Change log for tomcat7 package in Ubuntu
tomcat7 (7.0.68-1ubuntu0.4) xenial-security; urgency=medium

  * SECURITY REGRESSION: security manager startup issue (LP: #1799990)
    - debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch: update to new /var/lib/tomcat7/policy location.
    - debian/tomcat7.postrm.in: remove policy directory.

 -- Eduardo Barretto <email address hidden>  Tue, 30 Oct 2018 09:54:52 -0300
tomcat7 (7.0.68-1ubuntu0.3) xenial-security; urgency=medium

  * SECURITY UPDATE: Timing attack can determine valid user names.
    - debian/patches/CVE-2016-0762.patch: fix in the Realm implementation.
    - CVE-2016-0762
  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat7.init: don't follow symlinks when handling the catalina.out file.
    - CVE-2016-1240
  * SECURITY UPDATE: SecurityManager bypass via a utility method.
    - debian/patches/CVE-2016-5018.patch: remove unnecessary code in java/org/apache/jasper/compiler/JspRuntimeContext.java, java/org/apache/jasper/runtime/JspRuntimeLibrary.java, java/org/apache/jasper/security/SecurityClassLoad.java.
    - debian/patches/CVE-2016-5018-part2.patch: fix a regression when using Jasper with SecurityManager enabled.
    - CVE-2016-5018
  * SECURITY UPDATE: system properties read SecurityManager bypass
    - debian/patches/CVE-2016-6794.patch: extend SecurityManager protection to the system property replacement feature of the digester in java/org/apache/catalina/loader/WebappClassLoader.java, java/org/apache/tomcat/util/digester/Digester.java, java/org/apache/tomcat/util/security/PermissionCheck.java.
    - CVE-2016-6794
  * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration parameters.
    - debian/patches/CVE-2016-6796.patch: ignore some JSP options when running under a SecurityManager in conf/web.xml, java/org/apache/jasper/EmbeddedServletOptions.java, java/org/apache/jasper/resources/LocalStrings.properties, java/org/apache/jasper/servlet/JspServlet.java, webapps/docs/jasper-howto.xml.
    - CVE-2016-6796
  * SECURITY UPDATE: web application global JNDI resource access
    - debian/patches/CVE-2016-6797.patch: ensure that the global resource is only visible via the ResourceLinkFactory when it is meant to be in java/org/apache/catalina/core/NamingContextListener.java, java/org/apache/naming/factory/ResourceLinkFactory.java, test/org/apache/naming/TestNamingContext.java.
    - CVE-2016-6797
  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid characters in java/org/apache/coyote/http11/AbstractInputBuffer.java, java/org/apache/coyote/http11/AbstractNioInputBuffer.java, java/org/apache/coyote/http11/InternalAprInputBuffer.java, java/org/apache/coyote/http11/InternalInputBuffer.java, java/org/apache/coyote/http11/LocalStrings.properties, java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed credential types in java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when unable to complete sendfile request in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat7.postinst: properly set permissions on /etc/tomcat7/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat7.postrm.in: don't reset permissions before removing user.
    - CVE-2016-9775
  * debian/tomcat7.init: further hardening.

 -- Eduardo Barretto <email address hidden>  Fri, 19 Oct 2018 10:46:37 -0300
tomcat7 (7.0.52-1ubuntu0.16) trusty-security; urgency=medium

  * SECURITY UPDATE: arbitrary redirect issue
    - debian/patches/CVE-2018-11784.patch: avoid protocol relative redirects in java/org/apache/catalina/servlets/DefaultServlet.java.
    - CVE-2018-11784

 -- Marc Deslauriers <email address hidden>  Tue, 09 Oct 2018 11:25:36 -0400
tomcat7 (7.0.52-1ubuntu0.15) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS via issue in UTF-8 decoder
    - debian/patches/CVE-2018-1336.patch: fix logic in java/org/apache/tomcat/util/buf/Utf8Decoder.java.
    - CVE-2018-1336
  * SECURITY UPDATE: missing hostname verification in WebSocket client
    - debian/patches/CVE-2018-8034.patch: enable hostname verification by default in webapps/docs/web-socket-howto.xml, java/org/apache/tomcat/websocket/WsWebSocketContainer.java.
    - CVE-2018-8034

 -- Marc Deslauriers <email address hidden>  Wed, 25 Jul 2018 08:27:25 -0400
tomcat7 (7.0.52-1ubuntu0.14) trusty-security; urgency=medium

  * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
    - debian/patches/CVE-2017-1261x.patch: add checks to java/org/apache/catalina/servlets/DefaultServlet.java, java/org/apache/naming/resources/FileDirContext.java, java/org/apache/naming/resources/JrePlatform.java, java/org/apache/naming/resources/LocalStrings.properties, java/org/apache/naming/resources/VirtualDirContext.java, test/org/apache/naming/resources/TestFileDirContext.java.
    - CVE-2017-12616
    - CVE-2017-12617
  * SECURITY UPDATE: security constraints mapped to context root are ignored
    - debian/patches/CVE-2018-1304.patch: add check to java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2018-1304
  * SECURITY UPDATE: security constraint annotations applied too late
    - debian/patches/CVE-2018-1305.patch: change ordering in java/org/apache/catalina/Wrapper.java, java/org/apache/catalina/authenticator/AuthenticatorBase.java, java/org/apache/catalina/core/ApplicationContext.java, java/org/apache/catalina/core/ApplicationServletRegistration.java, java/org/apache/catalina/core/StandardContext.java, java/org/apache/catalina/core/StandardWrapper.java, java/org/apache/catalina/startup/ContextConfig.java, java/org/apache/catalina/startup/Tomcat.java, java/org/apache/catalina/startup/WebAnnotationSet.java.
    - CVE-2018-1305
  * SECURITY UPDATE: CORS filter has insecure defaults
    - debian/patches/CVE-2018-8014.patch: change defaults in java/org/apache/catalina/filters/CorsFilter.java, java/org/apache/catalina/filters/LocalStrings.properties, test/org/apache/catalina/filters/TestCorsFilter.java, test/org/apache/catalina/filters/TesterFilterConfigs.java.
    - CVE-2018-8014

 -- Marc Deslauriers <email address hidden>  Tue, 29 May 2018 10:22:42 -0400
tomcat7 (7.0.52-1ubuntu0.13) trusty-security; urgency=medium

