Change log for tomcat7 package in Ubuntu

175 of 80 results
Published in xenial-updates on 2018-10-30
Published in xenial-security on 2018-10-30
tomcat7 (7.0.68-1ubuntu0.4) xenial-security; urgency=medium

  * SECURITY REGRESSION: security manager startup issue (LP: #1799990)
    - debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch:
      update to new /var/lib/tomcat7/policy location.
    - debian/tomcat7.postrm.in: remove policy directory.

 -- Eduardo Barretto <email address hidden>  Tue, 30 Oct 2018 09:54:52 -0300
Superseded in xenial-updates on 2018-10-30
Superseded in xenial-security on 2018-10-30
tomcat7 (7.0.68-1ubuntu0.3) xenial-security; urgency=medium

  * SECURITY UPDATE: Timing attack can determine valid user names.
    - debian/patches/CVE-2016-0762.patch: fix in the Realm
      implementation.
    - CVE-2016-0762
  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat7.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240
  * SECURITY UPDATE: SecurityManager bypass via a utility method.
    - debian/patches/CVE-2016-5018.patch: remove unnecessary code in
      java/org/apache/jasper/compiler/JspRuntimeContext.java,
      java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - debian/patches/CVE-2016-5018-part2.patch: fix a regression when
      using Jasper with SecurityManager enabled.
    - CVE-2016-5018
  * SECURITY UPDATE: system properties read SecurityManager bypass
    - debian/patches/CVE-2016-6794.patch: extend SecurityManager
      protection to the system property replacement feature of the
      digester in java/org/apache/catalina/loader/WebappClassLoader.java,
      java/org/apache/tomcat/util/digester/Digester.java,
      java/org/apache/tomcat/util/security/PermissionCheck.java.
    - CVE-2016-6794
  * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
    parameters.
    - debian/patches/CVE-2016-6796.patch: ignore some JSP options when
      running under a SecurityManager in conf/web.xml,
      java/org/apache/jasper/EmbeddedServletOptions.java,
      java/org/apache/jasper/resources/LocalStrings.properties,
      java/org/apache/jasper/servlet/JspServlet.java,
      webapps/docs/jasper-howto.xml.
    - CVE-2016-6796
  * SECURITY UPDATE: web application global JNDI resource access
    - debian/patches/CVE-2016-6797.patch: ensure that the global resource
      is only visible via the ResourceLinkFactory when it is meant to be
      in java/org/apache/catalina/core/NamingContextListener.java,
      java/org/apache/naming/factory/ResourceLinkFactory.java,
      test/org/apache/naming/TestNamingContext.java.
    - CVE-2016-6797
  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid
      characters in
      java/org/apache/coyote/http11/AbstractInputBuffer.java,
      java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
      credential types in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when
      unable to complete sendfile request in
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat7.postinst: properly set permissions on
      /etc/tomcat7/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat7.postrm.in: don't reset permissions before removing
      user.
    - CVE-2016-9775
  * debian/tomcat7.init: further hardening.

 -- Eduardo Barretto <email address hidden>  Fri, 19 Oct 2018 10:46:37 -0300
Published in trusty-updates on 2018-10-10
Published in trusty-security on 2018-10-10
tomcat7 (7.0.52-1ubuntu0.16) trusty-security; urgency=medium

  * SECURITY UPDATE: arbitrary redirect issue
    - debian/patches/CVE-2018-11784.patch: avoid protocol relative
      redirects in java/org/apache/catalina/servlets/DefaultServlet.java.
    - CVE-2018-11784

 -- Marc Deslauriers <email address hidden>  Tue, 09 Oct 2018 11:25:36 -0400
Superseded in trusty-updates on 2018-10-10
Superseded in trusty-security on 2018-10-10
tomcat7 (7.0.52-1ubuntu0.15) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS via issue in UTF-8 decoder
    - debian/patches/CVE-2018-1336.patch: fix logic in
      java/org/apache/tomcat/util/buf/Utf8Decoder.java.
    - CVE-2018-1336
  * SECURITY UPDATE: missing hostname verification in WebSocket client
    - debian/patches/CVE-2018-8034.patch: enable hostname verification by
      default in webapps/docs/web-socket-howto.xml,
      java/org/apache/tomcat/websocket/WsWebSocketContainer.java.
    - CVE-2018-8034

 -- Marc Deslauriers <email address hidden>  Wed, 25 Jul 2018 08:27:25 -0400
Superseded in trusty-updates on 2018-07-25
Superseded in trusty-security on 2018-07-25
tomcat7 (7.0.52-1ubuntu0.14) trusty-security; urgency=medium

  * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
    - debian/patches/CVE-2017-1261x.patch: add checks to
      java/org/apache/catalina/servlets/DefaultServlet.java
      java/org/apache/naming/resources/FileDirContext.java,
      java/org/apache/naming/resources/JrePlatform.java,
      java/org/apache/naming/resources/LocalStrings.properties,
      java/org/apache/naming/resources/VirtualDirContext.java,
      test/org/apache/naming/resources/TestFileDirContext.java.
    - CVE-2017-12616
    - CVE-2017-12617
  * SECURITY UPDATE: security constraints mapped to context root are ignored
    - debian/patches/CVE-2018-1304.patch: add check to
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2018-1304
  * SECURITY UPDATE: security constraint annotations applied too late
    - debian/patches/CVE-2018-1305.patch: change ordering in
      java/org/apache/catalina/Wrapper.java,
      java/org/apache/catalina/authenticator/AuthenticatorBase.java,
      java/org/apache/catalina/core/ApplicationContext.java,
      java/org/apache/catalina/core/ApplicationServletRegistration.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/StandardWrapper.java,
      java/org/apache/catalina/startup/ContextConfig.java,
      java/org/apache/catalina/startup/Tomcat.java,
      java/org/apache/catalina/startup/WebAnnotationSet.java.
    - CVE-2018-1305
  * SECURITY UPDATE: CORS filter has insecure defaults
    - debian/patches/CVE-2018-8014.patch: change defaults in
      java/org/apache/catalina/filters/CorsFilter.java,
      java/org/apache/catalina/filters/LocalStrings.properties,
      test/org/apache/catalina/filters/TestCorsFilter.java,
      test/org/apache/catalina/filters/TesterFilterConfigs.java.
    - CVE-2018-8014

 -- Marc Deslauriers <email address hidden>  Tue, 29 May 2018 10:22:42 -0400
Superseded in trusty-updates on 2018-05-30
Superseded in trusty-security on 2018-05-30
tomcat7 (7.0.52-1ubuntu0.13) trusty-security; urgency=medium

  * SECURITY UPDATE: loss of pipeline requests
    - debian/patches/CVE-2017-5647.patch: improve sendfile handling when
      requests are pipelined in
      java/org/apache/coyote/AbstractProtocol.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java,
      java/org/apache/tomcat/util/net/SendfileKeepAliveState.java,
      java/org/apache/tomcat/util/net/SendfileState.java.
    - CVE-2017-5647
  * SECURITY UPDATE: incorrect facade object use
    - debian/patches/CVE-2017-5648-pre.patch: fix keep-alive with
      asynchronous servlet in
      java/org/apache/catalina/core/AsyncContextImpl.java,
      java/org/apache/coyote/AsyncContextCallback.java,
      java/org/apache/coyote/AsyncStateMachine.java,
      test/org/apache/catalina/core/TestAsyncContextImpl.java.
    - debian/patches/CVE-2017-5648.patch: ensure request and response
      facades are used when firing application listeners in
      java/org/apache/catalina/authenticator/FormAuthenticator.java,
      java/org/apache/catalina/core/StandardHostValve.java.
    - CVE-2017-5648
  * SECURITY UPDATE: unexpected and undesirable results for static error
    pages
    - debian/patches/CVE-2017-5664.patch: use a more reliable mechanism in
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/WebdavServlet.java.
    - CVE-2017-5664
  * SECURITY UPDATE: client and server side cache poisoning in CORS filter
    - debian/patches/CVE-2017-7674.patch: set Vary header in response in
      java/org/apache/catalina/filters/CorsFilter.java.
    - CVE-2017-7674

 -- Marc Deslauriers <email address hidden>  Wed, 27 Sep 2017 16:28:58 -0400
Deleted in disco-release (Reason: (From Debian) ROM; No longer used; Debian bug #914497)
Obsolete in cosmic-release on 2020-07-13
Published in bionic-release on 2017-10-24
Obsolete in artful-release on 2020-07-10
Deleted in artful-proposed (Reason: moved to release)
tomcat7 (7.0.78-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Wed, 24 May 2017 18:03:19 +0200

Available diffs

Obsolete in yakkety-proposed on 2018-01-23
tomcat7 (7.0.72-1ubuntu0.1) yakkety; urgency=medium

  * Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat7 contains
    the '%' character (LP: #1666570).
  * Fix javax.servlet.jsp POM to use servlet-api version 3.0 instead of
    2.2 (LP: #1664179).

