2011-0534.patch: enforce proper size in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2011-0534

 -- Marc Deslauriers <email address hidden>  Thu, 24 Mar 2011 13:58:06 -0400

tomcat6 (6.0.28-10ubuntu2) natty; urgency=low

  * debian/tomcat6-instance-create: Eclipse can now be configured to use a
    user instance of tomcat6 using tomcat6-instance-create without any
    additional work. tomcat6-instance-create will set up all the necessary
    symlinks to make eclipse work. (Closes: #551091) (LP: #297675)

 -- Abhinav Upadhyay <email address hidden>  Fri, 11 Mar 2011 13:55:28 +0530

tomcat6 (6.0.28-10ubuntu1) natty; urgency=low

  [ Abhinav Upadhyay ]
  * tomcat6-instance-create should accept -1 as the value of -c option as
    per http://tomcat.apache.org/tomcat-6.0-doc/config/server.html
    (LP: #707405)

  [ Dave Walker (Daviey) ]
  * debian/control: Updated Maintainer as per policy.

 -- Abhinav Upadhyay <email address hidden>  Mon, 07 Mar 2011 13:38:05 +0530

tomcat6 (6.0.28-10) unstable; urgency=medium

  * Team upload.
  * Add Portuguese/Brazilian debconf translation. Thanks to José de
    Figueiredo (Closes: #608527)
  * Add patches for CVE-2011-0534, CVE-2010-3718, CVE-2011-0013
    (Closes: #612257)

 -- Jamie Strandboge <email address hidden>  Fri, 11 Feb 2011 20:51:04 +0000

tomcat6 (6.0.20-2ubuntu2.3) karmic-security; urgency=low

  * SECURITY UPDATE: cross-site scripting in Manager application
    - debian/patches/0011-CVE-2010-4172.patch: add proper escaping to
      java/org/apache/catalina/manager/JspHelper.java,
      webapps/manager/{sessionDetail,sessionsList}.jsp.
    - patch backported from Debian 6.0.28-9 package
    - CVE-2010-4172

 -- Marc Deslauriers <email address hidden>  Thu, 13 Jan 2011 15:52:00 -0600

tomcat6 (6.0.24-2ubuntu1.6) lucid-security; urgency=low

  * SECURITY UPDATE: cross-site scripting in Manager application
    - debian/patches/0011-CVE-2010-4172.patch: add proper escaping to
      java/org/apache/catalina/manager/JspHelper.java,
      webapps/manager/{sessionDetail,sessionsList}.jsp.
    - patch backported from Debian 6.0.28-9 package
    - CVE-2010-4172

 -- Marc Deslauriers <email address hidden>  Thu, 13 Jan 2011 15:32:24 -0600

tomcat6 (6.0.28-2ubuntu1.1) maverick-security; urgency=low

  * SECURITY UPDATE: cross-site scripting in Manager application
    - debian/patches/0011-CVE-2010-4172.patch: add proper escaping to
      java/org/apache/catalina/manager/JspHelper.java,
      webapps/manager/WEB-INF/jsp/{sessionDetail,sessionsList}.jsp.
    - patch from Debian 6.0.28-9 package
    - CVE-2010-4172

 -- Marc Deslauriers <email address hidden>  Thu, 13 Jan 2011 15:16:35 -0600

tomcat6 (6.0.28-9) unstable; urgency=medium

  * Team upload.
  * Update URL for manager application in README.Debian
    Thanks to Ernesto Ongaro (Closes: #606170)
  * Add patch for CVE-2010-4172. (Closes: #606388)

 -- Ubuntu Archive Auto-Sync <email address hidden>  Fri, 10 Dec 2010 16:44:11 +0000

tomcat6 (6.0.28-8) unstable; urgency=low

  * Team upload.

  [ Thierry Carrez (ttx) ]
  * Do not fail to purge if /etc/tomcat6 was manually removed (LP: #648619)
  * Add missing -p option in start-stop-daemon when starting tomcat6 to
    avoid failing to start due to /bin/bash running (LP: #632554)
  * Fix build failure (missing TraXLiaison class) by adding ant-nodeps to
    the classpath.