  * SECURITY UPDATE: loss of pipeline requests
    - debian/patches/CVE-2017-5647.patch: improve sendfile handling when requests are pipelined in java/org/apache/coyote/AbstractProtocol.java, java/org/apache/coyote/http11/Http11AprProcessor.java, java/org/apache/coyote/http11/Http11NioProcessor.java, java/org/apache/tomcat/util/net/AprEndpoint.java, java/org/apache/tomcat/util/net/NioEndpoint.java, java/org/apache/tomcat/util/net/SendfileKeepAliveState.java, java/org/apache/tomcat/util/net/SendfileState.java.
    - CVE-2017-5647
  * SECURITY UPDATE: incorrect facade object use
    - debian/patches/CVE-2017-5648-pre.patch: fix keep-alive with asynchronous servlet in java/org/apache/catalina/core/AsyncContextImpl.java, java/org/apache/coyote/AsyncContextCallback.java, java/org/apache/coyote/AsyncStateMachine.java, test/org/apache/catalina/core/TestAsyncContextImpl.java.
    - debian/patches/CVE-2017-5648.patch: ensure request and response facades are used when firing application listeners in java/org/apache/catalina/authenticator/FormAuthenticator.java, java/org/apache/catalina/core/StandardHostValve.java.
    - CVE-2017-5648
  * SECURITY UPDATE: unexpected and undesirable results for static error pages
    - debian/patches/CVE-2017-5664.patch: use a more reliable mechanism in java/org/apache/catalina/servlets/DefaultServlet.java, java/org/apache/catalina/servlets/WebdavServlet.java.
    - CVE-2017-5664
  * SECURITY UPDATE: client and server side cache poisoning in CORS filter
    - debian/patches/CVE-2017-7674.patch: set Vary header in response in java/org/apache/catalina/filters/CorsFilter.java.
    - CVE-2017-7674

 -- Marc Deslauriers <email address hidden>  Wed, 27 Sep 2017 16:28:58 -0400
Deleted in disco-release (Reason: (From Debian) ROM; No longer used; Debian bug #914497)
Obsolete in cosmic-release
Published in bionic-release
Obsolete in artful-release
Deleted in artful-proposed (Reason: moved to release)
tomcat7 (7.0.78-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Wed, 24 May 2017 18:03:19 +0200
Obsolete in yakkety-proposed
tomcat7 (7.0.72-1ubuntu0.1) yakkety; urgency=medium

  * Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat7 contains the '%' character (LP: #1666570).
  * Fix javax.servlet.jsp POM to use servlet-api version 3.0 instead of 2.2 (LP: #1664179).

 -- Joshua Powers <email address hidden>  Tue, 28 Mar 2017 16:04:14 -0700
Deleted in xenial-proposed (Reason: The package was removed due to its SRU bug(s) not being v...)
tomcat7 (7.0.68-1ubuntu0.2) xenial; urgency=medium

  * Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat7 contains the '%' character (LP: #1666570).
  * Fix javax.servlet.jsp POM to use servlet-api version 3.0 instead of 2.2 (LP: #1664179).

 -- Joshua Powers <email address hidden>  Tue, 28 Mar 2017 16:15:05 -0700
tomcat7 (7.0.52-1ubuntu0.11) trusty; urgency=medium

  * Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat7 contains the '%' character (LP: #1666570).
  * Fix javax.servlet.jsp POM to use servlet-api version 3.0 instead of 2.2 (LP: #1664179).

 -- Joshua Powers <email address hidden>  Wed, 22 Mar 2017 13:42:56 -0600
tomcat7 (7.0.52-1ubuntu0.10) trusty-security; urgency=medium

  * SECURITY UPDATE: DoS via CPU consumption (LP: #1663318)
    - debian/patches/CVE-2017-6056.patch: fix infinite loop in java/org/apache/coyote/http11/AbstractInputBuffer.java.
    - CVE-2017-6056

 -- Marc Deslauriers <email address hidden>  Fri, 17 Feb 2017 08:51:12 -0500
tomcat7 (7.0.52-1ubuntu0.9) trusty-security; urgency=medium

  * SECURITY REGRESSION: security manager startup issue (LP: #1659589)
    - debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch: update to new /var/lib/tomcat7/policy location.
    - debian/tomcat7.postrm.in: remove policy directory.

 -- Marc Deslauriers <email address hidden>  Wed, 01 Feb 2017 10:40:22 -0500
Superseded in artful-release
Obsolete in zesty-release
Deleted in zesty-proposed (Reason: moved to release)
tomcat7 (7.0.75-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Tue, 24 Jan 2017 13:13:38 +0100
tomcat7 (7.0.52-1ubuntu0.8) trusty-security; urgency=medium

  * SECURITY UPDATE: SecurityManager bypass via a utility method
    - debian/patches/CVE-2016-5018.patch: remove unnecessary code in java/org/apache/jasper/compiler/JspRuntimeContext.java, java/org/apache/jasper/runtime/JspRuntimeLibrary.java, java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2016-5018
  * SECURITY UPDATE: mitigation for httpoxy issue
    - debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization parameter to conf/web.xml, webapps/docs/cgi-howto.xml, java/org/apache/catalina/servlets/CGIServlet.java.
    - CVE-2016-5388
  * SECURITY UPDATE: system properties read SecurityManager bypass
    - debian/patches/CVE-2016-6794.patch: extend SecurityManager protection to the system property replacement feature of the digester in java/org/apache/catalina/loader/WebappClassLoader.java, java/org/apache/tomcat/util/digester/Digester.java, java/org/apache/tomcat/util/security/PermissionCheck.java.
    - CVE-2016-6794
  * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration parameters
    - debian/patches/CVE-2016-6796.patch: ignore some JSP options when running under a SecurityManager in conf/web.xml, java/org/apache/jasper/EmbeddedServletOptions.java, java/org/apache/jasper/resources/LocalStrings.properties, java/org/apache/jasper/servlet/JspServlet.java, webapps/docs/jasper-howto.xml.
    - CVE-2016-6796
  * SECURITY UPDATE: web application global JNDI resource access
    - debian/patches/CVE-2016-6797.patch: ensure that the global resource is only visible via the ResourceLinkFactory when it is meant to be in java/org/apache/catalina/core/NamingContextListener.java, java/org/apache/naming/factory/ResourceLinkFactory.java, test/org/apache/naming/TestNamingContext.java.
    - CVE-2016-6797
  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid characters in java/org/apache/coyote/http11/AbstractInputBuffer.java, java/org/apache/coyote/http11/AbstractNioInputBuffer.java, java/org/apache/coyote/http11/InternalAprInputBuffer.java, java/org/apache/coyote/http11/InternalInputBuffer.java, java/org/apache/coyote/http11/LocalStrings.properties, java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735-pre.patch: remove the restriction that prevented the use of SSL when specifying a bind address in java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java, java/org/apache/catalina/mbeans/LocalStrings.properties, webapps/docs/config/listeners.xml.
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed credential types in java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when unable to complete sendfile request in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat7.postinst: properly set permissions on /etc/tomcat7/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat7.postrm.in: don't reset permissions before removing user.
    - CVE-2016-9775
  * debian/tomcat7.init: further hardening.