 -- Joshua Powers <email address hidden>  Tue, 28 Mar 2017 16:04:14 -0700
Deleted in xenial-proposed on 2018-06-29 (Reason: The package was removed due to its SRU bug(s) not being v...)
tomcat7 (7.0.68-1ubuntu0.2) xenial; urgency=medium

  * Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat7 contains
    the '%' character (LP: #1666570).
  * Fix javax.servlet.jsp POM to use servlet-api version 3.0 instead of
    2.2 (LP: #1664179).

 -- Joshua Powers <email address hidden>  Tue, 28 Mar 2017 16:15:05 -0700
Superseded in trusty-updates on 2018-01-08
Deleted in trusty-proposed on 2018-01-09 (Reason: moved to -updates)
tomcat7 (7.0.52-1ubuntu0.11) trusty; urgency=medium

  * Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat7 contains
    the '%' character (LP: #1666570).
  * Fix javax.servlet.jsp POM to use servlet-api version 3.0 instead of
    2.2 (LP: #1664179).

 -- Joshua Powers <email address hidden>  Wed, 22 Mar 2017 13:42:56 -0600
Superseded in trusty-updates on 2017-04-24
Superseded in trusty-security on 2018-01-08
tomcat7 (7.0.52-1ubuntu0.10) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS via CPU consumption (LP: #1663318)
    - debian/patches/CVE-2017-6056.patch: fix infinite loop in
      java/org/apache/coyote/http11/AbstractInputBuffer.java.
    - CVE-2017-6056

 -- Marc Deslauriers <email address hidden>  Fri, 17 Feb 2017 08:51:12 -0500
Superseded in trusty-updates on 2017-02-20
Superseded in trusty-security on 2017-02-20
tomcat7 (7.0.52-1ubuntu0.9) trusty-security; urgency=medium

  * SECURITY REGRESSION: security manager startup issue (LP: #1659589)
    - debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch:
      update to new /var/lib/tomcat7/policy location.
    - debian/tomcat7.postrm.in: remove policy directory.

 -- Marc Deslauriers <email address hidden>  Wed, 01 Feb 2017 10:40:22 -0500
Superseded in artful-release on 2017-05-24
Obsolete in zesty-release on 2018-06-22
Deleted in zesty-proposed on 2018-06-22 (Reason: moved to release)
tomcat7 (7.0.75-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Tue, 24 Jan 2017 13:13:38 +0100

Available diffs

Superseded in trusty-updates on 2017-02-02
Superseded in trusty-security on 2017-02-02
tomcat7 (7.0.52-1ubuntu0.8) trusty-security; urgency=medium

  * SECURITY UPDATE: SecurityManager bypass via a utility method
    - debian/patches/CVE-2016-5018.patch: remove unnecessary code in
      java/org/apache/jasper/compiler/JspRuntimeContext.java,
      java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2016-5018
  * SECURITY UPDATE: mitigaton for httpoxy issue
    - debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization
      parameter to conf/web.xml, webapps/docs/cgi-howto.xml,
      java/org/apache/catalina/servlets/CGIServlet.java.
    - CVE-2016-5388
  * SECURITY UPDATE: system properties read SecurityManager bypass
    - debian/patches/CVE-2016-6794.patch: extend SecurityManager protection
      to the system property replacement feature of the digester in
      java/org/apache/catalina/loader/WebappClassLoader.java,
      java/org/apache/tomcat/util/digester/Digester.java,
      java/org/apache/tomcat/util/security/PermissionCheck.java.
    - CVE-2016-6794
  * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
    parameters
    - debian/patches/CVE-2016-6796.patch: ignore some JSP options when
      running under a SecurityManager in conf/web.xml,
      java/org/apache/jasper/EmbeddedServletOptions.java,
      java/org/apache/jasper/resources/LocalStrings.properties,
      java/org/apache/jasper/servlet/JspServlet.java,
      webapps/docs/jasper-howto.xml.
    - CVE-2016-6796
  * SECURITY UPDATE: web application global JNDI resource access
    - debian/patches/CVE-2016-6797.patch: ensure that the global resource
      is only visible via the ResourceLinkFactory when it is meant to be in
      java/org/apache/catalina/core/NamingContextListener.java,
      java/org/apache/naming/factory/ResourceLinkFactory.java,
      test/org/apache/naming/TestNamingContext.java.
    - CVE-2016-6797
  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid
      characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
      java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735-pre.patch: remove the restriction that
      prevented the use of SSL when specifying a bind address in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java,
      java/org/apache/catalina/mbeans/LocalStrings.properties,
      webapps/docs/config/listeners.xml.
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
      credential types in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when unable
      to complete sendfile request in
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat7.postinst: properly set permissions on
      /etc/tomcat7/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat7.postrm.in: don't reset permissions before removing
      user.
    - CVE-2016-9775
  * debian/tomcat7.init: further hardening.

 -- Marc Deslauriers <email address hidden>  Thu, 19 Jan 2017 12:38:29 -0500
Superseded in zesty-release on 2017-01-25
Deleted in zesty-proposed on 2017-01-27 (Reason: moved to release)
tomcat7 (7.0.73-1) unstable; urgency=medium

  * New upstream release

 -- Emmanuel Bourg <email address hidden>  Wed, 16 Nov 2016 10:53:00 +0100

Available diffs

Superseded in zesty-release on 2016-11-16
Deleted in zesty-proposed on 2016-11-17 (Reason: moved to release)
tomcat7 (7.0.72-4) unstable; urgency=medium

  * Depend on libcglib-nodep-java instead of libcglib3-java

 -- Emmanuel Bourg <email address hidden>  Mon, 07 Nov 2016 16:55:48 +0100

Available diffs

Superseded in zesty-proposed on 2016-11-07
tomcat7 (7.0.72-3) unstable; urgency=medium

  * Build only the Servlet API (Closes: #819259, #834680)

 -- Emmanuel Bourg <email address hidden>  Sat, 05 Nov 2016 22:57:29 +0100

Available diffs

Superseded in zesty-release on 2016-11-11
Deleted in zesty-proposed on 2016-11-16 (Reason: moved to release)
tomcat7 (7.0.72-2) unstable; urgency=high

  * Team upload.
  * CVE-2016-1240 follow-up:
    - The previous init.d fix was vulnerable to a race condition that could
      be exploited to make any existing file writable by the tomcat user.
      Thanks to Paul Szabo for the report and the fix.
    - The catalina.policy file generated on startup was affected by a similar
      vulnerability that could be exploited to overwrite any file on the system.
      Thanks to Paul Szabo for the report.
  * Hardened the init.d script, thanks to Paul Szabo
  * Switch to debhelper level 10

 -- Emmanuel Bourg <email address hidden>  Fri, 28 Oct 2016 01:34:22 +0200

Available diffs

Superseded in zesty-release on 2016-11-02
Obsolete in yakkety-release on 2018-01-23
Deleted in yakkety-proposed on 2018-01-23 (Reason: moved to release)
tomcat7 (7.0.72-1) unstable; urgency=medium

  * New upstream release

 -- Emmanuel Bourg <email address hidden>  Tue, 20 Sep 2016 13:28:54 +0200

Available diffs

Superseded in trusty-updates on 2017-01-23
Superseded in trusty-security on 2017-01-23
tomcat7 (7.0.52-1ubuntu0.7) trusty-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat7.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240
  * SECURITY REGRESSION: change in behaviour after security update
    (LP: #1609819)
    - debian/patches/CVE-2015-5345-2.patch: fix using the new
      mapperContextRootRedirectEnabled option in
      java/org/apache/catalina/connector/MapperListener.java, change
      mapperContextRootRedirectEnabled default to true in
      java/org/apache/catalina/core/StandardContext.java,
      webapps/docs/config/context.xml. This reverts the change in behaviour
      following the CVE-2015-5345 security update and was also done
      upstream in later releases.

