Change log for tomcat7 package in Ubuntu

Published in xenial-updates
Published in xenial-security
tomcat7 (7.0.68-1ubuntu0.4) xenial-security; urgency=medium

  * SECURITY REGRESSION: security manager startup issue (LP: #1799990)
    - debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch:
      update to new /var/lib/tomcat7/policy location.
    - debian/tomcat7.postrm.in: remove policy directory.

 -- Eduardo Barretto <email address hidden>  Tue, 30 Oct 2018 09:54:52 -0300
Superseded in xenial-updates
Superseded in xenial-security
tomcat7 (7.0.68-1ubuntu0.3) xenial-security; urgency=medium

  * SECURITY UPDATE: Timing attack can determine valid user names.
    - debian/patches/CVE-2016-0762.patch: fix in the Realm
      implementation.
    - CVE-2016-0762
  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat7.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240
  * SECURITY UPDATE: SecurityManager bypass via a utility method.
    - debian/patches/CVE-2016-5018.patch: remove unnecessary code in
      java/org/apache/jasper/compiler/JspRuntimeContext.java,
      java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - debian/patches/CVE-2016-5018-part2.patch: fix a regression when
      using Jasper with SecurityManager enabled.
    - CVE-2016-5018
  * SECURITY UPDATE: system properties read SecurityManager bypass
    - debian/patches/CVE-2016-6794.patch: extend SecurityManager
      protection to the system property replacement feature of the
      digester in java/org/apache/catalina/loader/WebappClassLoader.java,
      java/org/apache/tomcat/util/digester/Digester.java,
      java/org/apache/tomcat/util/security/PermissionCheck.java.
    - CVE-2016-6794
  * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
    parameters.
    - debian/patches/CVE-2016-6796.patch: ignore some JSP options when
      running under a SecurityManager in conf/web.xml,
      java/org/apache/jasper/EmbeddedServletOptions.java,
      java/org/apache/jasper/resources/LocalStrings.properties,
      java/org/apache/jasper/servlet/JspServlet.java,
      webapps/docs/jasper-howto.xml.
    - CVE-2016-6796
  * SECURITY UPDATE: web application global JNDI resource access
    - debian/patches/CVE-2016-6797.patch: ensure that the global resource
      is only visible via the ResourceLinkFactory when it is meant to be
      in java/org/apache/catalina/core/NamingContextListener.java,
      java/org/apache/naming/factory/ResourceLinkFactory.java,
      test/org/apache/naming/TestNamingContext.java.
    - CVE-2016-6797
  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid
      characters in
      java/org/apache/coyote/http11/AbstractInputBuffer.java,
      java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
      credential types in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when
      unable to complete sendfile request in
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat7.postinst: properly set permissions on
      /etc/tomcat7/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat7.postrm.in: don't reset permissions before removing
      user.
    - CVE-2016-9775
  * debian/tomcat7.init: further hardening.

 -- Eduardo Barretto <email address hidden>  Fri, 19 Oct 2018 10:46:37 -0300
Published in trusty-updates
Published in trusty-security
tomcat7 (7.0.52-1ubuntu0.16) trusty-security; urgency=medium

  * SECURITY UPDATE: arbitrary redirect issue
    - debian/patches/CVE-2018-11784.patch: avoid protocol relative
      redirects in java/org/apache/catalina/servlets/DefaultServlet.java.
    - CVE-2018-11784

 -- Marc Deslauriers <email address hidden>  Tue, 09 Oct 2018 11:25:36 -0400
Superseded in trusty-updates
Superseded in trusty-security
tomcat7 (7.0.52-1ubuntu0.15) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS via issue in UTF-8 decoder
    - debian/patches/CVE-2018-1336.patch: fix logic in
      java/org/apache/tomcat/util/buf/Utf8Decoder.java.
    - CVE-2018-1336
  * SECURITY UPDATE: missing hostname verification in WebSocket client
    - debian/patches/CVE-2018-8034.patch: enable hostname verification by
      default in webapps/docs/web-socket-howto.xml,
      java/org/apache/tomcat/websocket/WsWebSocketContainer.java.
    - CVE-2018-8034

 -- Marc Deslauriers <email address hidden>  Wed, 25 Jul 2018 08:27:25 -0400
Superseded in trusty-updates
Superseded in trusty-security
tomcat7 (7.0.52-1ubuntu0.14) trusty-security; urgency=medium

  * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
    - debian/patches/CVE-2017-1261x.patch: add checks to
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/naming/resources/FileDirContext.java,
      java/org/apache/naming/resources/JrePlatform.java,
      java/org/apache/naming/resources/LocalStrings.properties,
      java/org/apache/naming/resources/VirtualDirContext.java,
      test/org/apache/naming/resources/TestFileDirContext.java.
    - CVE-2017-12616
    - CVE-2017-12617
  * SECURITY UPDATE: security constraints mapped to context root are ignored
    - debian/patches/CVE-2018-1304.patch: add check to
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2018-1304
  * SECURITY UPDATE: security constraint annotations applied too late
    - debian/patches/CVE-2018-1305.patch: change ordering in
      java/org/apache/catalina/Wrapper.java,
      java/org/apache/catalina/authenticator/AuthenticatorBase.java,
      java/org/apache/catalina/core/ApplicationContext.java,
      java/org/apache/catalina/core/ApplicationServletRegistration.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/StandardWrapper.java,
      java/org/apache/catalina/startup/ContextConfig.java,
      java/org/apache/catalina/startup/Tomcat.java,
      java/org/apache/catalina/startup/WebAnnotationSet.java.
    - CVE-2018-1305
  * SECURITY UPDATE: CORS filter has insecure defaults
    - debian/patches/CVE-2018-8014.patch: change defaults in
      java/org/apache/catalina/filters/CorsFilter.java,
      java/org/apache/catalina/filters/LocalStrings.properties,
      test/org/apache/catalina/filters/TestCorsFilter.java,
      test/org/apache/catalina/filters/TesterFilterConfigs.java.
    - CVE-2018-8014

 -- Marc Deslauriers <email address hidden>  Tue, 29 May 2018 10:22:42 -0400
Superseded in trusty-updates
Superseded in trusty-security
tomcat7 (7.0.52-1ubuntu0.13) trusty-security; urgency=medium

  * SECURITY UPDATE: loss of pipeline requests
    - debian/patches/CVE-2017-5647.patch: improve sendfile handling when
      requests are pipelined in
      java/org/apache/coyote/AbstractProtocol.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java,
      java/org/apache/tomcat/util/net/SendfileKeepAliveState.java,
      java/org/apache/tomcat/util/net/SendfileState.java.
    - CVE-2017-5647
  * SECURITY UPDATE: incorrect facade object use
    - debian/patches/CVE-2017-5648-pre.patch: fix keep-alive with
      asynchronous servlet in
      java/org/apache/catalina/core/AsyncContextImpl.java,
      java/org/apache/coyote/AsyncContextCallback.java,
      java/org/apache/coyote/AsyncStateMachine.java,
      test/org/apache/catalina/core/TestAsyncContextImpl.java.
    - debian/patches/CVE-2017-5648.patch: ensure request and response
      facades are used when firing application listeners in
      java/org/apache/catalina/authenticator/FormAuthenticator.java,
      java/org/apache/catalina/core/StandardHostValve.java.
    - CVE-2017-5648
  * SECURITY UPDATE: unexpected and undesirable results for static error
    pages
    - debian/patches/CVE-2017-5664.patch: use a more reliable mechanism in
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/WebdavServlet.java.
    - CVE-2017-5664
  * SECURITY UPDATE: client and server side cache poisoning in CORS filter
    - debian/patches/CVE-2017-7674.patch: set Vary header in response in
      java/org/apache/catalina/filters/CorsFilter.java.
    - CVE-2017-7674

 -- Marc Deslauriers <email address hidden>  Wed, 27 Sep 2017 16:28:58 -0400
Deleted in disco-release (Reason: (From Debian) ROM; No longer used; Debian bug #914497)
Obsolete in cosmic-release
Published in bionic-release
Obsolete in artful-release
Deleted in artful-proposed (Reason: moved to release)
tomcat7 (7.0.78-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Wed, 24 May 2017 18:03:19 +0200
Obsolete in yakkety-proposed
tomcat7 (7.0.72-1ubuntu0.1) yakkety; urgency=medium

  * Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat7 contains
    the '%' character (LP: #1666570).
  * Fix javax.servlet.jsp POM to use servlet-api version 3.0 instead of
    2.2 (LP: #1664179).

 -- Joshua Powers <email address hidden>  Tue, 28 Mar 2017 16:04:14 -0700
Deleted in xenial-proposed (Reason: The package was removed due to its SRU bug(s) not being v...)
tomcat7 (7.0.68-1ubuntu0.2) xenial; urgency=medium

  * Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat7 contains
    the '%' character (LP: #1666570).
  * Fix javax.servlet.jsp POM to use servlet-api version 3.0 instead of
    2.2 (LP: #1664179).

 -- Joshua Powers <email address hidden>  Tue, 28 Mar 2017 16:15:05 -0700
Superseded in trusty-updates
Deleted in trusty-proposed (Reason: moved to -updates)
tomcat7 (7.0.52-1ubuntu0.11) trusty; urgency=medium

  * Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat7 contains
    the '%' character (LP: #1666570).
  * Fix javax.servlet.jsp POM to use servlet-api version 3.0 instead of
    2.2 (LP: #1664179).

 -- Joshua Powers <email address hidden>  Wed, 22 Mar 2017 13:42:56 -0600
Superseded in trusty-updates
Superseded in trusty-security
tomcat7 (7.0.52-1ubuntu0.10) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS via CPU consumption (LP: #1663318)
    - debian/patches/CVE-2017-6056.patch: fix infinite loop in
      java/org/apache/coyote/http11/AbstractInputBuffer.java.
    - CVE-2017-6056

 -- Marc Deslauriers <email address hidden>  Fri, 17 Feb 2017 08:51:12 -0500
Superseded in trusty-updates
Superseded in trusty-security
tomcat7 (7.0.52-1ubuntu0.9) trusty-security; urgency=medium

  * SECURITY REGRESSION: security manager startup issue (LP: #1659589)
    - debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch:
      update to new /var/lib/tomcat7/policy location.
    - debian/tomcat7.postrm.in: remove policy directory.

 -- Marc Deslauriers <email address hidden>  Wed, 01 Feb 2017 10:40:22 -0500
Superseded in artful-release
Obsolete in zesty-release
Deleted in zesty-proposed (Reason: moved to release)
tomcat7 (7.0.75-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Tue, 24 Jan 2017 13:13:38 +0100
Superseded in trusty-updates
Superseded in trusty-security
tomcat7 (7.0.52-1ubuntu0.8) trusty-security; urgency=medium

  * SECURITY UPDATE: SecurityManager bypass via a utility method
    - debian/patches/CVE-2016-5018.patch: remove unnecessary code in
      java/org/apache/jasper/compiler/JspRuntimeContext.java,
      java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2016-5018
  * SECURITY UPDATE: mitigation for httpoxy issue
    - debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization
      parameter to conf/web.xml, webapps/docs/cgi-howto.xml,
      java/org/apache/catalina/servlets/CGIServlet.java.
    - CVE-2016-5388
  * SECURITY UPDATE: system properties read SecurityManager bypass
    - debian/patches/CVE-2016-6794.patch: extend SecurityManager protection
      to the system property replacement feature of the digester in
      java/org/apache/catalina/loader/WebappClassLoader.java,
      java/org/apache/tomcat/util/digester/Digester.java,
      java/org/apache/tomcat/util/security/PermissionCheck.java.
    - CVE-2016-6794
  * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
    parameters
    - debian/patches/CVE-2016-6796.patch: ignore some JSP options when
      running under a SecurityManager in conf/web.xml,
      java/org/apache/jasper/EmbeddedServletOptions.java,
      java/org/apache/jasper/resources/LocalStrings.properties,
      java/org/apache/jasper/servlet/JspServlet.java,
      webapps/docs/jasper-howto.xml.
    - CVE-2016-6796
  * SECURITY UPDATE: web application global JNDI resource access
    - debian/patches/CVE-2016-6797.patch: ensure that the global resource
      is only visible via the ResourceLinkFactory when it is meant to be in
      java/org/apache/catalina/core/NamingContextListener.java,
      java/org/apache/naming/factory/ResourceLinkFactory.java,
      test/org/apache/naming/TestNamingContext.java.
    - CVE-2016-6797
  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid
      characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
      java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735-pre.patch: remove the restriction that
      prevented the use of SSL when specifying a bind address in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java,
      java/org/apache/catalina/mbeans/LocalStrings.properties,
      webapps/docs/config/listeners.xml.
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
      credential types in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when unable
      to complete sendfile request in
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat7.postinst: properly set permissions on
      /etc/tomcat7/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat7.postrm.in: don't reset permissions before removing
      user.
    - CVE-2016-9775
  * debian/tomcat7.init: further hardening.

 -- Marc Deslauriers <email address hidden>  Thu, 19 Jan 2017 12:38:29 -0500
Superseded in zesty-release
Deleted in zesty-proposed (Reason: moved to release)
tomcat7 (7.0.73-1) unstable; urgency=medium

  * New upstream release

 -- Emmanuel Bourg <email address hidden>  Wed, 16 Nov 2016 10:53:00 +0100
Superseded in zesty-release
Deleted in zesty-proposed (Reason: moved to release)
tomcat7 (7.0.72-4) unstable; urgency=medium

  * Depend on libcglib-nodep-java instead of libcglib3-java

 -- Emmanuel Bourg <email address hidden>  Mon, 07 Nov 2016 16:55:48 +0100
Superseded in zesty-proposed
tomcat7 (7.0.72-3) unstable; urgency=medium

  * Build only the Servlet API (Closes: #819259, #834680)

 -- Emmanuel Bourg <email address hidden>  Sat, 05 Nov 2016 22:57:29 +0100
Superseded in zesty-release
Deleted in zesty-proposed (Reason: moved to release)
tomcat7 (7.0.72-2) unstable; urgency=high

  * Team upload.
  * CVE-2016-1240 follow-up:
    - The previous init.d fix was vulnerable to a race condition that could
      be exploited to make any existing file writable by the tomcat user.
      Thanks to Paul Szabo for the report and the fix.
    - The catalina.policy file generated on startup was affected by a similar
      vulnerability that could be exploited to overwrite any file on the system.
      Thanks to Paul Szabo for the report.
  * Hardened the init.d script, thanks to Paul Szabo
  * Switch to debhelper level 10

 -- Emmanuel Bourg <email address hidden>  Fri, 28 Oct 2016 01:34:22 +0200
Superseded in zesty-release
Obsolete in yakkety-release
Deleted in yakkety-proposed (Reason: moved to release)
tomcat7 (7.0.72-1) unstable; urgency=medium

  * New upstream release

 -- Emmanuel Bourg <email address hidden>  Tue, 20 Sep 2016 13:28:54 +0200
Superseded in trusty-updates
Superseded in trusty-security
tomcat7 (7.0.52-1ubuntu0.7) trusty-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat7.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240
  * SECURITY REGRESSION: change in behaviour after security update
    (LP: #1609819)
    - debian/patches/CVE-2015-5345-2.patch: fix using the new
      mapperContextRootRedirectEnabled option in
      java/org/apache/catalina/connector/MapperListener.java, change
      mapperContextRootRedirectEnabled default to true in
      java/org/apache/catalina/core/StandardContext.java,
      webapps/docs/config/context.xml. This reverts the change in behaviour
      following the CVE-2015-5345 security update and was also done
      upstream in later releases.

 -- Marc Deslauriers <email address hidden>  Fri, 16 Sep 2016 09:19:37 -0400
Superseded in yakkety-release
Deleted in yakkety-proposed (Reason: moved to release)
tomcat7 (7.0.70-3) unstable; urgency=high

  * Team upload.
  * Fixed CVE-2016-1240: A flaw in the init.d startup script allows local
    attackers who have gained access to the server in the context of the
    tomcat user through a vulnerability in a web application to replace
    the catalina.out file with a symlink to an arbitrary file on the system,
    potentially leading to a root privilege escalation.
    Thanks to Dawid Golunski for the report.

 -- Emmanuel Bourg <email address hidden>  Wed, 14 Sep 2016 10:56:45 +0200
Superseded in yakkety-release
Deleted in yakkety-proposed (Reason: moved to release)
tomcat7 (7.0.70-2) unstable; urgency=medium

  * Team upload.
  * Do not unconditionally override files in /etc/tomcat7. (Closes: #821391)

 -- Markus Koschany <email address hidden>  Tue, 02 Aug 2016 11:43:11 +0200
Superseded in trusty-updates
Superseded in trusty-security
tomcat7 (7.0.52-1ubuntu0.6) trusty-security; urgency=medium

  * SECURITY UPDATE: directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix normalization edge cases in
      java/org/apache/tomcat/util/http/RequestUtil.java,
      test/org/apache/tomcat/util/http/TestRequestUtil.java.
    - CVE-2015-5174
  * SECURITY UPDATE: information disclosure via redirects by mapper
    - debian/patches/CVE-2015-5345.patch: fix redirect logic in
      java/org/apache/catalina/Context.java,
      java/org/apache/catalina/authenticator/FormAuthenticator.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/mbeans-descriptors.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/WebdavServlet.java,
      java/org/apache/catalina/startup/FailedContext.java,
      java/org/apache/tomcat/util/http/mapper/Mapper.java,
      test/org/apache/catalina/startup/TomcatBaseTest.java,
      webapps/docs/config/context.xml,
      test/org/apache/catalina/core/TesterContext.java.
    - CVE-2015-5345
  * SECURITY UPDATE: session fixation vulnerability
    - debian/patches/CVE-2015-5346.patch: handle different session settings
      in java/org/apache/catalina/connector/CoyoteAdapter.java,
      java/org/apache/catalina/connector/Request.java.
    - CVE-2015-5346
  * SECURITY UPDATE: CSRF protection mechanism bypass
    - debian/patches/CVE-2015-5351.patch: don't create sessions
      unnecessarily in webapps/host-manager/WEB-INF/jsp/401.jsp,
      webapps/host-manager/WEB-INF/jsp/403.jsp,
      webapps/host-manager/WEB-INF/jsp/404.jsp,
      webapps/host-manager/index.jsp,
      webapps/manager/WEB-INF/web.xml,
      webapps/manager/index.jsp.
    - CVE-2015-5351
  * SECURITY UPDATE: securityManager restrictions bypass via
    StatusManagerServlet
    - debian/patches/CVE-2016-0706.patch: place servlet in restricted list
      in java/org/apache/catalina/core/RestrictedServlets.properties.
    - CVE-2016-0706
  * SECURITY UPDATE: securityManager restrictions bypass via
    session-persistence implementation
    - debian/patches/CVE-2016-0714.patch: extend the session attribute
      filtering options in
      java/org/apache/catalina/ha/session/ClusterManagerBase.java,
      java/org/apache/catalina/ha/session/mbeans-descriptors.xml,
      java/org/apache/catalina/session/LocalStrings.properties,
      java/org/apache/catalina/session/ManagerBase.java,
      java/org/apache/catalina/session/StandardManager.java,
      java/org/apache/catalina/session/mbeans-descriptors.xml,
      java/org/apache/catalina/util/CustomObjectInputStream.java,
      java/org/apache/catalina/util/LocalStrings.properties,
      webapps/docs/config/cluster-manager.xml,
      webapps/docs/config/manager.xml.
    - CVE-2016-0714
  * SECURITY UPDATE: securityManager restrictions bypass via crafted global
    context
    - debian/patches/CVE-2016-0763.patch: protect initialization in
      java/org/apache/naming/factory/ResourceLinkFactory.java.
    - CVE-2016-0763
  * SECURITY UPDATE: denial of service in FileUpload
    - debian/patches/CVE-2016-3092.patch: properly handle size in
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2016-3092
  * debian/patches/fix_cookie_names_in_tests.patch: fix FTBFS by removing
    colons in cookie names, which are illegal in newer Java versions, in
    test/org/apache/catalina/authenticator/*.java.

 -- Marc Deslauriers <email address hidden>  Wed, 29 Jun 2016 12:50:02 -0400
Obsolete in wily-updates
Obsolete in wily-security
tomcat7 (7.0.64-1ubuntu0.3) wily-security; urgency=medium

  * SECURITY UPDATE: directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix more normalization edge cases
      in java/org/apache/tomcat/util/http/RequestUtil.java,
      test/org/apache/tomcat/util/http/TestRequestUtil.java.
    - CVE-2015-5174
  * SECURITY UPDATE: information disclosure via redirects by mapper
    - debian/patches/CVE-2015-5345.patch: fix redirect logic in
      java/org/apache/catalina/Context.java,
      java/org/apache/catalina/authenticator/FormAuthenticator.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/mbeans-descriptors.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/WebdavServlet.java,
      java/org/apache/catalina/startup/FailedContext.java,
      java/org/apache/tomcat/util/http/mapper/Mapper.java,
      test/org/apache/catalina/startup/TomcatBaseTest.java,
      webapps/docs/config/context.xml,
      test/org/apache/catalina/core/TesterContext.java,
      test/org/apache/tomcat/util/http/mapper/TestMapperWebapps.java.
    - CVE-2015-5345
  * SECURITY UPDATE: session fixation vulnerability
    - debian/patches/CVE-2015-5346.patch: handle different session settings
      in java/org/apache/catalina/connector/CoyoteAdapter.java,
      java/org/apache/catalina/connector/Request.java.
    - CVE-2015-5346
  * SECURITY UPDATE: CSRF protection mechanism bypass
    - debian/patches/CVE-2015-5351.patch: don't create sessions
      unnecessarily in webapps/host-manager/WEB-INF/jsp/401.jsp,
      webapps/host-manager/WEB-INF/jsp/403.jsp,
      webapps/host-manager/WEB-INF/jsp/404.jsp,
      webapps/host-manager/index.jsp,
      webapps/manager/WEB-INF/web.xml,
      webapps/manager/index.jsp.
    - CVE-2015-5351
  * SECURITY UPDATE: securityManager restrictions bypass via
    StatusManagerServlet
    - debian/patches/CVE-2016-0706.patch: place servlet in restricted list
      in java/org/apache/catalina/core/RestrictedServlets.properties.
    - CVE-2016-0706
  * SECURITY UPDATE: securityManager restrictions bypass via
    session-persistence implementation
    - debian/patches/CVE-2016-0714.patch: extend the session attribute
      filtering options in
      java/org/apache/catalina/ha/session/ClusterManagerBase.java,
      java/org/apache/catalina/ha/session/mbeans-descriptors.xml,
      java/org/apache/catalina/session/LocalStrings.properties,
      java/org/apache/catalina/session/ManagerBase.java,
      java/org/apache/catalina/session/StandardManager.java,
      java/org/apache/catalina/session/mbeans-descriptors.xml,
      java/org/apache/catalina/util/CustomObjectInputStream.java,
      java/org/apache/catalina/util/LocalStrings.properties,
      webapps/docs/config/cluster-manager.xml,
      webapps/docs/config/manager.xml.
    - CVE-2016-0714
  * SECURITY UPDATE: securityManager restrictions bypass via crafted global
    context
    - debian/patches/CVE-2016-0763.patch: protect initialization in
      java/org/apache/naming/factory/ResourceLinkFactory.java.
    - CVE-2016-0763
  * SECURITY UPDATE: denial of service in FileUpload
    - debian/patches/CVE-2016-3092.patch: properly handle size in
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2016-3092
  * debian/patches/fix_cookie_names_in_tests.patch: fix FTBFS by removing
    colons in cookie names, which are illegal in newer Java versions, in
    test/org/apache/catalina/authenticator/*.java.

 -- Marc Deslauriers <email address hidden>  Wed, 29 Jun 2016 08:48:32 -0400
Superseded in xenial-updates
Superseded in xenial-security
tomcat7 (7.0.68-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileUpload
    - debian/patches/CVE-2016-3092.patch: properly handle size in
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2016-3092

 -- Marc Deslauriers <email address hidden>  Mon, 27 Jun 2016 14:13:17 -0400
Superseded in yakkety-release
Deleted in yakkety-proposed (Reason: moved to release)
tomcat7 (7.0.70-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Mon, 20 Jun 2016 10:58:56 +0200
Superseded in yakkety-release
Deleted in yakkety-proposed (Reason: moved to release)
tomcat7 (7.0.69-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 3.9.8 (no changes)

 -- Emmanuel Bourg <email address hidden>  Sat, 23 Apr 2016 11:30:01 +0200
Superseded in yakkety-release
Published in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
tomcat7 (7.0.68-1) unstable; urgency=medium

  * Team upload.
  * New upstream release (Closes: #814640)
    - Refreshed the patches
    - New build dependencies on easymock, cglib and objenesis
    - Added ASM to the test classpath (required by Easymock)
  * Use LC_ALL instead of LANG to format the date and make the documentation
    reproducible on the builders
  * Standards-Version updated to 3.9.7 (no changes)
  * Use secure Vcs-* URLs

 -- Emmanuel Bourg <email address hidden>  Thu, 18 Feb 2016 22:26:43 +0100
Superseded in xenial-release
Obsolete in wily-release
Deleted in wily-proposed (Reason: moved to release)
tomcat7 (7.0.64-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Install the missing WebSocket jars in /usr/share/tomcat7/lib/
    (Closes: #787220, LP: #1326687)
  * Changed the authbind configuration to allow IPv6 connections (LP: #1443041)
  * Fixed an upgrade error when /etc/tomcat7/tomcat-users.xml is removed
    (LP: #1010791)
  * Fixed a minor HTML error in the default index.html file (LP: #1236132)

 -- Emmanuel Bourg <email address hidden>  Fri, 28 Aug 2015 09:47:33 +0200
Superseded in wily-release
Deleted in wily-proposed (Reason: moved to release)
tomcat7 (7.0.63-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * debian/rules: Use an English locale when generating the documentation
    to improve reproducibility

 -- Emmanuel Bourg <email address hidden>  Wed, 08 Jul 2015 12:18:47 +0200
Superseded in trusty-updates
Superseded in trusty-security
tomcat7 (7.0.52-1ubuntu0.3) trusty-security; urgency=medium

  * SECURITY UPDATE: arbitrary file disclosure via XML parser
    (LP: #1449975)
    - debian/patches/CVE-2014-0119.patch: add defensive coding and ensure
      TLD parser obtained from cache has correct value of blockExternal in
      java/org/apache/catalina/security/SecurityClassLoad.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/startup/TldConfig.java,
      java/org/apache/jasper/compiler/JspDocumentParser.java,
      java/org/apache/jasper/xmlparser/ParserUtils.java,
      java/org/apache/tomcat/util/security/PrivilegedGetTccl.java,
      java/org/apache/tomcat/util/security/PrivilegedSetTccl.java.
    - CVE-2014-0119
  * SECURITY UPDATE: HTTP request smuggling or denial of service via
    streaming with malformed chunked transfer encoding (LP: #1449975)
    - debian/patches/CVE-2014-0227.patch: add error flag and improve i18n
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      java/org/apache/coyote/http11/filters/LocalStrings.properties.
    - CVE-2014-0227
  * SECURITY UPDATE: denial of service via aborted upload attempts
    (LP: #1449975)
    - debian/patches/CVE-2014-0230.patch: limit amount of data in
      java/org/apache/coyote/http11/AbstractHttp11Processor.java,
      java/org/apache/coyote/http11/AbstractHttp11Protocol.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11AprProtocol.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/coyote/http11/Http11NioProtocol.java,
      java/org/apache/coyote/http11/Http11Processor.java,
      java/org/apache/coyote/http11/Http11Protocol.java,
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      java/org/apache/coyote/http11/filters/IdentityInputFilter.java,
      java/org/apache/coyote/http11/filters/LocalStrings.properties,
      test/org/apache/catalina/core/TestSwallowAbortedUploads.java,
      webapps/docs/config/http.xml.
    - CVE-2014-0230
  * SECURITY UPDATE: SecurityManager bypass via Expression Language
    - debian/patches/CVE-2014-7810.patch: handle classes that may not be
      accessible but have accessible interfaces in
      java/javax/el/BeanELResolver.java, remove unnecessary code in
      java/org/apache/jasper/runtime/PageContextImpl.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2014-7810
  * Replace expired ssl certs and use TLS to fix tests causing FTBFS:
    - debian/patches/0022-use-tls-in-ssl-unit-tests.patch
    - debian/patches/0023-replace-expired-ssl-certificates.patch
    - debian/source/include-binaries

 -- Marc Deslauriers <email address hidden>  Fri, 19 Jun 2015 12:30:21 -0400
Obsolete in utopic-updates
Obsolete in utopic-security
tomcat7 (7.0.55-1ubuntu0.2) utopic-security; urgency=medium

  * SECURITY UPDATE: SecurityManager bypass via Expression Language
    - debian/patches/CVE-2014-7810.patch: handle classes that may not be
      accessible but have accessible interfaces in
      java/javax/el/BeanELResolver.java, remove unnecessary code in
      java/org/apache/jasper/runtime/PageContextImpl.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2014-7810
  * Replace expired ssl certs and use TLS to fix tests causing FTBFS:
    - debian/patches/0022-use-tls-in-ssl-unit-tests.patch
    - debian/patches/0023-replace-expired-ssl-certificates.patch
    - debian/source/include-binaries

 -- Marc Deslauriers <email address hidden>  Fri, 19 Jun 2015 09:52:59 -0400
Obsolete in vivid-updates
Obsolete in vivid-security
tomcat7 (7.0.56-2ubuntu0.1) vivid-security; urgency=medium

  * SECURITY UPDATE: SecurityManager bypass via Expression Language
    - debian/patches/CVE-2014-7810.patch: handle classes that may not be
      accessible but have accessible interfaces in
      java/javax/el/BeanELResolver.java, remove unnecessary code in
      java/org/apache/jasper/runtime/PageContextImpl.java,
      java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2014-7810

 -- Marc Deslauriers <email address hidden>  Fri, 19 Jun 2015 09:47:50 -0400
Superseded in wily-release
Deleted in wily-proposed (Reason: moved to release)
tomcat7 (7.0.62-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Replaced the date in ServerInfo.properties and in the documentation
    with the latest date in debian/changelog to make the build reproducible
  * debian/rules:
    - Modified to use the dh sequencer
    - Simplified the ant invocation and moved some properties
      to debian/ant.properties
    - Do not set the version.* properties already defined
      in build.properties.default
    - Renamed T_VER to VERSION
    - Removed the RWFILES and RWLOC variables
    - Merged the ANT_ARGS and ANT_INVOKE variables
    - No longer remove the long gone .svn directories under
      /usr/share/tomcat8/webapps/default_root
    - Let dh_fixperms set the permissions instead of calling chmod +x
    - Use debian/tomcat7-user.manpages instead of calling dh_installman
    - Updated the copyright year in the Javadoc

 -- Emmanuel Bourg <email address hidden>  Wed, 27 May 2015 11:43:31 +0200

Superseded in wily-release
Deleted in wily-proposed (Reason: moved to release)
tomcat7 (7.0.61-1) unstable; urgency=medium

  * Upload to unstable
  * New upstream release
    - Refreshed the patches
    - Updated the test certificates
    - Added a patch renaming the taglibs-standard-*.jar files used in the tests
  * debian/rules: export JAVA_HOME to fix a build failure
  * debian/orig-tar.sh: Exclude the taglibs-standard-*.jar files
    from the upstream tarball
  * Removed the timestamp from the Javadoc of the Servlet API
    to make the build reproducible

 -- Emmanuel Bourg <email address hidden>  Wed, 06 May 2015 17:12:36 +0200

Superseded in wily-release
Deleted in wily-proposed (Reason: moved to release)
tomcat7 (7.0.56-3) unstable; urgency=medium


  * Provide a clearer, more maintainable fix for #780519, with an approach
    similar to the one Emmanuel used in the past to fix a similar issue in
    stable.

 -- Miguel Landaeta <email address hidden>  Sat, 28 Mar 2015 13:14:04 -0300

Superseded in wily-release
Obsolete in vivid-release
Deleted in vivid-proposed (Reason: moved to release)
tomcat7 (7.0.56-2) unstable; urgency=medium


  * Fix FTBFS error by making sure SSL unit tests use TLS protocols.
    - SSLv3 and previous protocols are not secure and deprecated
      in JDK7.
    - Additionally, some X509 certificates provided by upstream expired
      and were causing failures in unit tests as well, so they were
      regenerated. (Closes: #780519).
  * Fix FTBFS error by disabling some unit tests that depend on
    having network access.

 -- Miguel Landaeta <email address hidden>  Thu, 26 Mar 2015 00:15:03 -0300

Superseded in vivid-release
Deleted in vivid-proposed (Reason: moved to release)
tomcat7 (7.0.56-1) unstable; urgency=medium


  * New upstream release
  * Install the extra jar catalina-jmx-remote.jar (Closes: #719921)
  * Removed the note about the authbind IPv6 incompatibility
    in /etc/defaults/tomcat7
  * Added the SimpleInstanceManager class from Tomcat 8 to help integrating
    the JSP compiler into Jetty 8

 -- Emmanuel Bourg <email address hidden>  Mon, 06 Oct 2014 10:25:48 +0200

Superseded in vivid-release
Obsolete in utopic-release
Deleted in utopic-proposed (Reason: moved to release)
tomcat7 (7.0.55-1) unstable; urgency=medium


  * New upstream release
  * Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Tue, 29 Jul 2014 17:25:50 +0200

Superseded in trusty-updates
Superseded in trusty-security
tomcat7 (7.0.52-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via malformed chunk size
    - debian/patches/CVE-2014-0075.patch: fix overflow and added tests to
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java.
    - CVE-2014-0075
  * SECURITY UPDATE: file disclosure via XXE issue
    - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a
      relative path in conf/web.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/LocalStrings.properties,
      webapps/docs/default-servlet.xml.
    - CVE-2014-0096
  * SECURITY UPDATE: HTTP request smuggling attack via crafted
    Content-Length HTTP header
    - debian/patches/CVE-2014-0099.patch: correctly handle long values in
      java/org/apache/tomcat/util/buf/Ascii.java, added test to
      test/org/apache/tomcat/util/buf/TestAscii.java.
    - CVE-2014-0099
 -- Marc Deslauriers <email address hidden>   Thu, 24 Jul 2014 13:24:54 -0400
Superseded in utopic-release
Deleted in utopic-proposed (Reason: moved to release)
tomcat7 (7.0.54-2) unstable; urgency=medium


  [ Emmanuel Bourg ]
  * debian/defaults.template: Bumped the required version of Java mentioned
    in the comment on the JAVA_HOME variable
  * debian/tomcat7.init: Search for OpenJDK 8 and Oracle JDKs when starting
    the server (Closes: #714349)
  * Updated the version required for libtcnative-1 (>= 1.1.30)
    (Closes: #750454)

 -- tony mancill <email address hidden>  Sat, 14 Jun 2014 08:09:02 -0700

Superseded in utopic-release
Deleted in utopic-proposed (Reason: moved to release)
tomcat7 (7.0.54-1) unstable; urgency=medium


  * New upstream release
  * Refreshed the patches
  * Use XZ compression for the upstream tarball

 -- Emmanuel Bourg <email address hidden>  Thu, 22 May 2014 10:27:10 +0200

Superseded in utopic-release
Deleted in utopic-proposed (Reason: moved to release)
tomcat7 (7.0.53-1) unstable; urgency=low


  * New upstream release.
  * Refresh patches:
    - debian/patches/0011-fix-classpath-lintian-warnings.patch.
    - debian/patches/0015_disable_test_TestCometProcessor.patch.
  * Add new patch:
    - Disabled Java 8 support in JSPs (requires an Eclipse compiler update).
  * Update my email address in Uploaders list.

 -- Miguel Landaeta <email address hidden>  Thu, 01 May 2014 23:33:35 -0300

Obsolete in quantal-updates
Obsolete in quantal-security
tomcat7 (7.0.30-0ubuntu1.3) quantal-security; urgency=medium

  * SECURITY UPDATE: request smuggling attack via content-length headers
    - debian/patches/CVE-2013-4286.patch: use long as content length in
      java/org/apache/coyote/Request.java, handle multiple content lengths
      in java/org/apache/coyote/ajp/AbstractAjpProcessor.java, handle
      content length and chunked encoding being both specified in
      java/org/apache/coyote/http11/AbstractHttp11Processor.java.
    - CVE-2013-4286
  * SECURITY UPDATE: denial of service via chunked transfer coding
    - debian/patches/CVE-2013-4322.patch: enforce maximum size in
      java/org/apache/coyote/http11/{AbstractHttp11Processor.java,
      AbstractHttp11Protocol.java, Http11AprProcessor.java,
      Http11AprProtocol.java, Http11NioProcessor.java,
      Http11NioProtocol.java, Http11Processor.java, Http11Protocol.java},
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java,
      webapps/docs/config/http.xml.
    - CVE-2013-4322
  * SECURITY UPDATE: denial of service via malformed content-type header
    - debian/patches/CVE-2014-0050.patch: validate sizes in
      java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java,
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2014-0050
  * d/p/0018-update-test-certificates.patch: remove binary parts to
    support newer quilt.
 -- Marc Deslauriers <email address hidden>   Tue, 04 Mar 2014 10:45:20 -0500
Obsolete in saucy-updates
Obsolete in saucy-security
tomcat7 (7.0.42-1ubuntu0.1) saucy-security; urgency=medium

  * SECURITY UPDATE: request smuggling attack via content-length headers
    - debian/patches/CVE-2013-4286.patch: use long as content length in
      java/org/apache/coyote/Request.java, handle multiple content lengths
      in java/org/apache/coyote/ajp/AbstractAjpProcessor.java, handle
      content length and chunked encoding being both specified in
      java/org/apache/coyote/http11/AbstractHttp11Processor.java.
    - CVE-2013-4286
  * SECURITY UPDATE: denial of service via chunked transfer coding
    - debian/patches/CVE-2013-4322.patch: enforce maximum size in
      java/org/apache/coyote/http11/{AbstractHttp11Processor.java,
      AbstractHttp11Protocol.java, Http11AprProcessor.java,
      Http11AprProtocol.java, Http11NioProcessor.java,
      Http11NioProtocol.java, Http11Processor.java, Http11Protocol.java},
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java,
      webapps/docs/config/http.xml.
    - CVE-2013-4322
  * SECURITY UPDATE: denial of service via malformed content-type header
    - debian/patches/CVE-2014-0050.patch: validate sizes in
      java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java,
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2014-0050
 -- Marc Deslauriers <email address hidden>   Tue, 04 Mar 2014 10:22:07 -0500
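
The request-smuggling and chunked-encoding fixes in the quantal and saucy entries above (CVE-2013-4286, CVE-2013-4322), the chunk-size and Content-Length overflow fixes in the trusty entry (CVE-2014-0075, CVE-2014-0099), and the chunked-filter error flag and swallow limit in the entry at the top of this section (CVE-2014-0227, CVE-2014-0230) all come down to a handful of framing checks on the request body. The block below is an added example written for this page, not Tomcat's code or the package's patches: it shows those checks in plain Python so they can be run offline. Every limit constant, class and function name here is an assumption for the demo; Tomcat exposes comparable limits as connector attributes, but the values chosen are not Tomcat's defaults.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Limits are assumptions chosen for this demo; Tomcat exposes comparable
# connector attributes (maxExtensionSize, maxTrailerSize, maxSwallowSize).
MAX_CONTENT_LENGTH = 2**63 - 1      # body length tracked as a signed 64-bit value
MAX_CHUNK_SIZE = 2**31 - 1          # a hex chunk size must fit a signed 32-bit int
MAX_EXTENSION_SIZE = 8192           # total bytes allowed for chunk extensions
MAX_TRAILER_SIZE = 8192             # total bytes allowed for trailer headers
MAX_SWALLOW_SIZE = 2 * 1024 * 1024  # bytes discarded after an aborted upload
_CHUNK_SIZE_RE = re.compile(rb"[0-9a-fA-F]{1,8}")

class FramingError(ValueError):
    """Ambiguous or malformed framing: answer 400 and close the connection."""

def framing_policy(headers: List[Tuple[str, str]]) -> Optional[int]:
    """Return the Content-Length, or None for a chunked body. Refuses what a
    proxy and the server could read differently (request smuggling): Content-Length
    next to Transfer-Encoding: chunked, differing duplicate Content-Length values,
    and values that are not a non-negative decimal fitting in 64 bits."""
    lengths = [v.strip() for k, v in headers if k.lower() == "content-length"]
    codings = [v.strip().lower() for k, v in headers if k.lower() == "transfer-encoding"]
    chunked = any(c.split(",")[-1].strip() == "chunked" for c in codings)
    if lengths and chunked:
        raise FramingError("Content-Length and Transfer-Encoding: chunked both present")
    if chunked:
        return None
    if not lengths:
        return 0
    if len(set(lengths)) > 1:  # identical duplicates tolerated, differing ones refused
        raise FramingError("conflicting Content-Length values")
    raw = lengths[0]
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 19:
        raise FramingError("Content-Length is not a valid non-negative decimal")
    if int(raw) > MAX_CONTENT_LENGTH:
        raise FramingError("Content-Length overflows a 64-bit length")
    return int(raw)

@dataclass
class ChunkedDecoder:
    """Decode one chunked body from `data`. A malformed chunk latches `error`
    so leftover bytes are never parsed as the next request on the connection."""
    data: bytes
    pos: int = 0
    error: bool = False
    extension_bytes: int = 0

    def _read_line(self) -> bytes:
        end = self.data.find(b"\r\n", self.pos)
        if end < 0:
            raise FramingError("unterminated line")
        line, self.pos = self.data[self.pos:end], end + 2
        return line

    def _chunk_size(self, line: bytes) -> int:
        size_field, sep, ext = line.partition(b";")
        if sep:  # chunk extension: charge it against the limit, then ignore it
            self.extension_bytes += len(ext) + 1
            if self.extension_bytes > MAX_EXTENSION_SIZE:
                raise FramingError("chunk extensions exceed limit")
        digits = size_field.strip()
        if not _CHUNK_SIZE_RE.fullmatch(digits):
            raise FramingError("invalid chunk size")
        size = int(digits, 16)
        if size > MAX_CHUNK_SIZE:
            raise FramingError("chunk size overflows a 32-bit int")
        return size

    def _read_trailers(self) -> None:
        total = 0
        while (line := self._read_line()) != b"":
            total += len(line) + 2
            if total > MAX_TRAILER_SIZE:
                raise FramingError("trailer headers exceed limit")

    def decode(self) -> bytes:
        if self.error:
            raise FramingError("decoder in error state; connection must close")
        out = bytearray()
        try:
            while (size := self._chunk_size(self._read_line())) != 0:
                chunk = self.data[self.pos:self.pos + size]
                if len(chunk) != size:
                    raise FramingError("truncated chunk data")
                self.pos += size
                if self.data[self.pos:self.pos + 2] != b"\r\n":
                    raise FramingError("chunk data not terminated by CRLF")
                self.pos += 2
                out += chunk
            self._read_trailers()
        except FramingError:
            self.error = True
            raise
        return bytes(out)

def can_swallow_remainder(declared_length: int, bytes_read: int) -> bool:
    """After an aborted upload with a fixed-length body: drain the rest to keep
    the connection alive only if it fits in MAX_SWALLOW_SIZE, else close."""
    return declared_length - bytes_read <= MAX_SWALLOW_SIZE
```

A request carrying both `Content-Length: 5` and `Transfer-Encoding: chunked` is refused by `framing_policy` rather than parsed one way by a proxy and another by the server; a 20-digit Content-Length or a nine-digit hex chunk size is refused instead of being allowed to wrap around, and once `ChunkedDecoder` has seen a bad chunk its `error` flag stays set, so the caller must close the connection instead of reading further.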
Superseded in utopic-release
Published in trusty-release
Deleted in trusty-proposed (Reason: moved to release)
tomcat7 (7.0.52-1) unstable; urgency=low


  * Team upload.
  * New upstream release.
    - Addresses security issue: CVE-2014-0050

 -- Gianfranco Costamagna <email address hidden>  Wed, 19 Feb 2014 14:09:48 +0100

Superseded in trusty-release
Deleted in trusty-proposed (Reason: moved to release)
tomcat7 (7.0.50-1) unstable; urgency=medium


  * New upstream release.

 -- James Page <email address hidden>  Tue, 14 Jan 2014 18:09:28 +0000

Superseded in trusty-release
Deleted in trusty-proposed (Reason: moved to release)
tomcat7 (7.0.47-1) unstable; urgency=low


  [ Gianfranco Costamagna ]
  * Team upload.
  * New upstream release, patch refresh.
  * Renamed patch fix-manager-webapp.path
    to fix-manager-webapp.patch (extension typo).
  * Refresh patches for upstream release.
  * Removed -Djava.net.preferIPv4Stack=true
    from init script (lp: #1088681),
    thanks Hendrik Haddorp.
  * Added webapp manager path patch (lp: #1128067)
    thanks TJ.

  [ tony mancill ]
  * Bump Standards-Version to 3.9.5.
  * Change copyright year in javadocs to 2013.
  * Add patch to include the distribution name in error pages.
    (Closes: #729840)

 -- tony mancill <email address hidden>  Tue, 24 Dec 2013 16:46:34 +0000

Superseded in trusty-release
Superseded in trusty-release
Superseded in trusty-release
Obsolete in saucy-release
Deleted in saucy-proposed (Reason: moved to release)
tomcat7 (7.0.42-1) unstable; urgency=low


  [ Gianfranco Costamagna ]
  * Team upload.
  * New upstream release.
  * Added libhamcrest-java >= 1.3 as build-dep,
    tweaked debian/rules.
  * Bumped compat level to 9.
  * Removed some version checks, newer releases already in oldstable.
  * Refresh patches.
  * debian/control: changed Vcs-Git and Vcs-Browser fields,
    now they are canonical.
  * Fixed error message in Tomcat init script,
    patch by Thijs Kinkhorst (Closes: #714348)

 -- Gianfranco Costamagna <email address hidden>  Tue, 16 Jul 2013 17:34:58 +0200

Superseded in quantal-updates
Superseded in quantal-security
tomcat7 (7.0.30-0ubuntu1.2) quantal-security; urgency=low

  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID
      in java/org/apache/catalina/authenticator/FormAuthenticator.java.
    - CVE-2013-2067
  * SECURITY UPDATE: information leak via AsyncListeners and
    RuntimeExceptions (LP: #1178645)
    - debian/patches/CVE-2013-2071.patch: catch RuntimeExceptions in
      java/org/apache/catalina/core/AsyncContextImpl.java, added tests to
      test/org/apache/catalina/core/TestAsyncContextImpl.java.
    - CVE-2013-2071
  * Fix FTBFS due to expired test certificates:
    - d/keystores/*.jks: Newer keystores from upstream 7.0.39.
    - d/rules: Install newer keystores for testing, tidy up after use.
    - d/p/0018-update-test-certificates.patch: Cherry picked fixes from
      upstream VCS to update text based certificates.
 -- Marc Deslauriers <email address hidden>   Thu, 23 May 2013 09:04:36 -0400
Obsolete in raring-updates
Obsolete in raring-security
tomcat7 (7.0.35-1~exp2ubuntu1.1) raring-security; urgency=low

  * SECURITY UPDATE: information leak via AsyncListeners and
    RuntimeExceptions (LP: #1178645)
    - debian/patches/CVE-2013-2071.patch: catch RuntimeExceptions in
      java/org/apache/catalina/core/AsyncContextImpl.java, added tests to
      test/org/apache/catalina/core/TestAsyncContextImpl.java.
    - CVE-2013-2071
 -- Marc Deslauriers <email address hidden>   Tue, 21 May 2013 10:07:15 -0400
Superseded in saucy-release
Deleted in saucy-proposed (Reason: moved to release)
tomcat7 (7.0.40-2) unstable; urgency=low


  * Fix deployment of POMs for libservlet-3.0-java JARs into javax
    coordinates.
    - JARs were deployed into maven-repo, but not POMs.
  * Fix servlet-api groupId in d/javaxpoms/jsp-api.pom.

 -- Jakub Adam <email address hidden>  Thu, 16 May 2013 17:35:52 +0200

Superseded in saucy-release
Deleted in saucy-proposed (Reason: moved to release)
tomcat7 (7.0.40-1) unstable; urgency=low


  * New upstream release.
    - Addresses security issue: CVE-2013-2071
  * Refresh patches:
    - 0015_disable_test_TestCometProcessor.patch

 -- Miguel Landaeta <email address hidden>  Fri, 10 May 2013 19:10:36 -0300
Superseded in saucy-release
Obsolete in raring-release
Deleted in raring-proposed (Reason: moved to release)
tomcat7 (7.0.35-1~exp2ubuntu1) raring; urgency=low

  * Fix FTBFS due to expired test certificates (LP: #1166187):
    - d/keystores/*.jks: Newer keystores from upstream 7.0.39.
    - d/rules: Install newer keystores for testing, tidy up after use.
    - d/p/0018-update-test-certificates.patch: Cherry picked fixes from
      upstream VCS to update text based certificates.
 -- James Page <email address hidden>   Mon, 08 Apr 2013 14:02:42 +0100
Published in precise-updates
Published in precise-security
tomcat7 (7.0.26-1ubuntu1.2) precise-security; urgency=low

  [Christian Kuersteiner]
  * SECURITY UPDATE: Fix multiple vulnerabilities in Tomcat7
    (LP: #1115053)
    - debian/patches/0013-CVE-2012-2733.patch: Fix for Apache Tomcat Denial of
      Service. Based on upstream patch.
    - CVE-2012-2733
    - debian/patches/0014-CVE-2012-3546.patch: Fix for bypass of security
      constraints. Based on upstream patch.
    - CVE-2012-3546
    - debian/patches/0015-CVE-2012-4431.patch: Fix for bypass of CSRF prevention
      filter. Based on upstream patch.
    - CVE-2012-4431
    - debian/patches/0016-CVE-2012-4534.patch: Fix for CVE-2012-4534 Denial of
      Service Vulnerability. Based on upstream patch.
    - CVE-2012-4534
    - debian/patches/CVE-2012-3439.patch: Fix for DIGEST authentication
      weaknesses. Based on upstream patch.
    - CVE-2012-3439, CVE-2012-5885, CVE-2012-5886, CVE-2012-5887

  [ Jamie Strandboge ]
  * allow for easily running the testsuite:
    - debian/control: add testsuite build-depends
    - debian/rules:
      + add 'testsuite' target
      + add ANT_TS_ARGS for use in the testsuite target
      + cleanup the testsuite
    - add debian/README.source for information on how to use the testsuite
 -- Christian Kuersteiner <email address hidden>   Tue, 19 Mar 2013 14:48:19 +0100
Obsolete in oneiric-updates
Obsolete in oneiric-security
tomcat7 (7.0.21-1ubuntu0.1) oneiric-security; urgency=low

  [Christian Kuersteiner]
  * SECURITY UPDATE: Fix multiple vulnerabilities in Tomcat7
    (LP: #1115053)
    - debian/patches/CVE-2012-0022.patch: Fix for Denial of service. Based on
      upstream patch.
    - CVE-2012-0022, CVE-2011-4858
    - debian/patches/CVE-2011-3375.patch: Fix for information disclosure. Based
      on upstream patch.
    - CVE-2011-3375
    - debian/patches/CVE-2011-3376.patch: Fix for privilege escalation. Based on
      upstream patch.
    - CVE-2011-3376
    - debian/patches/CVE-2012-2733.patch: Fix for Apache Tomcat Denial of
      Service. Based on upstream patch.
    - CVE-2012-2733
    - debian/patches/CVE-2012-3546.patch: Fix for bypass of security
      constraints. Based on upstream patch.
    - CVE-2012-3546
    - debian/patches/CVE-2012-4431.patch: Fix for bypass of CSRF prevention
      filter. Based on upstream patch.
    - CVE-2012-4431
    - debian/patches/CVE-2012-4534.patch: Fix for CVE-2012-4534 Denial of
      Service Vulnerability. Based on upstream patch.
    - CVE-2012-4534
    - debian/patches/CVE-2012-3439.patch: Fix for DIGEST authentication
      weaknesses. Based on upstream patch.
    - CVE-2012-3439, CVE-2012-5885, CVE-2012-5886, CVE-2012-5887

  [ Jamie Strandboge ]
  * allow for easily running the testsuite:
    - debian/control: add testsuite build-depends
    - debian/rules:
      + add 'testsuite' target
      + add ANT_TS_ARGS for use in the testsuite target
      + cleanup the testsuite
    - add debian/README.source for information on how to use the testsuite
 -- Christian Kuersteiner <email address hidden>   Fri, 15 Mar 2013 15:40:27 -0700
Superseded in raring-release
Deleted in raring-proposed (Reason: moved to release)
tomcat7 (7.0.35-1~exp2) experimental; urgency=low


  * Switch from Commons DBCP to Tomcat JDBC Pool as default connection
    pool implementation (Closes: #701023).

 -- James Page <email address hidden>  Sun, 24 Feb 2013 22:08:22 +0000
Superseded in raring-release
Deleted in raring-proposed (Reason: moved to release)
tomcat7 (7.0.35-1~exp1ubuntu1) raring; urgency=low

  * Merge from Debian experimental, remaining changes:
    + Enabled Tomcat jdbc-pool module, aligning more closely to upstream and
      providing improved multi-threaded performance over commons-dbcp:
      - d/rules,d/libtomcat7-java.poms: Install tomcat-dbcp.jar file.
      - d/patches/0005-change-default-DBCP-factory-class.patch: Drop patch
        which switches the default DBCP factory to commons-dbcp.
      - d/p/0015-use-jdbc-pool-default.patch: Make jdbc-pool module the
        default pool implementation for DataSources.
      - d/NEWS: let users know about this change.
  * Dropped changes, included in Debian:
    - d/p/0014-fix-override.patch: Fix FTBFS due to differing dependency
      versions compared to upstream.
 -- James Page <email address hidden>   Wed, 20 Feb 2013 15:34:18 +0000
Superseded in quantal-updates
Superseded in quantal-security
tomcat7 (7.0.30-0ubuntu1.1) quantal-security; urgency=low

  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431
 -- Marc Deslauriers <email address hidden>   Thu, 10 Jan 2013 09:35:41 -0500
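
The CSRF filter fix above (CVE-2012-4431, "check for session identifier") and the FORM authentication fix in the quantal 7.0.30-0ubuntu1.2 entry (CVE-2013-2067, "properly change session ID") are both about what a server does with the session before it trusts a request. The block below is an added example written for this page, not Tomcat's code or the package's patches: a toy in-memory session store in plain Python in which the session ID is rotated on login and a request with no session is denied by the CSRF check instead of being exempted from it. The credential table, the token scheme, the `entry_points` set and every name here are assumptions for the demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set

# Constructed credential table for the demo (not a real realm).
_USERS = {"alice": "correct horse battery staple"}


def check_credentials(username: str, password: str) -> bool:
    expected = _USERS.get(username)
    return expected is not None and hmac.compare_digest(expected.encode(), password.encode())


@dataclass
class Session:
    sid: str
    attributes: Dict[str, object] = field(default_factory=dict)
    csrf_nonce: Optional[str] = None


class SessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def create(self) -> Session:
        session = Session(sid=secrets.token_urlsafe(32))
        self._sessions[session.sid] = session
        return session

    def get(self, sid: Optional[str]) -> Optional[Session]:
        return self._sessions.get(sid) if sid else None

    def change_session_id(self, session: Session) -> str:
        """Issue a fresh ID for an existing session and retire the old one, so an
        ID planted before login (session fixation) no longer resolves to the
        authenticated session."""
        del self._sessions[session.sid]
        session.sid = secrets.token_urlsafe(32)
        self._sessions[session.sid] = session
        return session.sid


def form_login(store: SessionStore, sid: Optional[str], username: str, password: str) -> Optional[Session]:
    """FORM-style login: the session ID is changed before the principal is stored."""
    if not check_credentials(username, password):
        return None
    session = store.get(sid) or store.create()
    store.change_session_id(session)
    session.attributes["principal"] = username
    return session


def issue_csrf_nonce(session: Session) -> str:
    """Hand out the per-session nonce that state-changing requests must echo back."""
    session.csrf_nonce = secrets.token_urlsafe(16)
    return session.csrf_nonce


def csrf_allows(store: SessionStore, sid: Optional[str], path: str,
                nonce: Optional[str], entry_points: Set[str]) -> bool:
    """CSRF filter decision. Entry points (e.g. the login page) are always let
    through; every other request must present the nonce stored in a valid
    session. A request with no session, or with an unknown session ID, is
    denied rather than exempted: exempting it is the bypass the entry above fixes."""
    if path in entry_points:
        return True
    session = store.get(sid)
    if session is None or session.csrf_nonce is None or nonce is None:
        return False
    return hmac.compare_digest(session.csrf_nonce.encode(), nonce.encode())
```

The order in `form_login` matters: the ID is rotated before the principal is attached, so whoever holds the pre-login ID is left with a session that no longer exists. In `csrf_allows` the absence of a session is treated as "no nonce to verify, deny", never as "nothing to check, allow".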
Superseded in raring-release
Deleted in raring-proposed (Reason: moved to release)
tomcat7 (7.0.34-0ubuntu1) raring; urgency=low

  * New upstream release.
    - d/p/0014-fix-override.patch: Fix FTBFS due to differing dependency
      versions compared to upstream.
  * d/p/0015-use-jdbc-pool-default.patch: Make jdbc-pool module the default
    pool implementation for DataSources (LP: #1071817).
 -- James Page <email address hidden>   Thu, 06 Dec 2012 13:47:08 +0000

Superseded in raring-release
Obsolete in quantal-release
tomcat7 (7.0.30-0ubuntu1) quantal; urgency=low

  * New upstream point release including several fixes for Java 7
    specific issues.
  * Refreshed patches.
 -- James Page <email address hidden>   Mon, 17 Sep 2012 10:52:06 +0100
Superseded in quantal-release
tomcat7 (7.0.29-0ubuntu1) quantal; urgency=low

  * Re-sync with Debian unstable.
  * New upstream release:
    - Refreshed patches.
  * Enabled Tomcat jdbc-pool module, aligning more closely to upstream and
    providing improved multi-threaded performance over commons-dbcp:
    - d/rules,d/libtomcat7-java.poms: Install tomcat-dbcp.jar file.
    - d/patches/0005-change-default-DBCP-factory-class.patch: Drop patch
      which switches the default DBCP factory to commons-dbcp.
    - d/NEWS: let users know about this change.

Superseded in precise-updates
Deleted in precise-proposed (Reason: moved to -updates)
tomcat7 (7.0.26-1ubuntu1.1) precise-proposed; urgency=low

  * Fix handling of JNDI lookups using javax.naming.Name (LP: #1012794):
    - d/patches/0012-lp-1012794-fix-jndi-lookup.patch: Cherry picked patch
      from upstream VCS which ensures that JNDI lookups that use Name
      rather than String don't fail.
 -- James Page <email address hidden>   Thu, 12 Jul 2012 21:52:17 +0100
Superseded in quantal-release
Superseded in quantal-release
tomcat7 (7.0.28-1) unstable; urgency=low


  [ Miguel Landaeta ]
  * Add Slovak debconf translation (Closes: #677913).
    - Thanks to Ivan Masár.

  [ James Page ]
  * New upstream release.
  * Enable test suite during package build:
    - d/control: Add junit4, libjstl1.1-java and
      libjakarta-taglibs-standard-java to BDI's.
    - d/rules:
      + Add ant/junit4 jar files to build classpath.
      + Target java 1.6 to support test suite execution.
      + Specify location of junit jar file.
      + Install jstl jar files to example webapp during build.
      + Conditionally execute test target if required.
      + Purge jar files from example webapp during clean.
  * Fix JSTL examples in examples web application:
    - d/control: Add dependencies on libjstl1.1-java and
      libjakarta-taglibs-standard-java for tomcat7-examples.
    - d/tomcat7-examples.links: Add links to jstl and standard jar
      files for examples web application.
    - d/context/examples.xml: Allow linking to jar files in examples
      webapp.
  * Fix mapping to javax packages for API jar files:
    - d/maven.[rules,publishedRules]: Ensure all javax.[servlet|el] jar files
      are published to the correct locations in /usr/share/[maven-repo|java].
    - d/libservlet3.0-java.manifest: Update jar file locations for javax
      remapping.
    - d/libservlet3.0-java.links: Provide backwards compatible links for
      deprecated tomcat-*.jar files in /usr/share/java.

  [ tony mancill ]
  * Set DMUA flag.

 -- tony mancill <email address hidden>  Fri, 22 Jun 2012 07:06:46 -0700
Superseded in quantal-release
tomcat7 (7.0.27-1ubuntu2) quantal; urgency=low

  * Enable test suite during package build:
    - d/control: Add junit4, libjstl1.1-java and
      libjakarta-taglibs-standard-java to BDI's.
    - d/rules:
      + Add ant/junit4 jar files to build classpath.
      + Target java 1.6 to support test suite execution.
      + Specify location of junit jar file.
      + Install jstl jar files to example webapp during build.
      + Conditionally execute test target if required.
      + Purge jar files from example webapp during clean.
  * Fix JSTL examples in examples web application:
    - d/control: Add dependencies on libjstl1.1-java and
      libjakarta-taglibs-standard-java for tomcat7-examples.
    - d/tomcat7-examples.links: Add links to jstl and standard jar
      files for examples web application.
    - d/context/examples.xml: Allow linking to jar files in examples
      webapp.
 -- James Page <email address hidden>   Sun, 17 Jun 2012 20:07:56 +0100
Superseded in quantal-release
tomcat7 (7.0.27-1ubuntu1) quantal; urgency=low

  * Fix mapping to javax packages for API jar files:
    - d/maven.[rules,publishedRules]: Ensure all javax.[servlet|el] jar files
      are published to the correct locations in /usr/share/[maven-repo|java].
    - d/libservlet3.0-java.manifest: Update jar file locations for javax
      remapping.
    - d/libservlet3.0-java.links: Provide backwards compatible links for
      deprecated tomcat-*.jar files in /usr/share/java.
 -- James Page <email address hidden>   Fri, 15 Jun 2012 15:51:19 +0100
Superseded in quantal-release
tomcat7 (7.0.27-1) unstable; urgency=low


  * New upstream release.

 -- tony mancill <email address hidden>  Thu, 07 Jun 2012 22:43:21 -0700

Superseded in quantal-release
tomcat7 (7.0.26-4) unstable; urgency=low


  * Address regression leaving ROOT webapp files after purge.  
    (Closes: #670440)
  * Update copyright year in javadoc to 2012.

 -- tony mancill <email address hidden>  Mon, 28 May 2012 18:45:07 -0700

Superseded in quantal-release
tomcat7 (7.0.26-3) unstable; urgency=low


  * Team upload.
  * Apply patches provided by James Page (Closes: #671370)
    - d/patches/0012-java7-compat.patch: Added compatibility patch to
      support compilation with openjdk-7 as default-jdk (LP: #889002).
    - d/default_root/index.html: Fixup instructions for enabling
      manager web application access (LP: #910368).
  * Fix README.Debian symlink; file is not compressed. (Closes: #674119)

 -- tony mancill <email address hidden>  Wed, 23 May 2012 22:13:23 -0700
Superseded in quantal-release
tomcat7 (7.0.26-2ubuntu1) quantal; urgency=low

  * Resync with Debian.
  * d/patches/0012-java7-compat.patch: Added compatibility patch to
    support compilation with openjdk-7 as default-jdk (LP: #889002).
  * d/default_root/index.html: Fixup instructions for enabling
    manager web application access (LP: #910368).

Superseded in quantal-release
Published in precise-release
tomcat7 (7.0.26-1ubuntu1) precise; urgency=low

  * Handle creation of user instances with pathnames containing spaces
    (LP: #977498):
    - d/tomcat7-instance-create: Quote access to files and directories
      so that spaces can be used when creating user instances.
 -- James Page <email address hidden>   Wed, 11 Apr 2012 10:49:51 +0100
Superseded in precise-release
tomcat7 (7.0.26-1) unstable; urgency=low


  [ Jakub Adam ]
  * New upstream release.
  * Add Jakub Adam to Uploaders.
  * Bump Standards-Version to 3.9.3.
  * Don't Depend libservlet3.0-java-doc on package it documents, relax
    to Suggests.

  [ tony mancill ]
  * Add Polish debconf translation. (Closes: #661644)
    - Thanks to Michał Kułach.

 -- tony mancill <email address hidden>  Thu, 01 Mar 2012 21:22:50 -0800

Superseded in precise-release
tomcat7 (7.0.23-1) unstable; urgency=low

  * New upstream release.
  * Refresh patches.
 -- Ubuntu Archive Auto-Sync <email address hidden>   Mon,  12 Dec 2011 12:02:13 +0000

Superseded in precise-release
tomcat7 (7.0.22-1) unstable; urgency=low

  [ Miguel Landaeta ]
  * New upstream release.
  * Fix lintian warning about format specification of copyright file.

  [ tony mancill ]
  * Add dependency on JRE to tomcat7-common (Closes: #644340)
  * Modify init script to look for JVM in /usr/lib/jvm/default-java
 -- Ubuntu Archive Auto-Sync <email address hidden>   Wed,  19 Oct 2011 09:20:55 +0000

Superseded in precise-release
Obsolete in oneiric-release
tomcat7 (7.0.21-1) unstable; urgency=low

  * New upstream release.
    - Includes fix for CVE-2011-3190.
  * Updated my email address.
 -- James Page <email address hidden>   Thu,  08 Sep 2011 13:18:11 +0000