 -- Marc Deslauriers <email address hidden>  Thu, 19 Jan 2017 12:38:29 -0500
tomcat7 (7.0.73-1) unstable; urgency=medium

  * New upstream release

 -- Emmanuel Bourg <email address hidden>  Wed, 16 Nov 2016 10:53:00 +0100
tomcat7 (7.0.72-4) unstable; urgency=medium

  * Depend on libcglib-nodep-java instead of libcglib3-java

 -- Emmanuel Bourg <email address hidden>  Mon, 07 Nov 2016 16:55:48 +0100
tomcat7 (7.0.72-3) unstable; urgency=medium

  * Build only the Servlet API (Closes: #819259, #834680)

 -- Emmanuel Bourg <email address hidden>  Sat, 05 Nov 2016 22:57:29 +0100
tomcat7 (7.0.72-2) unstable; urgency=high

  * Team upload.
  * CVE-2016-1240 follow-up:
    - The previous init.d fix was vulnerable to a race condition that could be exploited to make any existing file writable by the tomcat user. Thanks to Paul Szabo for the report and the fix.
    - The catalina.policy file generated on startup was affected by a similar vulnerability that could be exploited to overwrite any file on the system. Thanks to Paul Szabo for the report.
  * Hardened the init.d script, thanks to Paul Szabo
  * Switch to debhelper level 10

 -- Emmanuel Bourg <email address hidden>  Fri, 28 Oct 2016 01:34:22 +0200
Superseded in zesty-release
Obsolete in yakkety-release
Deleted in yakkety-proposed (Reason: moved to release)
tomcat7 (7.0.72-1) unstable; urgency=medium

  * New upstream release

 -- Emmanuel Bourg <email address hidden>  Tue, 20 Sep 2016 13:28:54 +0200
tomcat7 (7.0.52-1ubuntu0.7) trusty-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat7.init: don't follow symlinks when handling the catalina.out file.
    - CVE-2016-1240
  * SECURITY REGRESSION: change in behaviour after security update (LP: #1609819)
    - debian/patches/CVE-2015-5345-2.patch: fix using the new mapperContextRootRedirectEnabled option in java/org/apache/catalina/connector/MapperListener.java, change mapperContextRootRedirectEnabled default to true in java/org/apache/catalina/core/StandardContext.java, webapps/docs/config/context.xml. This reverts the change in behaviour following the CVE-2015-5345 security update and was also done upstream in later releases.

 -- Marc Deslauriers <email address hidden>  Fri, 16 Sep 2016 09:19:37 -0400
tomcat7 (7.0.70-3) unstable; urgency=high

  * Team upload.
  * Fixed CVE-2016-1240: A flaw in the init.d startup script allows local attackers who have gained access to the server in the context of the tomcat user through a vulnerability in a web application to replace the catalina.out file with a symlink to an arbitrary file on the system, potentially leading to a root privilege escalation. Thanks to Dawid Golunski for the report.

 -- Emmanuel Bourg <email address hidden>  Wed, 14 Sep 2016 10:56:45 +0200
tomcat7 (7.0.70-2) unstable; urgency=medium

  * Team upload.
  * Do not unconditionally override files in /etc/tomcat7. (Closes: #821391)

 -- Markus Koschany <email address hidden>  Tue, 02 Aug 2016 11:43:11 +0200
tomcat7 (7.0.52-1ubuntu0.6) trusty-security; urgency=medium

  * SECURITY UPDATE: directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix normalization edge cases in java/org/apache/tomcat/util/http/RequestUtil.java, test/org/apache/tomcat/util/http/TestRequestUtil.java.
    - CVE-2015-5174
  * SECURITY UPDATE: information disclosure via redirects by mapper
    - debian/patches/CVE-2015-5345.patch: fix redirect logic in java/org/apache/catalina/Context.java, java/org/apache/catalina/authenticator/FormAuthenticator.java, java/org/apache/catalina/core/StandardContext.java, java/org/apache/catalina/core/mbeans-descriptors.xml, java/org/apache/catalina/servlets/DefaultServlet.java, java/org/apache/catalina/servlets/WebdavServlet.java, java/org/apache/catalina/startup/FailedContext.java, java/org/apache/tomcat/util/http/mapper/Mapper.java, test/org/apache/catalina/startup/TomcatBaseTest.java, webapps/docs/config/context.xml, test/org/apache/catalina/core/TesterContext.java.
    - CVE-2015-5345
  * SECURITY UPDATE: session fixation vulnerability
    - debian/patches/CVE-2015-5346.patch: handle different session settings in java/org/apache/catalina/connector/CoyoteAdapter.java, java/org/apache/catalina/connector/Request.java.
    - CVE-2015-5346
  * SECURITY UPDATE: CSRF protection mechanism bypass
    - debian/patches/CVE-2015-5351.patch: don't create sessions unnecessarily in webapps/host-manager/WEB-INF/jsp/401.jsp, webapps/host-manager/WEB-INF/jsp/403.jsp, webapps/host-manager/WEB-INF/jsp/404.jsp, webapps/host-manager/index.jsp, webapps/manager/WEB-INF/web.xml, webapps/manager/index.jsp.
    - CVE-2015-5351
  * SECURITY UPDATE: securityManager restrictions bypass via StatusManagerServlet
    - debian/patches/CVE-2016-0706.patch: place servlet in restricted list in java/org/apache/catalina/core/RestrictedServlets.properties.
    - CVE-2016-0706
  * SECURITY UPDATE: securityManager restrictions bypass via session-persistence implementation
    - debian/patches/CVE-2016-0714.patch: extend the session attribute filtering options in java/org/apache/catalina/ha/session/ClusterManagerBase.java, java/org/apache/catalina/ha/session/mbeans-descriptors.xml, java/org/apache/catalina/session/LocalStrings.properties, java/org/apache/catalina/session/ManagerBase.java, java/org/apache/catalina/session/StandardManager.java, java/org/apache/catalina/session/mbeans-descriptors.xml, java/org/apache/catalina/util/CustomObjectInputStream.java, java/org/apache/catalina/util/LocalStrings.properties, webapps/docs/config/cluster-manager.xml, webapps/docs/config/manager.xml.
    - CVE-2016-0714
  * SECURITY UPDATE: securityManager restrictions bypass via crafted global context
    - debian/patches/CVE-2016-0763.patch: protect initialization in java/org/apache/naming/factory/ResourceLinkFactory.java.
    - CVE-2016-0763
  * SECURITY UPDATE: denial of service in FileUpload
    - debian/patches/CVE-2016-3092.patch: properly handle size in java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2016-3092
  * debian/patches/fix_cookie_names_in_tests.patch: fix FTBFS by removing colons in cookie names, which are illegal in newer Java versions, in test/org/apache/catalina/authenticator/*.java.