 -- Marc Deslauriers <email address hidden>  Fri, 16 Sep 2016 09:19:37 -0400
Superseded in yakkety-release on 2016-10-05
Deleted in yakkety-proposed on 2016-10-06 (Reason: moved to release)
tomcat7 (7.0.70-3) unstable; urgency=high

  * Team upload.
  * Fixed CVE-2016-1240: A flaw in the init.d startup script allows local
    attackers who have gained access to the server in the context of the
    tomcat user through a vulnerability in a web application to replace
    the catalina.out file with a symlink to an arbitrary file on the system,
    potentially leading to a root privilege escalation.
    Thanks to Dawid Golunski for the report.

 -- Emmanuel Bourg <email address hidden>  Wed, 14 Sep 2016 10:56:45 +0200

Available diffs

Superseded in yakkety-release on 2016-09-16
Deleted in yakkety-proposed on 2016-09-18 (Reason: moved to release)
tomcat7 (7.0.70-2) unstable; urgency=medium

  * Team upload.
  * Do not unconditionally override files in /etc/tomcat7. (Closes: #821391)

 -- Markus Koschany <email address hidden>  Tue, 02 Aug 2016 11:43:11 +0200

Available diffs

Superseded in trusty-updates on 2016-09-19
Superseded in trusty-security on 2016-09-19
tomcat7 (7.0.52-1ubuntu0.6) trusty-security; urgency=medium

  * SECURITY UPDATE: directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix normalization edge cases in
      java/org/apache/tomcat/util/http/RequestUtil.java,
      test/org/apache/tomcat/util/http/TestRequestUtil.java.
    - CVE-2015-5174
  * SECURITY UPDATE: information disclosure via redirects by mapper
    - debian/patches/CVE-2015-5345.patch: fix redirect logic in
      java/org/apache/catalina/Context.java,
      java/org/apache/catalina/authenticator/FormAuthenticator.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/mbeans-descriptors.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/WebdavServlet.java,
      java/org/apache/catalina/startup/FailedContext.java,
      java/org/apache/tomcat/util/http/mapper/Mapper.java,
      test/org/apache/catalina/startup/TomcatBaseTest.java,
      webapps/docs/config/context.xml,
      test/org/apache/catalina/core/TesterContext.java.
    - CVE-2015-5345
  * SECURITY UPDATE: session fixation vulnerability
    - debian/patches/CVE-2015-5346.patch: handle different session settings
      in java/org/apache/catalina/connector/CoyoteAdapter.java,
      java/org/apache/catalina/connector/Request.java.
    - CVE-2015-5346
  * SECURITY UPDATE: CSRF protection mechanism bypass
    - debian/patches/CVE-2015-5351.patch: don't create sessions
      unnecessarily in webapps/host-manager/WEB-INF/jsp/401.jsp,
      webapps/host-manager/WEB-INF/jsp/403.jsp,
      webapps/host-manager/WEB-INF/jsp/404.jsp,
      webapps/host-manager/index.jsp,
      webapps/manager/WEB-INF/web.xml,
      webapps/manager/index.jsp.
    - CVE-2015-5351
  * SECURITY UPDATE: securityManager restrictions bypass via
    StatusManagerServlet
    - debian/patches/CVE-2016-0706.patch: place servlet in restricted list
      in java/org/apache/catalina/core/RestrictedServlets.properties.
    - CVE-2016-0706
  * SECURITY UPDATE: securityManager restrictions bypass via
    session-persistence implementation
    - debian/patches/CVE-2016-0714.patch: extend the session attribute
      filtering options in
      java/org/apache/catalina/ha/session/ClusterManagerBase.java
      java/org/apache/catalina/ha/session/mbeans-descriptors.xml,
      java/org/apache/catalina/session/LocalStrings.properties,
      java/org/apache/catalina/session/ManagerBase.java,
      java/org/apache/catalina/session/StandardManager.java,
      java/org/apache/catalina/session/mbeans-descriptors.xml,
      java/org/apache/catalina/util/CustomObjectInputStream.java,
      java/org/apache/catalina/util/LocalStrings.properties,
      webapps/docs/config/cluster-manager.xml,
      webapps/docs/config/manager.xml.
    - CVE-2016-0714
  * SECURITY UPDATE: securityManager restrictions bypass via crafted global
    context
    - debian/patches/CVE-2016-0763.patch: protect initialization in
      java/org/apache/naming/factory/ResourceLinkFactory.java.
    - CVE-2016-0763
  * SECURITY UPDATE: denial of service in FileUpload
    - debian/patches/CVE-2016-3092.patch: properly handle size in
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2016-3092
  * debian/patches/fix_cookie_names_in_tests.patch: fix FTBFS by removing
    colons in cookie names which is illegal in newer java versions in
    test/org/apache/catalina/authenticator/*.java.

 -- Marc Deslauriers <email address hidden>  Wed, 29 Jun 2016 12:50:02 -0400
Obsolete in wily-updates on 2018-01-22
Obsolete in wily-security on 2018-01-22
tomcat7 (7.0.64-1ubuntu0.3) wily-security; urgency=medium