  [ tony mancill ]
  * Use debconf to determine tomcat6 user and group to delete upon purge.
    Thanks to Misha Koshelev. (Closes: #599458)
  * Add tomcat-native to Suggests: for tomcat6 binary package.
    Thanks to Eddy Petrisor (Closes: #600590)
  * Add Danish debconf template translation.
    Thanks to Joe Dalton (Closes: #605070)
  * Actually add the Czech debconf template translation.
    Thanks this time to Christian PERRIER (Closes: #597863)

 -- Thierry Carrez <email address hidden>  Wed, 08 Dec 2010 21:32:52 +0000

tomcat6 (6.0.24-2ubuntu1.5) lucid-proposed; urgency=low

  * debian/tomcat6.init: Add missing -p option in start-stop-daemon when
    starting tomcat6 to avoid failing to start due to /bin/bash running
    (LP: #632554)

 -- Michael Jeanson <email address hidden>  Wed, 08 Dec 2010 11:51:33 -0500

tomcat6 (6.0.28-7ubuntu4) natty; urgency=low

  * debian/control: Reapply ant1.7-optional to ant-optional change, was
    accidentally reverted in last upload.

 -- Thierry Carrez (ttx) <email address hidden>  Tue, 23 Nov 2010 17:02:19 +0100

tomcat6 (6.0.28-7ubuntu3) natty; urgency=low

  * debian/tomcat6.init: Add missing -p option in start-stop-daemon when
    starting tomcat6 to avoid failing to start due to /bin/bash running
    (LP: #632554)

 -- Thierry Carrez (ttx) <email address hidden>  Tue, 23 Nov 2010 16:35:40 +0100

tomcat6 (6.0.28-7ubuntu2) natty; urgency=low

  * Build-depend on ant/ant-optional (1.8.1)
  * Amended debian/rules, fix xslt processing in ant 1.8.1 to fix FTBFS
    (LP: #662588)

 -- James Page <email address hidden>  Mon, 08 Nov 2010 13:19:04 +0000

tomcat6 (6.0.28-7ubuntu1) natty; urgency=low

  * Build-depend on ant1.7 / ant1.7-optional to fix FTBFS (LP: #662588)

 -- Thierry Carrez (ttx) <email address hidden>  Wed, 20 Oct 2010 15:15:33 +0200

tomcat6 (6.0.28-7) unstable; urgency=low

  * Team upload.
  * Add Czech debconf template translation. Thanks to Michal Simunek.
    (Closes: #597863)
  * Add Spanish debconf template translation. Thanks to Javier
    Fernández-Sanguino (Closes: #599230)
  * Modify postinst to handle JAVA_OPTS strings containing the '/'
    character. This was causing upgrade failures for users.
    (Closes: #597814)

tomcat6 (6.0.24-2ubuntu1.4) lucid-proposed; urgency=low

  * Check for group existence to avoid postinst failure (LP: #611721)

 -- Thierry Carrez (ttx) <email address hidden>  Thu, 07 Oct 2010 14:06:00 +0100

tomcat6 (6.0.28-2ubuntu1) maverick; urgency=low

  * Check for group existence to avoid postinst failure (LP: #611721)

 -- Thierry Carrez (ttx) <email address hidden>  Wed, 25 Aug 2010 09:07:03 +0200

tomcat6 (6.0.18-0ubuntu6.3) jaunty-security; urgency=low

  * SECURITY UPDATE: denial of service and possible information disclosure
    via crafted header
    - debian/patches/CVE-2010-2227.patch: fix filter logic in
      java/org/apache/coyote/http11/{Http11AprProcessor,Http11NioProcessor,
      Http11Processor,filters/BufferedInputFilter}.java.
    - CVE-2010-2227

 -- Marc Deslauriers <email address hidden>  Thu, 19 Aug 2010 11:04:50 -0400

tomcat6 (6.0.20-2ubuntu2.2) karmic-security; urgency=low

  * SECURITY UPDATE: denial of service and possible information disclosure
    via crafted header
    - debian/patches/CVE-2010-2227.patch: fix filter logic in
      java/org/apache/coyote/http11/{Http11AprProcessor,Http11NioProcessor,
      Http11Processor,filters/BufferedInputFilter}.java.
    - CVE-2010-2227

 -- Marc Deslauriers <email address hidden>  Thu, 19 Aug 2010 11:02:58 -0400