 -- Marc Deslauriers <email address hidden>  Wed, 29 Jun 2016 12:50:02 -0400
tomcat7 (7.0.64-1ubuntu0.3) wily-security; urgency=medium

  * SECURITY UPDATE: directory traversal vulnerability in RequestUtil.java
    - debian/patches/CVE-2015-5174.patch: fix more normalization edge cases in java/org/apache/tomcat/util/http/RequestUtil.java, test/org/apache/tomcat/util/http/TestRequestUtil.java.
    - CVE-2015-5174
  * SECURITY UPDATE: information disclosure via redirects by mapper
    - debian/patches/CVE-2015-5345.patch: fix redirect logic in java/org/apache/catalina/Context.java, java/org/apache/catalina/authenticator/FormAuthenticator.java, java/org/apache/catalina/core/StandardContext.java, java/org/apache/catalina/core/mbeans-descriptors.xml, java/org/apache/catalina/servlets/DefaultServlet.java, java/org/apache/catalina/servlets/WebdavServlet.java, java/org/apache/catalina/startup/FailedContext.java, java/org/apache/tomcat/util/http/mapper/Mapper.java, test/org/apache/catalina/startup/TomcatBaseTest.java, webapps/docs/config/context.xml, test/org/apache/catalina/core/TesterContext.java, test/org/apache/tomcat/util/http/mapper/TestMapperWebapps.java.
    - CVE-2015-5345
  * SECURITY UPDATE: session fixation vulnerability
    - debian/patches/CVE-2015-5346.patch: handle different session settings in java/org/apache/catalina/connector/CoyoteAdapter.java, java/org/apache/catalina/connector/Request.java.
    - CVE-2015-5346
  * SECURITY UPDATE: CSRF protection mechanism bypass
    - debian/patches/CVE-2015-5351.patch: don't create sessions unnecessarily in webapps/host-manager/WEB-INF/jsp/401.jsp, webapps/host-manager/WEB-INF/jsp/403.jsp, webapps/host-manager/WEB-INF/jsp/404.jsp, webapps/host-manager/index.jsp, webapps/manager/WEB-INF/web.xml, webapps/manager/index.jsp.
    - CVE-2015-5351
  * SECURITY UPDATE: securityManager restrictions bypass via StatusManagerServlet
    - debian/patches/CVE-2016-0706.patch: place servlet in restricted list in java/org/apache/catalina/core/RestrictedServlets.properties.
    - CVE-2016-0706
  * SECURITY UPDATE: securityManager restrictions bypass via session-persistence implementation
    - debian/patches/CVE-2016-0714.patch: extend the session attribute filtering options in java/org/apache/catalina/ha/session/ClusterManagerBase.java, java/org/apache/catalina/ha/session/mbeans-descriptors.xml, java/org/apache/catalina/session/LocalStrings.properties, java/org/apache/catalina/session/ManagerBase.java, java/org/apache/catalina/session/StandardManager.java, java/org/apache/catalina/session/mbeans-descriptors.xml, java/org/apache/catalina/util/CustomObjectInputStream.java, java/org/apache/catalina/util/LocalStrings.properties, webapps/docs/config/cluster-manager.xml, webapps/docs/config/manager.xml.
    - CVE-2016-0714
  * SECURITY UPDATE: securityManager restrictions bypass via crafted global context
    - debian/patches/CVE-2016-0763.patch: protect initialization in java/org/apache/naming/factory/ResourceLinkFactory.java.
    - CVE-2016-0763
  * SECURITY UPDATE: denial of service in FileUpload
    - debian/patches/CVE-2016-3092.patch: properly handle size in java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2016-3092
  * debian/patches/fix_cookie_names_in_tests.patch: fix FTBFS by removing colons in cookie names, which are illegal in newer Java versions, in test/org/apache/catalina/authenticator/*.java.

 -- Marc Deslauriers <email address hidden>  Wed, 29 Jun 2016 08:48:32 -0400
tomcat7 (7.0.68-1ubuntu0.1) xenial-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileUpload
    - debian/patches/CVE-2016-3092.patch: properly handle size in java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2016-3092

 -- Marc Deslauriers <email address hidden>  Mon, 27 Jun 2016 14:13:17 -0400
tomcat7 (7.0.70-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Mon, 20 Jun 2016 10:58:56 +0200
tomcat7 (7.0.69-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 3.9.8 (no changes)

 -- Emmanuel Bourg <email address hidden>  Sat, 23 Apr 2016 11:30:01 +0200
Superseded in yakkety-release
Published in xenial-release
Deleted in xenial-proposed (Reason: moved to release)
tomcat7 (7.0.68-1) unstable; urgency=medium