  * SECURITY UPDATE: directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix more normalization edge cases
      in java/org/apache/tomcat/util/http/RequestUtil.java,
      test/org/apache/tomcat/util/http/TestRequestUtil.java.
    - CVE-2015-5174
  * SECURITY UPDATE: information disclosure via redirects by mapper
    - debian/patches/CVE-2015-5345.patch: fix redirect logic in
      java/org/apache/catalina/Context.java,
      java/org/apache/catalina/authenticator/FormAuthenticator.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/mbeans-descriptors.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/WebdavServlet.java,
      java/org/apache/catalina/startup/FailedContext.java,
      java/org/apache/tomcat/util/http/mapper/Mapper.java,
      test/org/apache/catalina/startup/TomcatBaseTest.java,
      webapps/docs/config/context.xml,
      test/org/apache/catalina/core/TesterContext.java,
      test/org/apache/tomcat/util/http/mapper/TestMapperWebapps.java.
    - CVE-2015-5345
  * SECURITY UPDATE: session fixation vulnerability
    - debian/patches/CVE-2015-5346.patch: handle different session settings
      in java/org/apache/catalina/connector/CoyoteAdapter.java,
      java/org/apache/catalina/connector/Request.java.
    - CVE-2015-5346
  * SECURITY UPDATE: CSRF protection mechanism bypass
    - debian/patches/CVE-2015-5351.patch: don't create sessions
      unnecessarily in webapps/host-manager/WEB-INF/jsp/401.jsp,
      webapps/host-manager/WEB-INF/jsp/403.jsp,
      webapps/host-manager/WEB-INF/jsp/404.jsp,
      webapps/host-manager/index.jsp,
      webapps/manager/WEB-INF/web.xml,
      webapps/manager/index.jsp.
    - CVE-2015-5351
  * SECURITY UPDATE: securityManager restrictions bypass via
    StatusManagerServlet
    - debian/patches/CVE-2016-0706.patch: place servlet in restricted list
      in java/org/apache/catalina/core/RestrictedServlets.properties.
    - CVE-2016-0706
  * SECURITY UPDATE: securityManager restrictions bypass via
    session-persistence implementation
    - debian/patches/CVE-2016-0714.patch: extend the session attribute
      filtering options in
      java/org/apache/catalina/ha/session/ClusterManagerBase.java
      java/org/apache/catalina/ha/session/mbeans-descriptors.xml,
      java/org/apache/catalina/session/LocalStrings.properties,
      java/org/apache/catalina/session/ManagerBase.java,
      java/org/apache/catalina/session/StandardManager.java,
      java/org/apache/catalina/session/mbeans-descriptors.xml,
      java/org/apache/catalina/util/CustomObjectInputStream.java,
      java/org/apache/catalina/util/LocalStrings.properties,
      webapps/docs/config/cluster-manager.xml,
      webapps/docs/config/manager.xml.
    - CVE-2016-0714
  * SECURITY UPDATE: securityManager restrictions bypass via crafted global
    context
    - debian/patches/CVE-2016-0763.patch: protect initialization in
      java/org/apache/naming/factory/ResourceLinkFactory.java.
    - CVE-2016-0763
  * SECURITY UPDATE: denial of service in FileUpload
    - debian/patches/CVE-2016-3092.patch: properly handle size in
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2016-3092
  * debian/patches/fix_cookie_names_in_tests.patch: fix FTBFS by removing
    colons in cookie names which is illegal in newer java versions in
    test/org/apache/catalina/authenticator/*.java.

 -- Marc Deslauriers <email address hidden>  Wed, 29 Jun 2016 08:48:32 -0400
Superseded in xenial-updates on 2018-10-24
Superseded in xenial-security on 2018-10-24
tomcat7 (7.0.68-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileUpload
    - debian/patches/CVE-2016-3092.patch: properly handle size in
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2016-3092

 -- Marc Deslauriers <email address hidden>  Mon, 27 Jun 2016 14:13:17 -0400
Superseded in yakkety-release on 2016-08-03
Deleted in yakkety-proposed on 2016-08-04 (Reason: moved to release)
tomcat7 (7.0.70-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Mon, 20 Jun 2016 10:58:56 +0200

Available diffs

Superseded in yakkety-release on 2016-06-21
Deleted in yakkety-proposed on 2016-06-22 (Reason: moved to release)
tomcat7 (7.0.69-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 3.9.8 (no changes)

 -- Emmanuel Bourg <email address hidden>  Sat, 23 Apr 2016 11:30:01 +0200

Available diffs

Superseded in yakkety-release on 2016-04-27
Published in xenial-release on 2016-02-27
Deleted in xenial-proposed (Reason: moved to release)
tomcat7 (7.0.68-1) unstable; urgency=medium

  * Team upload.
  * New upstream release (Closes: #814640)
    - Refreshed the patches
    - New build dependencies on easymock, cglib and objenesis
    - Added ASM to the test classpath (required by Easymock)
  * Use LC_ALL instead of LANG to format the date and make the documentation
    reproducible on the builders
  * Standards-Version updated to 3.9.7 (no changes)
  * Use secure Vcs-* URLs

 -- Emmanuel Bourg <email address hidden>  Thu, 18 Feb 2016 22:26:43 +0100

Available diffs

Superseded in xenial-release on 2016-02-27
Superseded in xenial-release on 2016-02-22
Obsolete in wily-release on 2018-01-22
Deleted in wily-proposed on 2018-01-22 (Reason: moved to release)
tomcat7 (7.0.64-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Install the missing WebSocket jars in /usr/share/tomcat7/lib/
    (Closes: #787220, LP: #1326687)
  * Changed the authbind configuration to allow IPv6 connections (LP: #1443041)
  * Fixed an upgrade error when /etc/tomcat7/tomcat-users.xml is removed
    (LP: #1010791)
  * Fixed a minor HTML error in the default index.html file (LP: #1236132)

 -- Emmanuel Bourg <email address hidden>  Fri, 28 Aug 2015 09:47:33 +0200

Available diffs

Superseded in wily-release on 2015-08-30
Deleted in wily-proposed on 2015-09-01 (Reason: moved to release)
tomcat7 (7.0.63-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * debian/rules: Use an english locale when generating the documentation
    to improve the reproducibility

 -- Emmanuel Bourg <email address hidden>  Wed, 08 Jul 2015 12:18:47 +0200

Available diffs

Superseded in trusty-updates on 2016-07-05
Superseded in trusty-security on 2016-07-05
tomcat7 (7.0.52-1ubuntu0.3) trusty-security; urgency=medium

  * SECURITY UPDATE: arbitrary file disclosure via XML parser
    (LP: #1449975)
    - debian/patches/CVE-2014-0119.patch: add defensive coding and ensure
      TLD parser obtained from cache has correct value of blockExternal in
      java/org/apache/catalina/security/SecurityClassLoad.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/startup/TldConfig.java,
      java/org/apache/jasper/compiler/JspDocumentParser.java,
      java/org/apache/jasper/xmlparser/ParserUtils.java,
      java/org/apache/tomcat/util/security/PrivilegedGetTccl.java,
      java/org/apache/tomcat/util/security/PrivilegedSetTccl.java.
    - CVE-2014-0119
  * SECURITY UPDATE: HTTP request smuggling or denial of service via
    streaming with malformed chunked transfer encoding (LP: #1449975)
    - debian/patches/CVE-2014-0227.patch: add error flag and improve i18n
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      java/org/apache/coyote/http11/filters/LocalStrings.properties.
    - CVE-2014-0227
  * SECURITY UPDATE: denial of service via aborted upload attempts
    (LP: #1449975)
    - debian/patches/CVE-2014-0230.patch: limit amount of data in
      java/org/apache/coyote/http11/AbstractHttp11Processor.java,
      java/org/apache/coyote/http11/AbstractHttp11Protocol.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11AprProtocol.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/coyote/http11/Http11NioProtocol.java,
      java/org/apache/coyote/http11/Http11Processor.java,
      java/org/apache/coyote/http11/Http11Protocol.java,
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      java/org/apache/coyote/http11/filters/IdentityInputFilter.java,
      java/org/apache/coyote/http11/filters/LocalStrings.properties,
      test/org/apache/catalina/core/TestSwallowAbortedUploads.java,
      webapps/docs/config/http.xml.
    - CVE-2014-0230
  * SECURITY UPDATE: SecurityManager bypass via Expression Language
    - debian/patches/CVE-2014-7810.patch: handle classes that may not be
      accessible but have accessible interfaces in
      java/javax/el/BeanELResolver.java, remove unnecessary code in
      java/org/apache/jasper/runtime/PageContextImpl.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2014-7810
  * Replace expired ssl certs and use TLS to fix tests causing FTBFS:
    - debian/patches/0022-use-tls-in-ssl-unit-tests.patch
    - debian/patches/0023-replace-expired-ssl-certificates.patch
    - debian/source/include-binaries

 -- Marc Deslauriers <email address hidden>  Fri, 19 Jun 2015 12:30:21 -0400
Obsolete in utopic-updates on 2016-11-03
Obsolete in utopic-security on 2016-11-03
tomcat7 (7.0.55-1ubuntu0.2) utopic-security; urgency=medium