  * Team upload.
  * New upstream release (Closes: #814640)
    - Refreshed the patches
    - New build dependencies on easymock, cglib and objenesis
    - Added ASM to the test classpath (required by Easymock)
  * Use LC_ALL instead of LANG to format the date and make the documentation reproducible on the builders
  * Standards-Version updated to 3.9.7 (no changes)
  * Use secure Vcs-* URLs

 -- Emmanuel Bourg <email address hidden>  Thu, 18 Feb 2016 22:26:43 +0100
Superseded in xenial-release
Obsolete in wily-release
Deleted in wily-proposed (Reason: moved to release)
tomcat7 (7.0.64-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Install the missing WebSocket jars in /usr/share/tomcat7/lib/ (Closes: #787220, LP: #1326687)
  * Changed the authbind configuration to allow IPv6 connections (LP: #1443041)
  * Fixed an upgrade error when /etc/tomcat7/tomcat-users.xml is removed (LP: #1010791)
  * Fixed a minor HTML error in the default index.html file (LP: #1236132)

 -- Emmanuel Bourg <email address hidden>  Fri, 28 Aug 2015 09:47:33 +0200
tomcat7 (7.0.63-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * debian/rules: Use an English locale when generating the documentation to improve the reproducibility

 -- Emmanuel Bourg <email address hidden>  Wed, 08 Jul 2015 12:18:47 +0200
tomcat7 (7.0.52-1ubuntu0.3) trusty-security; urgency=medium

  * SECURITY UPDATE: arbitrary file disclosure via XML parser (LP: #1449975)
    - debian/patches/CVE-2014-0119.patch: add defensive coding and ensure TLD parser obtained from cache has correct value of blockExternal in java/org/apache/catalina/security/SecurityClassLoad.java, java/org/apache/catalina/servlets/DefaultServlet.java, java/org/apache/catalina/startup/TldConfig.java, java/org/apache/jasper/compiler/JspDocumentParser.java, java/org/apache/jasper/xmlparser/ParserUtils.java, java/org/apache/tomcat/util/security/PrivilegedGetTccl.java, java/org/apache/tomcat/util/security/PrivilegedSetTccl.java.
    - CVE-2014-0119
  * SECURITY UPDATE: HTTP request smuggling or denial of service via streaming with malformed chunked transfer encoding (LP: #1449975)
    - debian/patches/CVE-2014-0227.patch: add error flag and improve i18n in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java, java/org/apache/coyote/http11/filters/LocalStrings.properties.
    - CVE-2014-0227
  * SECURITY UPDATE: denial of service via aborted upload attempts (LP: #1449975)
    - debian/patches/CVE-2014-0230.patch: limit amount of data in java/org/apache/coyote/http11/AbstractHttp11Processor.java, java/org/apache/coyote/http11/AbstractHttp11Protocol.java, java/org/apache/coyote/http11/Http11AprProcessor.java, java/org/apache/coyote/http11/Http11AprProtocol.java, java/org/apache/coyote/http11/Http11NioProcessor.java, java/org/apache/coyote/http11/Http11NioProtocol.java, java/org/apache/coyote/http11/Http11Processor.java, java/org/apache/coyote/http11/Http11Protocol.java, java/org/apache/coyote/http11/filters/ChunkedInputFilter.java, java/org/apache/coyote/http11/filters/IdentityInputFilter.java, java/org/apache/coyote/http11/filters/LocalStrings.properties, test/org/apache/catalina/core/TestSwallowAbortedUploads.java, webapps/docs/config/http.xml.
    - CVE-2014-0230
  * SECURITY UPDATE: SecurityManager bypass via Expression Language
    - debian/patches/CVE-2014-7810.patch: handle classes that may not be accessible but have accessible interfaces in java/javax/el/BeanELResolver.java, remove unnecessary code in java/org/apache/jasper/runtime/PageContextImpl.java, java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2014-7810
  * Replace expired ssl certs and use TLS to fix tests causing FTBFS:
    - debian/patches/0022-use-tls-in-ssl-unit-tests.patch
    - debian/patches/0023-replace-expired-ssl-certificates.patch
    - debian/source/include-binaries

 -- Marc Deslauriers <email address hidden>  Fri, 19 Jun 2015 12:30:21 -0400
tomcat7 (7.0.55-1ubuntu0.2) utopic-security; urgency=medium

  * SECURITY UPDATE: SecurityManager bypass via Expression Language
    - debian/patches/CVE-2014-7810.patch: handle classes that may not be accessible but have accessible interfaces in java/javax/el/BeanELResolver.java, remove unnecessary code in java/org/apache/jasper/runtime/PageContextImpl.java, java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2014-7810
  * Replace expired ssl certs and use TLS to fix tests causing FTBFS:
    - debian/patches/0022-use-tls-in-ssl-unit-tests.patch
    - debian/patches/0023-replace-expired-ssl-certificates.patch
    - debian/source/include-binaries

 -- Marc Deslauriers <email address hidden>  Fri, 19 Jun 2015 09:52:59 -0400
tomcat7 (7.0.56-2ubuntu0.1) vivid-security; urgency=medium

  * SECURITY UPDATE: SecurityManager bypass via Expression Language
    - debian/patches/CVE-2014-7810.patch: handle classes that may not be accessible but have accessible interfaces in java/javax/el/BeanELResolver.java, remove unnecessary code in java/org/apache/jasper/runtime/PageContextImpl.java, java/org/apache/jasper/security/SecurityClassLoad.java.
    - CVE-2014-7810

 -- Marc Deslauriers <email address hidden>  Fri, 19 Jun 2015 09:47:50 -0400
tomcat7 (7.0.62-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Replaced the date in ServerInfo.properties and in the documentation with the latest date in debian/changelog to make the build reproducible
  * debian/rules:
    - Modified to use the dh sequencer
    - Simplified the ant invocation and moved some properties to debian/ant.properties
    - Do not set the version.* properties already defined in build.properties.default
    - Renamed T_VER to VERSION
    - Removed the RWFILES and RWLOC variables
    - Merged the ANT_ARGS and ANT_INVOKE variables
    - No longer remove the long gone .svn directories under /usr/share/tomcat8/webapps/default_root
    - Let dh_fixperms set the permissions instead of calling chmod +x
    - Use debian/tomcat7-user.manpages instead of calling dh_installman
    - Updated the copyright year in the Javadoc

 -- Emmanuel Bourg <email address hidden>  Wed, 27 May 2015 11:43:31 +0200
tomcat7 (7.0.61-1) unstable; urgency=medium

  * Upload to unstable
  * New upstream release
    - Refreshed the patches
    - Updated the test certificates
    - Added a patch renaming the taglibs-standard-*.jar files used in the tests
  * debian/rules: export JAVA_HOME to fix a build failure
  * debian/orig-tar.sh: Exclude the taglibs-standard-*.jar files from the upstream tarball
  * Removed the timestamp from the Javadoc of the Servlet API to make the build reproducible

 -- Emmanuel Bourg <email address hidden>  Wed, 06 May 2015 17:12:36 +0200
Available diffs
- diff from 7.0.56-3 to 7.0.61-1 (226.9 KiB)
tomcat7 (7.0.56-3) unstable; urgency=medium

  * Provide a clearer and more maintainable fix for #780519, using an
    approach similar to the one Emmanuel used to fix a similar issue in
    stable in the past.

 -- Miguel Landaeta <email address hidden>  Sat, 28 Mar 2015 13:14:04 -0300
Available diffs
- diff from 7.0.56-2 to 7.0.56-3 (15.6 KiB)
Superseded in wily-release
Obsolete in vivid-release
Deleted in vivid-proposed (Reason: moved to release)
tomcat7 (7.0.56-2) unstable; urgency=medium

  * Fix FTBFS error by making sure SSL unit tests use TLS protocols.
    - SSLv3 and previous protocols are not secure and deprecated in JDK7.
    - Additionally, some X509 certificates provided by upstream expired and
      were causing failures in unit tests as well, so they were regenerated.
      (Closes: #780519).
  * Fix FTBFS error by disabling some unit tests that depend on having
    network access.

 -- Miguel Landaeta <email address hidden>  Thu, 26 Mar 2015 00:15:03 -0300
Available diffs
- diff from 7.0.56-1 to 7.0.56-2 (18.8 KiB)
tomcat7 (7.0.56-1) unstable; urgency=medium

  * New upstream release
  * Install the extra jar catalina-jmx-remote.jar (Closes: #719921)
  * Removed the note about the authbind IPv6 incompatibility in
    /etc/defaults/tomcat7
  * Added the SimpleInstanceManager class from Tomcat 8 to help integrate
    the JSP compiler into Jetty 8

 -- Emmanuel Bourg <email address hidden>  Mon, 06 Oct 2014 10:25:48 +0200
Available diffs
- diff from 7.0.55-1 to 7.0.56-1 (109.2 KiB)
Superseded in vivid-release
Obsolete in utopic-release
Deleted in utopic-proposed (Reason: moved to release)
tomcat7 (7.0.55-1) unstable; urgency=medium

  * New upstream release
  * Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Tue, 29 Jul 2014 17:25:50 +0200
Available diffs
- diff from 7.0.54-2 to 7.0.55-1 (83.6 KiB)
tomcat7 (7.0.52-1ubuntu0.1) trusty-security; urgency=medium

  * SECURITY UPDATE: denial of service via malformed chunk size
    - debian/patches/CVE-2014-0075.patch: fix overflow and added tests to
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java.
    - CVE-2014-0075
  * SECURITY UPDATE: file disclosure via XXE issue
    - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a
      relative path in conf/web.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/LocalStrings.properties,
      webapps/docs/default-servlet.xml.
    - CVE-2014-0096
  * SECURITY UPDATE: HTTP request smuggling attack via crafted
    Content-Length HTTP header
    - debian/patches/CVE-2014-0099.patch: correctly handle long values in
      java/org/apache/tomcat/util/buf/Ascii.java, added test to
      test/org/apache/tomcat/util/buf/TestAscii.java.
    - CVE-2014-0099

 -- Marc Deslauriers <email address hidden>  Thu, 24 Jul 2014 13:24:54 -0400
tomcat7 (7.0.54-2) unstable; urgency=medium

  [ Emmanuel Bourg ]
  * debian/defaults.template: Bumped the required version of Java mentioned
    in the comment on the JAVA_HOME variable
  * debian/tomcat7.init: Search for OpenJDK 8 and Oracle JDKs when starting
    the server (Closes: #714349)
  * Updated the version required for libtcnative-1 (>= 1.1.30)
    (Closes: #750454)

 -- tony mancill <email address hidden>  Sat, 14 Jun 2014 08:09:02 -0700
Available diffs
- diff from 7.0.54-1 to 7.0.54-2 (1.4 KiB)
tomcat7 (7.0.54-1) unstable; urgency=medium

  * New upstream release
  * Refreshed the patches
  * Use XZ compression for the upstream tarball

 -- Emmanuel Bourg <email address hidden>  Thu, 22 May 2014 10:27:10 +0200
Available diffs
- diff from 7.0.53-1 to 7.0.54-1 (138.1 KiB)
tomcat7 (7.0.53-1) unstable; urgency=low

  * New upstream release.
  * Refresh patches:
    - debian/patches/0011-fix-classpath-lintian-warnings.patch.
    - debian/patches/0015_disable_test_TestCometProcessor.patch.
  * Add new patch:
    - Disabled Java 8 support in JSPs (requires an Eclipse compiler update).
  * Update my email address in Uploaders list.

 -- Miguel Landaeta <email address hidden>  Thu, 01 May 2014 23:33:35 -0300
Available diffs
- diff from 7.0.52-1 to 7.0.53-1 (63.0 KiB)
tomcat7 (7.0.30-0ubuntu1.3) quantal-security; urgency=medium

  * SECURITY UPDATE: request smuggling attack via content-length headers
    - debian/patches/CVE-2013-4286.patch: use long as content length in
      java/org/apache/coyote/Request.java, handle multiple content lengths in
      java/org/apache/coyote/ajp/AbstractAjpProcessor.java, handle content
      length and chunked encoding being both specified in
      java/org/apache/coyote/http11/AbstractHttp11Processor.java.
    - CVE-2013-4286
  * SECURITY UPDATE: denial of service via chunked transfer coding
    - debian/patches/CVE-2013-4322.patch: enforce maximum size in
      java/org/apache/coyote/http11/{AbstractHttp11Processor.java,
      AbstractHttp11Protocol.java, Http11AprProcessor.java,
      Http11AprProtocol.java, Http11NioProcessor.java,
      Http11NioProtocol.java, Http11Processor.java, Http11Protocol.java},
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java,
      webapps/docs/config/http.xml.
    - CVE-2013-4322
  * SECURITY UPDATE: denial of service via malformed content-type header
    - debian/patches/CVE-2014-0050.patch: validate sizes in
      java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java,
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2014-0050
  * d/p/0018-update-test-certificates.patch: remove binary parts to support
    newer quilt.