  * SECURITY UPDATE: SecurityManager bypass via Expression Language
    - debian/patches/CVE-2014-7810.patch: handle classes that may not be
      accessible but have accessible interfaces in
      java/javax/el/BeanELResolver.java, remove unnecessary code in
      java/org/apache/jasper/runtime/PageContextImpl.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2014-7810
  * Replace expired ssl certs and use TLS to fix tests causing FTBFS:
    - debian/patches/0022-use-tls-in-ssl-unit-tests.patch
    - debian/patches/0023-replace-expired-ssl-certificates.patch
    - debian/source/include-binaries

 -- Marc Deslauriers <email address hidden>  Fri, 19 Jun 2015 09:52:59 -0400
Obsolete in vivid-updates on 2018-01-18
Obsolete in vivid-security on 2018-01-18
tomcat7 (7.0.56-2ubuntu0.1) vivid-security; urgency=medium

  * SECURITY UPDATE: SecurityManager bypass via Expression Language
    - debian/patches/CVE-2014-7810.patch: handle classes that may not be
      accessible but have accessible interfaces in
      java/javax/el/BeanELResolver.java, remove unnecessary code in
      java/org/apache/jasper/runtime/PageContextImpl.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2014-7810

 -- Marc Deslauriers <email address hidden>  Fri, 19 Jun 2015 09:47:50 -0400
Superseded in wily-release on 2015-07-08
Deleted in wily-proposed on 2015-07-10 (Reason: moved to release)
tomcat7 (7.0.62-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Replaced the date in ServerInfo.properties and in the documentation
    with the latest date in debian/changelog to make the build reproducible
  * debian/rules:
    - Modified to use the dh sequencer
    - Simplified the ant invocation and moved some properties
      to debian/ant.properties
    - Do not set the version.* properties already defined
      in build.properties.default
    - Renamed T_VER to VERSION
    - Removed the RWFILES and RWLOC variables
    - Merged the ANT_ARGS and ANT_INVOKE variables
    - No longer remove the long gone .svn directories under
      /usr/share/tomcat8/webapps/default_root
    - Let dh_fixperms set the permissions instead of calling chmod +x
    - Use debian/tomcat7-user.manpages instead of calling dh_installman
    - Updated the copyright year in the Javadoc

 -- Emmanuel Bourg <email address hidden>  Wed, 27 May 2015 11:43:31 +0200

Available diffs

Superseded in wily-release on 2015-05-28
Deleted in wily-proposed on 2015-05-29 (Reason: moved to release)
tomcat7 (7.0.61-1) unstable; urgency=medium

  * Upload to unstable
  * New upstream release
    - Refreshed the patches
    - Updated the test certificates
    - Added a patch renaming the taglibs-standard-*.jar files used in the tests
  * debian/rules: export JAVA_HOME to fix a build failure
  * debian/orig-tar.sh: Exclude the taglibs-standard-*.jar files
    from the upstream tarball
  * Removed the timestamp from the Javadoc of the Servlet API
    to make the build reproducible

 -- Emmanuel Bourg <email address hidden>  Wed, 06 May 2015 17:12:36 +0200

Available diffs

Superseded in wily-release on 2015-05-07
Deleted in wily-proposed on 2015-05-08 (Reason: moved to release)
tomcat7 (7.0.56-3) unstable; urgency=medium


  * Provide a fix for #780519 more clear/maintainable and with an approach
    similar to used one by Emmanuel to fix an issue similar in stable in
    the past.

 -- Miguel Landaeta <email address hidden>  Sat, 28 Mar 2015 13:14:04 -0300

Available diffs

Superseded in wily-release on 2015-05-06
Obsolete in vivid-release on 2018-01-18
Deleted in vivid-proposed on 2018-01-19 (Reason: moved to release)
tomcat7 (7.0.56-2) unstable; urgency=medium


  * Fix FTBFS error by making sure SSL unit tests use TLS protocols.
    - SSLv3 and previous protocols are not secure and deprecated
      in JDK7.
    - Additionally, some X509 certificates provided by upstream expired
      and were causing failures in unit tests as well, so they were
      regenerated. (Closes: #780519).
  * Fix FTBFS error by disabling some unit tests that depends on
    having network access.

 -- Miguel Landaeta <email address hidden>  Thu, 26 Mar 2015 00:15:03 -0300

Available diffs

Superseded in vivid-release on 2015-03-27
Deleted in vivid-proposed on 2015-03-28 (Reason: moved to release)
tomcat7 (7.0.56-1) unstable; urgency=medium


  * New upstream release
  * Install the extra jar catalina-jmx-remote.jar (Closes: #719921)
  * Removed the note about the authbind IPv6 incompatibility
    in /etc/defaults/tomcat7
  * Added the SimpleInstanceManager class from Tomcat 8 to help integrating
    the JSP compiler into Jetty 8

 -- Emmanuel Bourg <email address hidden>  Mon, 06 Oct 2014 10:25:48 +0200

Available diffs

Superseded in vivid-release on 2014-10-25
Obsolete in utopic-release on 2016-11-03
Deleted in utopic-proposed on 2016-11-03 (Reason: moved to release)
tomcat7 (7.0.55-1) unstable; urgency=medium


  * New upstream release
  * Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Tue, 29 Jul 2014 17:25:50 +0200

Available diffs

Superseded in trusty-updates on 2015-06-25
Superseded in trusty-security on 2015-06-25
tomcat7 (7.0.52-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via malformed chunk size
    - debian/patches/CVE-2014-0075.patch: fix overflow and added tests to
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java.
    - CVE-2014-0075
  * SECURITY UPDATE: file disclosure via XXE issue
    - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a
      relative path in conf/web.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/LocalStrings.properties,
      webapps/docs/default-servlet.xml.
    - CVE-2014-0096
  * SECURITY UPDATE: HTTP request smuggling attack via crafted
    Content-Length HTTP header
    - debian/patches/CVE-2014-0099.patch: correctly handle long values in
      java/org/apache/tomcat/util/buf/Ascii.java, added test to
      test/org/apache/tomcat/util/buf/TestAscii.java.
    - CVE-2014-0099
 -- Marc Deslauriers <email address hidden>   Thu, 24 Jul 2014 13:24:54 -0400
Superseded in utopic-release on 2014-07-30
Deleted in utopic-proposed on 2014-07-31 (Reason: moved to release)
tomcat7 (7.0.54-2) unstable; urgency=medium


  [ Emmanuel Bourg ]
  * debian/defaults.template: Bumped the required version of Java mentioned
    in the comment on the JAVA_HOME variable
  * debian/tomcat7.init: Search for OpenJDK 8 and Oracle JDKs when starting
    the server (Closes: #714349)
  * Updated the version required for libtcnative-1 (>= 1.1.30)
    (Closes: #750454)

 -- tony mancill <email address hidden>  Sat, 14 Jun 2014 08:09:02 -0700

Available diffs

Superseded in utopic-release on 2014-06-15
Deleted in utopic-proposed on 2014-06-16 (Reason: moved to release)
tomcat7 (7.0.54-1) unstable; urgency=medium


  * New upstream release
  * Refreshed the patches
  * Use XZ compression for the upstream tarball

 -- Emmanuel Bourg <email address hidden>  Thu, 22 May 2014 10:27:10 +0200

Available diffs

Superseded in utopic-release on 2014-05-24
Deleted in utopic-proposed on 2014-05-25 (Reason: moved to release)
tomcat7 (7.0.53-1) unstable; urgency=low


  * New upstream release.
  * Refresh patches:
    - debian/patches/0011-fix-classpath-lintian-warnings.patch.
    - debian/patches/0015_disable_test_TestCometProcessor.patch.
  * Add new patch:
    - Disabled Java 8 support in JSPs (requires an Eclipse compiler update).
  * Update my email address in Uploaders list.

 -- Miguel Landaeta <email address hidden>  Thu, 01 May 2014 23:33:35 -0300

Available diffs

Obsolete in quantal-updates on 2015-04-24
Obsolete in quantal-security on 2015-04-24
tomcat7 (7.0.30-0ubuntu1.3) quantal-security; urgency=medium

  * SECURITY UPDATE: request smuggling attack via content-length headers
    - debian/patches/CVE-2013-4286.patch: use long as content length in
      java/org/apache/coyote/Request.java, handle multiple content lengths
      in java/org/apache/coyote/ajp/AbstractAjpProcessor.java, handle
      content length and chunked encoding being both specified in
      java/org/apache/coyote/http11/AbstractHttp11Processor.java.
    - CVE-2013-4286
  * SECURITY UPDATE: denial of service via chunked transfer coding
    - debian/patches/CVE-2013-4322.patch: enforce maximum size in
      java/org/apache/coyote/http11/{AbstractHttp11Processor.java,
      AbstractHttp11Protocol.java, Http11AprProcessor.java,
      Http11AprProtocol.java, Http11NioProcessor.java,
      Http11NioProtocol.java, Http11Processor.java, Http11Protocol.java},
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java,
      webapps/docs/config/http.xml.
    - CVE-2013-4322
  * SECURITY UPDATE: denial of service via malformed content-type header
    - debian/patches/CVE-2014-0050.patch: validate sizes in
      java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java,
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2014-0050
  * d/p/0018-update-test-certificates.patch: remove binary parts to
    support newer quilt.
 -- Marc Deslauriers <email address hidden>   Tue, 04 Mar 2014 10:45:20 -0500
Obsolete in saucy-updates on 2015-04-24
Obsolete in saucy-security on 2015-04-24
tomcat7 (7.0.42-1ubuntu0.1) saucy-security; urgency=medium

  * SECURITY UPDATE: request smuggling attack via content-length headers
    - debian/patches/CVE-2013-4286.patch: use long as content length in
      java/org/apache/coyote/Request.java, handle multiple content lengths
      in java/org/apache/coyote/ajp/AbstractAjpProcessor.java, handle
      content length and chunked encoding being both specified in
      java/org/apache/coyote/http11/AbstractHttp11Processor.java.
    - CVE-2013-4286
  * SECURITY UPDATE: denial of service via chunked transfer coding
    - debian/patches/CVE-2013-4322.patch: enforce maximum size in
      java/org/apache/coyote/http11/{AbstractHttp11Processor.java,
      AbstractHttp11Protocol.java, Http11AprProcessor.java,
      Http11AprProtocol.java, Http11NioProcessor.java,
      Http11NioProtocol.java, Http11Processor.java, Http11Protocol.java},
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java,
      webapps/docs/config/http.xml.
    - CVE-2013-4322
  * SECURITY UPDATE: denial of service via malformed content-type header
    - debian/patches/CVE-2014-0050.patch: validate sizes in
      java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java,
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2014-0050
 -- Marc Deslauriers <email address hidden>   Tue, 04 Mar 2014 10:22:07 -0500
Superseded in utopic-release on 2014-05-03
Published in trusty-release on 2014-02-27
Deleted in trusty-proposed (Reason: moved to release)
tomcat7 (7.0.52-1) unstable; urgency=low


  * Team upload.
  * New upstream release.
    - Addresses security issue: CVE-2014-0050

 -- Gianfranco Costamagna <email address hidden>  Wed, 19 Feb 2014 14:09:48 +0100

Available diffs

Superseded in trusty-release on 2014-02-27
Deleted in trusty-proposed on 2014-02-28 (Reason: moved to release)
tomcat7 (7.0.50-1) unstable; urgency=medium


  * New upstream release.

 -- James Page <email address hidden>  Tue, 14 Jan 2014 18:09:28 +0000

Available diffs

Superseded in trusty-release on 2014-01-15
Deleted in trusty-proposed on 2014-01-16 (Reason: moved to release)
tomcat7 (7.0.47-1) unstable; urgency=low


  [ Gianfranco Costamagna ]
  * Team upload.
  * New upstream release, patch refresh.
  * Renamed patch fix-manager-webapp.path
    to fix-manager-webapp.patch (extension typo).
  * Refresh patches for upstream release.
  * Removed -Djava.net.preferIPv4Stack=true
    from init script (lp: #1088681),
    thanks Hendrik Haddorp.
  * Added webapp manager path patch (lp: #1128067)
    thanks TJ.

  [ tony mancill ]
  * Bump Standards-Version to 3.9.5.
  * Change copyright year in javadocs to 2013.
  * Add patch to include the distribution name in error pages.
    (Closes: #729840)

 -- tony mancill <email address hidden>  Tue, 24 Dec 2013 16:46:34 +0000

Available diffs

Superseded in trusty-release on 2013-12-25
Superseded in trusty-release on 2013-11-19
Superseded in trusty-release on 2013-11-15
Obsolete in saucy-release on 2015-04-24
Deleted in saucy-proposed on 2015-04-28 (Reason: moved to release)
tomcat7 (7.0.42-1) unstable; urgency=low


  [ Gianfranco Costamagna ]
  * Team upload.
  * New upstream release.
  * Added libhamcrest-java >= 1.3 as build-dep,
    tweaked debian/rules.
  * Bumped compat level to 9.
  * Removed some version checks, newer releases already in oldstable.
  * Refresh patches.
  * debian/control: changed Vcs-Git and Vcs-Browser fields,
    now they are canonical.
  * Fixed error message in Tomcat init script,
    patch by Thijs Kinkhorst (Closes: #714348)

 -- Gianfranco Costamagna <email address hidden>  Tue, 16 Jul 2013 17:34:58 +0200

Available diffs

Superseded in quantal-updates on 2014-03-06
Superseded in quantal-security on 2014-03-06
tomcat7 (7.0.30-0ubuntu1.2) quantal-security; urgency=low

  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID
      in java/org/apache/catalina/authenticator/FormAuthenticator.java.
    - CVE-2013-2067
  * SECURITY UPDATE: information leak via AsyncListeners and
    RuntimeExceptions (LP: #1178645)
    - debian/patches/CVE-2013-2071.patch: catch RuntimeExceptions in
      java/org/apache/catalina/core/AsyncContextImpl.java, added tests to
      test/org/apache/catalina/core/TestAsyncContextImpl.java.
    - CVE-2013-2071
  * Fix FTBFS due to expired test certificates:
    - d/keystores/*.jks: Newer keystores from upstream 7.0.39.
    - d/rules: Install newer keystores for testing, tidy up after use.
    - d/p/0018-update-test-certificates.patch: Cherry picked fixes from
      upstream VCS to update text based certificates.
 -- Marc Deslauriers <email address hidden>   Thu, 23 May 2013 09:04:36 -0400
Obsolete in raring-updates on 2015-04-24
Obsolete in raring-security on 2015-04-24
tomcat7 (7.0.35-1~exp2ubuntu1.1) raring-security; urgency=low

  * SECURITY UPDATE: information leak via AsyncListeners and
    RuntimeExceptions (LP: #1178645)
    - debian/patches/CVE-2013-2071.patch: catch RuntimeExceptions in
      java/org/apache/catalina/core/AsyncContextImpl.java, added tests to
      test/org/apache/catalina/core/TestAsyncContextImpl.java.
    - CVE-2013-2071
 -- Marc Deslauriers <email address hidden>   Tue, 21 May 2013 10:07:15 -0400
Superseded in saucy-release on 2013-08-01
Deleted in saucy-proposed on 2013-08-02 (Reason: moved to release)
tomcat7 (7.0.40-2) unstable; urgency=low


  * Fix deployment of POMs for libservlet-3.0-java JARs into javax
    coordinates.
    - JARs were deployed into maven-repo, but not POMs.
  * Fix servlet-api groupId in d/javaxpoms/jsp-api.pom.