 -- Marc Deslauriers <email address hidden>  Tue, 04 Mar 2014 10:45:20 -0500
tomcat7 (7.0.42-1ubuntu0.1) saucy-security; urgency=medium

  * SECURITY UPDATE: request smuggling attack via content-length headers
    - debian/patches/CVE-2013-4286.patch: use long as content length in
      java/org/apache/coyote/Request.java, handle multiple content lengths in
      java/org/apache/coyote/ajp/AbstractAjpProcessor.java, handle content
      length and chunked encoding being both specified in
      java/org/apache/coyote/http11/AbstractHttp11Processor.java.
    - CVE-2013-4286
  * SECURITY UPDATE: denial of service via chunked transfer coding
    - debian/patches/CVE-2013-4322.patch: enforce maximum size in
      java/org/apache/coyote/http11/{AbstractHttp11Processor.java,
      AbstractHttp11Protocol.java, Http11AprProcessor.java,
      Http11AprProtocol.java, Http11NioProcessor.java,
      Http11NioProtocol.java, Http11Processor.java, Http11Protocol.java},
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java,
      webapps/docs/config/http.xml.
    - CVE-2013-4322
  * SECURITY UPDATE: denial of service via malformed content-type header
    - debian/patches/CVE-2014-0050.patch: validate sizes in
      java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java,
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2014-0050

 -- Marc Deslauriers <email address hidden>  Tue, 04 Mar 2014 10:22:07 -0500
Superseded in utopic-release
Published in trusty-release
Deleted in trusty-proposed (Reason: moved to release)
tomcat7 (7.0.52-1) unstable; urgency=low

  * Team upload.
  * New upstream release.
    - Addresses security issue: CVE-2014-0050

 -- Gianfranco Costamagna <email address hidden>  Wed, 19 Feb 2014 14:09:48 +0100
Available diffs
- diff from 7.0.50-1 to 7.0.52-1 (114.0 KiB)
tomcat7 (7.0.50-1) unstable; urgency=medium

  * New upstream release.

 -- James Page <email address hidden>  Tue, 14 Jan 2014 18:09:28 +0000
Available diffs
- diff from 7.0.47-1 to 7.0.50-1 (121.4 KiB)
tomcat7 (7.0.47-1) unstable; urgency=low

  [ Gianfranco Costamagna ]
  * Team upload.
  * New upstream release, patch refresh.
  * Renamed patch fix-manager-webapp.path to fix-manager-webapp.patch
    (extension typo).
  * Refresh patches for upstream release.
  * Removed -Djava.net.preferIPv4Stack=true from init script (lp: #1088681),
    thanks Hendrik Haddorp.
  * Added webapp manager path patch (lp: #1128067) thanks TJ.

  [ tony mancill ]
  * Bump Standards-Version to 3.9.5.
  * Change copyright year in javadocs to 2013.
  * Add patch to include the distribution name in error pages.
    (Closes: #729840)

 -- tony mancill <email address hidden>  Tue, 24 Dec 2013 16:46:34 +0000
Available diffs
- diff from 7.0.42-1 to 7.0.47-1 (252.9 KiB)
Superseded in trusty-release
Obsolete in saucy-release
Deleted in saucy-proposed (Reason: moved to release)
tomcat7 (7.0.42-1) unstable; urgency=low

  [ Gianfranco Costamagna ]
  * Team upload.
  * New upstream release.
  * Added libhamcrest-java >= 1.3 as build-dep, tweaked debian/rules.
  * Bumped compat level to 9.
  * Removed some version checks, newer releases already in oldstable.
  * Refresh patches.
  * debian/control: changed Vcs-Git and Vcs-Browser fields, now they are
    canonical.
  * Fixed error message in Tomcat init script, patch by Thijs Kinkhorst
    (Closes: #714348)

 -- Gianfranco Costamagna <email address hidden>  Tue, 16 Jul 2013 17:34:58 +0200
Available diffs
- diff from 7.0.40-2 to 7.0.42-1 (86.9 KiB)
tomcat7 (7.0.30-0ubuntu1.2) quantal-security; urgency=low

  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID in
      java/org/apache/catalina/authenticator/FormAuthenticator.java.
    - CVE-2013-2067
  * SECURITY UPDATE: information leak via AsyncListeners and
    RuntimeExceptions (LP: #1178645)
    - debian/patches/CVE-2013-2071.patch: catch RuntimeExceptions in
      java/org/apache/catalina/core/AsyncContextImpl.java, added tests to
      test/org/apache/catalina/core/TestAsyncContextImpl.java.
    - CVE-2013-2071
  * Fix FTBFS due to expired test certificates:
    - d/keystores/*.jks: Newer keystores from upstream 7.0.39.
    - d/rules: Install newer keystores for testing, tidy up after use.
    - d/p/0018-update-test-certificates.patch: Cherry picked fixes from
      upstream VCS to update text based certificates.

 -- Marc Deslauriers <email address hidden>  Thu, 23 May 2013 09:04:36 -0400
tomcat7 (7.0.35-1~exp2ubuntu1.1) raring-security; urgency=low

  * SECURITY UPDATE: information leak via AsyncListeners and
    RuntimeExceptions (LP: #1178645)
    - debian/patches/CVE-2013-2071.patch: catch RuntimeExceptions in
      java/org/apache/catalina/core/AsyncContextImpl.java, added tests to
      test/org/apache/catalina/core/TestAsyncContextImpl.java.
    - CVE-2013-2071

 -- Marc Deslauriers <email address hidden>  Tue, 21 May 2013 10:07:15 -0400
tomcat7 (7.0.40-2) unstable; urgency=low

  * Fix deployment of POMs for libservlet-3.0-java JARs into javax
    coordinates.
    - JARs were deployed into maven-repo, but not POMs.
  * Fix servlet-api groupId in d/javaxpoms/jsp-api.pom.