 -- Jakub Adam <email address hidden>  Thu, 16 May 2013 17:35:52 +0200

Available diffs

Superseded in saucy-release on 2013-05-23
Deleted in saucy-proposed on 2013-05-24 (Reason: moved to release)
tomcat7 (7.0.40-1) unstable; urgency=low


  * New upstream release.
    - Addresses security issue: CVE-2013-2071
  * Refresh patches:
    - 0015_disable_test_TestCometProcessor.patch

 -- Miguel Landaeta <email address hidden>  Fri, 10 May 2013 19:10:36 -0300
Superseded in saucy-release on 2013-05-13
Obsolete in raring-release on 2015-04-24
Deleted in raring-proposed on 2015-04-27 (Reason: moved to release)
tomcat7 (7.0.35-1~exp2ubuntu1) raring; urgency=low

  * Fix FTBFS due to expired test certificates (LP: #1166187):
    - d/keystores/*.jks: Newer keystores from upstream 7.0.39.
    - d/rules: Install newer keystores for testing, tidy up after use.
    - d/p/0018-update-test-certificates.patch: Cherry picked fixes from
      upstream VCS to update text based certificates.
 -- James Page <email address hidden>   Mon, 08 Apr 2013 14:02:42 +0100
Published in precise-updates on 2013-04-01
Published in precise-security on 2013-04-01
tomcat7 (7.0.26-1ubuntu1.2) precise-security; urgency=low

  [Christian Kuersteiner]
  * SECURITY UPDATE: Fix multiple vulnerabilities in Tomcat7
    (LP: #1115053)
    - debian/patches/0013-CVE-2012-2733.patch: Fix for Apache Tomcat Denial of
      Service. Based on upstream patch.
    - CVE-2012-2733
    - debian/patches/0014-CVE-2012-3546.patch: Fix for bypass of security
      constraints. Based on upstream patch.
    - CVE-2012-3546
    - debian/patches/0015-CVE-2012-4431.patch: Fix for bypass of CSRF prevention
      filter. Based on upstream patch.
    - CVE-2012-4431
    - debian/patches/0016-CVE-2012-4534.patch: Fix for CVE-2012-4534 Denial of
      Service Vulnerability. Based on upstream patch.
    - CVE-2012-4534
    - debian/patches/CVE-2012-3439.patch: Fix for DIGEST authentication
      weaknesses. Based on upstream patch.
    - CVE-2012-3439, CVE-2012-5885, CVE-2012-5886, 2012-5887

  [ Jamie Strandboge ]
  * allow for easily running the testsuite:
    - debian/control: add testsuite build-depends
    - debian/rules:
      + add 'testsuite' target
      + add ANT_TS_ARGS for use in the testsuite target
      + cleanup the testsuite
    - add debian/README.source for information on how to use the testsuite
 -- Christian Kuersteiner <email address hidden>   Tue, 19 Mar 2013 14:48:19 +0100
Obsolete in oneiric-updates on 2015-04-24
Obsolete in oneiric-security on 2015-04-24
tomcat7 (7.0.21-1ubuntu0.1) oneiric-security; urgency=low

  [Christian Kuersteiner]
  * SECURITY UPDATE: Fix multiple vulnerabilities in Tomcat7
    (LP: #1115053)
    - debian/patches/CVE-2012-0022.patch: Fix for Denial of service. Based on
      upstream patch.
    - CVE-2012-0022, CVE-2011-4858
    - debian/patches/CVE-2011-3375.patch: Fix for information disclosure. Based
      on upstream patch.
    - CVE-2011-3375
    - debian/patches/CVE-2011-3376.patch: Fix for privilege escalation. Based on
      upstream patch.
    - CVE-2011-3376
    - debian/patches/CVE-2012-2733.patch: Fix for Apache Tomcat Denial of
      Service. Based on upstream patch.
    - CVE-2012-2733
    - debian/patches/CVE-2012-3546.patch: Fix for bypass of security
      constraints. Based on upstream patch.
    - CVE-2012-3546
    - debian/patches/CVE-2012-4431.patch: Fix for bypass of CSRF prevention
      filter. Based on upstream patch.
    - CVE-2012-4431
    - debian/patches/CVE-2012-4534.patch: Fix for CVE-2012-4534 Denial of
      Service Vulnerability. Based on upstream patch.
    - CVE-2012-4534
    - debian/patches/CVE-2012-3439.patch: Fix for DIGEST authentication
      weaknesses. Based on upstream patch.
    - CVE-2012-3439, CVE-2012-5885, CVE-2012-5886, 2012-5887

  [ Jamie Strandboge ]
  * allow for easily running the testsuite:
    - debian/control: add testsuite build-depends
    - debian/rules:
      + add 'testsuite' target
      + add ANT_TS_ARGS for use in the testsuite target
      + cleanup the testsuite
    - add debian/README.source for information on how to use the testsuite
 -- Christian Kuersteiner <email address hidden>   Fri, 15 Mar 2013 15:40:27 -0700
Superseded in raring-release on 2013-04-08
Deleted in raring-proposed on 2013-04-09 (Reason: moved to release)
tomcat7 (7.0.35-1~exp2) experimental; urgency=low


  * Switch from Commons DBCP to Tomcat JDBC Pool as default connection
    pool implementation (Closes: #701023).

 -- James Page <email address hidden>  Sun, 24 Feb 2013 22:08:22 +0000
Superseded in raring-release on 2013-02-26
Deleted in raring-proposed on 2013-02-27 (Reason: moved to release)
tomcat7 (7.0.35-1~exp1ubuntu1) raring; urgency=low

  * Merge from Debian experimental, remaining changes:
    + Enabled Tomcat jdbc-pool module, aligning more closely to upstream and
      providing improved multi-threaded performance over commons-dbcp:
      - d/rules,d/libtomcat7-java.poms: Install tomcat-dbcp.jar file.
      - d/patches/0005-change-default-DBCP-factory-class.patch: Drop patch
        which switches the default DBCP factory to commons-dbcp.
      - d/p/0015-use-jdbc-pool-default.patch: Make jdbc-pool module the
        default pool implementation for DataSources.
      - d/NEWS: let users know about this change.
  * Dropped changes, included in Debian:
    - d/p/0014-fix-override.patch: Fix FTBFS due to differing dependency
      versions compared to upstream.
 -- James Page <email address hidden>   Wed, 20 Feb 2013 15:34:18 +0000
Superseded in quantal-updates on 2013-05-28
Superseded in quantal-security on 2013-05-28
tomcat7 (7.0.30-0ubuntu1.1) quantal-security; urgency=low

  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
 -- Marc Deslauriers <email address hidden>   Thu, 10 Jan 2013 09:35:41 -0500
Superseded in raring-release on 2013-02-20
Deleted in raring-proposed on 2013-02-27 (Reason: moved to release)
tomcat7 (7.0.34-0ubuntu1) raring; urgency=low

  * New upstream release.
    - d/p/0014-fix-override.patch: Fix FTBFS due to differing dependency
      versions compared to upstream.
  * d/p/0015-use-jdbc-pool-default.patch: Make jdbc-pool module the default
    pool implementation for DataSources (LP: #1071817).
 -- James Page <email address hidden>   Thu, 06 Dec 2012 13:47:08 +0000

Available diffs

Superseded in raring-release on 2012-12-06
Obsolete in quantal-release on 2015-04-24
tomcat7 (7.0.30-0ubuntu1) quantal; urgency=low

  * New upstream point release including several fixes for Java 7
    specific issues.
  * Refreshed patches.
 -- James Page <email address hidden>   Mon, 17 Sep 2012 10:52:06 +0100
Superseded in quantal-release on 2012-09-17
tomcat7 (7.0.29-0ubuntu1) quantal; urgency=low

  * Re-sync with Debian unstable.
  * New upstream release:
    - Refreshed patches.
  * Enabled Tomcat jdbc-pool module, aligning more closely to upstream and
    providing improved multi-threaded performance over commons-dbcp:
    - d/rules,d/libtomcat7-java.poms: Install tomcat-dbcp.jar file.
    - d/patches/0005-change-default-DBCP-factory-class.patch: Drop patch
      which switches the default DBCP factory to commons-dbcp.
    - d/NEWS: let users know about this change.

Superseded in precise-updates on 2013-04-01
Deleted in precise-proposed on 2013-04-03 (Reason: moved to -updates)
tomcat7 (7.0.26-1ubuntu1.1) precise-proposed; urgency=low

  * Fix handling of JNDI lookups using javax.naming.Name (LP: #1012794):
    - d/patches/0012-lp-1012794-fix-jndi-lookup.patch: Cherry picked patch
      from upstream VCS which ensures that JNDI lookups that use Name
      rather than String don't fail.
 -- James Page <email address hidden>   Thu, 12 Jul 2012 21:52:17 +0100
Superseded in quantal-release on 2012-07-16
Superseded in quantal-release on 2012-07-11
tomcat7 (7.0.28-1) unstable; urgency=low


  [ Miguel Landaeta ]
  * Add Slovak debconf translation (Closes: #677913).
    - Thanks to Ivan Masár.

  [ James Page ]
  * New upstream release.
  * Enable test suite during package build:
    - d/control: Add junit4, libjstl1.1-java and
      libjakarta-taglibs-standard-java to BDI's.
    - d/rules:
      + Add ant/junit4 jars files to build classpath.
      + Target java 1.6 to support test suite exection.
      + Specify location of junit jar file.
      + Install jstl jar files to example webapp during build.
      + Conditionally execute test target if required.
      + Purge jar files from example webapp during clean.
  * Fix JSTL examples in examples web application:
    - d/control: Add dependencies on libjstl1.1-java and
      libjakarta-taglibs-standard-java for tomcat7-examples.
    - d/tomcat7-examples.links: Add links to jstl and standard jar
      files for examples web application.
    - d/context/examples.xml: Allow linking to jar files in examples
      webapp.
  * Fix mapping to javax packages for API jar files:
    - d/maven.[rules,publishedRules]: Ensure all javax.[servlet|el] jar files
      are published to the correct locations in /usr/share/[maven-repo|java].
    - d/libservlet3.0-java.manifest: Update jar file locations for javax
      remapping.
    - d/libservlet3.0-java.links: Provide backwards compatible links for
      deprecated tomcat-*.jar files in /usr/share/java.

  [ tony mancill ]
  * Set DMUA flag.

 -- tony mancill <email address hidden>  Fri, 22 Jun 2012 07:06:46 -0700
Superseded in quantal-release on 2012-06-24
tomcat7 (7.0.27-1ubuntu2) quantal; urgency=low

  * Enable test suite during package build:
    - d/control: Add junit4, libjstl1.1-java and
      libjakarta-taglibs-standard-java to BDI's.
    - d/rules:
      + Add ant/junit4 jars files to build classpath.
      + Target java 1.6 to support test suite exection.
      + Specify location of junit jar file.
      + Install jstl jar files to example webapp during build.
      + Conditionally execute test target if required.
      + Purge jar files from example webapp during clean.
  * Fix JSTL examples in examples web application:
    - d/control: Add dependencies on libjstl1.1-java and
      libjakarta-taglibs-standard-java for tomcat7-examples.
    - d/tomcat7-examples.links: Add links to jstl and standard jar
      files for examples web application.
    - d/context/examples.xml: Allow linking to jar files in examples
      webapp.
 -- James Page <email address hidden>   Sun, 17 Jun 2012 20:07:56 +0100
Superseded in quantal-release on 2012-06-17
tomcat7 (7.0.27-1ubuntu1) quantal; urgency=low

  * Fix mapping to javax packages for API jar files:
    - d/maven.[rules,publishedRules]: Ensure all javax.[servlet|el] jar files
      are published to the correct locations in /usr/share/[maven-repo|java].
    - d/libservlet3.0-java.manifest: Update jar file locations for javax
      remapping.
    - d/libservlet3.0-java.links: Provide backwards compatible links for
      deprecated tomcat-*.jar files in /usr/share/java.
 -- James Page <email address hidden>   Fri, 15 Jun 2012 15:51:19 +0100
Superseded in quantal-release on 2012-06-15
tomcat7 (7.0.27-1) unstable; urgency=low


  * New upstream release.

 -- tony mancill <email address hidden>  Thu, 07 Jun 2012 22:43:21 -0700

Available diffs

Superseded in quantal-release on 2012-06-08
tomcat7 (7.0.26-4) unstable; urgency=low


  * Address regression leaving ROOT webapp files after purge.  
    (Closes: #670440)
  * Update copyright year in javadoc to 2012.

 -- tony mancill <email address hidden>  Mon, 28 May 2012 18:45:07 -0700

Available diffs

Superseded in quantal-release on 2012-05-31
tomcat7 (7.0.26-3) unstable; urgency=low


  * Team upload.
  * Apply patches provided by James Page (Closes: #671370)
    - d/patches/0012-java7-compat.patch: Added compatibility patch to
      support compilation with openjdk-7 as default-jdk (LP: #889002).
    - d/default_root/index.html: Fixup instructions for enabling
      manager web application access (LP: #910368).
  * Fix README.Debian symlink; file is not compressed. (Closes: #674119)

 -- tony mancill <email address hidden>  Wed, 23 May 2012 22:13:23 -0700
Superseded in quantal-release on 2012-05-29
tomcat7 (7.0.26-2ubuntu1) quantal; urgency=low

  * Resync with Debian.
  * d/patches/0012-java7-compat.patch: Added compatibility patch to
    support compilation with openjdk-7 as default-jdk (LP: #889002).
  * d/default_root/index.html: Fixup instructions for enabling
    manager web application access (LP: #910368).

Superseded in quantal-release on 2012-05-03
Published in precise-release on 2012-04-11
tomcat7 (7.0.26-1ubuntu1) precise; urgency=low

  * Handle creation of user instances with pathnames containing spaces
    (LP: #977498):
    - d/tomcat7-instance-create: Quote access to files and directories
      so that spaces can be used when creating user instances.
 -- James Page <email address hidden>   Wed, 11 Apr 2012 10:49:51 +0100
Superseded in precise-release on 2012-04-11
tomcat7 (7.0.26-1) unstable; urgency=low


  [ Jakub Adam ]
  * New upstream release.
  * Add Jakub Adam to Uploaders.
  * Bump Standards-Version to 3.9.3.
  * Don't Depend libservlet3.0-java-doc on package it documents, relax
    to Suggests.

  [ tony mancill ]
  * Add Polish debconf translation. (Closes: #661644)
    - Thanks to Michał Kułach.

 -- tony mancill <email address hidden>  Thu, 01 Mar 2012 21:22:50 -0800

Available diffs

Superseded in precise-release on 2012-04-03
tomcat7 (7.0.23-1) unstable; urgency=low

  * New upstream release.
  * Refresh patches.
 -- Ubuntu Archive Auto-Sync <email address hidden>   Mon,  12 Dec 2011 12:02:13 +0000

Available diffs

Superseded in precise-release on 2011-12-12
tomcat7 (7.0.22-1) unstable; urgency=low

  [ Miguel Landaeta ]
  * New upstream release.
  * Fix lintian warning about format specification of copyright file.

  [ tony mancill ]
  * Add dependency on JRE to tomcat7-common (Closes: #644340)
  * Modify init script to look for JVM in /usr/lib/jvm/default-java
 -- Ubuntu Archive Auto-Sync <email address hidden>   Wed,  19 Oct 2011 09:20:55 +0000

Available diffs

Superseded in precise-release on 2011-10-19
Obsolete in oneiric-release on 2015-04-24
tomcat7 (7.0.21-1) unstable; urgency=low

  * New upstream release.
    - Includes fix for CVE-2011-3190.
  * Updated my email address.
 -- James Page <email address hidden>   Thu,  08 Sep 2011 13:18:11 +0000

Available diffs

175 of 80 results