 -- Jakub Adam <email address hidden>  Thu, 16 May 2013 17:35:52 +0200
Available diffs
- diff from 7.0.40-1 to 7.0.40-2 (621 bytes)
tomcat7 (7.0.40-1) unstable; urgency=low

  * New upstream release.
    - Addresses security issue: CVE-2013-2071
  * Refresh patches:
    - 0015_disable_test_TestCometProcessor.patch

 -- Miguel Landaeta <email address hidden>  Fri, 10 May 2013 19:10:36 -0300
Superseded in saucy-release
Obsolete in raring-release
Deleted in raring-proposed (Reason: moved to release)
tomcat7 (7.0.35-1~exp2ubuntu1) raring; urgency=low

  * Fix FTBFS due to expired test certificates (LP: #1166187):
    - d/keystores/*.jks: Newer keystores from upstream 7.0.39.
    - d/rules: Install newer keystores for testing, tidy up after use.
    - d/p/0018-update-test-certificates.patch: Cherry picked fixes from
      upstream VCS to update text based certificates.

 -- James Page <email address hidden>  Mon, 08 Apr 2013 14:02:42 +0100
tomcat7 (7.0.26-1ubuntu1.2) precise-security; urgency=low

  [ Christian Kuersteiner ]
  * SECURITY UPDATE: Fix multiple vulnerabilities in Tomcat7 (LP: #1115053)
    - debian/patches/0013-CVE-2012-2733.patch: Fix for Apache Tomcat Denial
      of Service. Based on upstream patch.
    - CVE-2012-2733
    - debian/patches/0014-CVE-2012-3546.patch: Fix for bypass of security
      constraints. Based on upstream patch.
    - CVE-2012-3546
    - debian/patches/0015-CVE-2012-4431.patch: Fix for bypass of CSRF
      prevention filter. Based on upstream patch.
    - CVE-2012-4431
    - debian/patches/0016-CVE-2012-4534.patch: Fix for CVE-2012-4534 Denial
      of Service Vulnerability. Based on upstream patch.
    - CVE-2012-4534
    - debian/patches/CVE-2012-3439.patch: Fix for DIGEST authentication
      weaknesses. Based on upstream patch.
    - CVE-2012-3439, CVE-2012-5885, CVE-2012-5886, CVE-2012-5887

  [ Jamie Strandboge ]
  * allow for easily running the testsuite:
    - debian/control: add testsuite build-depends
    - debian/rules:
      + add 'testsuite' target
      + add ANT_TS_ARGS for use in the testsuite target
      + cleanup the testsuite
    - add debian/README.source for information on how to use the testsuite

 -- Christian Kuersteiner <email address hidden>  Tue, 19 Mar 2013 14:48:19 +0100
tomcat7 (7.0.21-1ubuntu0.1) oneiric-security; urgency=low

  [ Christian Kuersteiner ]
  * SECURITY UPDATE: Fix multiple vulnerabilities in Tomcat7 (LP: #1115053)
    - debian/patches/CVE-2012-0022.patch: Fix for Denial of service. Based
      on upstream patch.
    - CVE-2012-0022, CVE-2011-4858
    - debian/patches/CVE-2011-3375.patch: Fix for information disclosure.
      Based on upstream patch.
    - CVE-2011-3375
    - debian/patches/CVE-2011-3376.patch: Fix for privilege escalation.
      Based on upstream patch.
    - CVE-2011-3376
    - debian/patches/CVE-2012-2733.patch: Fix for Apache Tomcat Denial of
      Service. Based on upstream patch.
    - CVE-2012-2733
    - debian/patches/CVE-2012-3546.patch: Fix for bypass of security
      constraints. Based on upstream patch.
    - CVE-2012-3546
    - debian/patches/CVE-2012-4431.patch: Fix for bypass of CSRF prevention
      filter. Based on upstream patch.
    - CVE-2012-4431
    - debian/patches/CVE-2012-4534.patch: Fix for CVE-2012-4534 Denial of
      Service Vulnerability. Based on upstream patch.
    - CVE-2012-4534
    - debian/patches/CVE-2012-3439.patch: Fix for DIGEST authentication
      weaknesses. Based on upstream patch.
    - CVE-2012-3439, CVE-2012-5885, CVE-2012-5886, CVE-2012-5887

  [ Jamie Strandboge ]
  * allow for easily running the testsuite:
    - debian/control: add testsuite build-depends
    - debian/rules:
      + add 'testsuite' target
      + add ANT_TS_ARGS for use in the testsuite target
      + cleanup the testsuite
    - add debian/README.source for information on how to use the testsuite

 -- Christian Kuersteiner <email address hidden>  Fri, 15 Mar 2013 15:40:27 -0700
tomcat7 (7.0.35-1~exp2) experimental; urgency=low

  * Switch from Commons DBCP to Tomcat JDBC Pool as default connection pool
    implementation (Closes: #701023).

 -- James Page <email address hidden>  Sun, 24 Feb 2013 22:08:22 +0000
tomcat7 (7.0.35-1~exp1ubuntu1) raring; urgency=low

  * Merge from Debian experimental, remaining changes:
    + Enabled Tomcat jdbc-pool module, aligning more closely to upstream and
      providing improved multi-threaded performance over commons-dbcp:
      - d/rules,d/libtomcat7-java.poms: Install tomcat-dbcp.jar file.
      - d/patches/0005-change-default-DBCP-factory-class.patch: Drop patch
        which switches the default DBCP factory to commons-dbcp.
      - d/p/0015-use-jdbc-pool-default.patch: Make jdbc-pool module the
        default pool implementation for DataSources.
      - d/NEWS: let users know about this change.
  * Dropped changes, included in Debian:
    - d/p/0014-fix-override.patch: Fix FTBFS due to differing dependency
      versions compared to upstream.

 -- James Page <email address hidden>  Wed, 20 Feb 2013 15:34:18 +0000
tomcat7 (7.0.30-0ubuntu1.1) quantal-security; urgency=low

  * SECURITY UPDATE: CSRF bypass via request with no session identifier
    - debian/patches/CVE-2012-4431.patch: check for session identifier in
      java/org/apache/catalina/filters/CsrfPreventionFilter.java.
    - CVE-2012-4431

 -- Marc Deslauriers <email address hidden>  Thu, 10 Jan 2013 09:35:41 -0500
tomcat7 (7.0.34-0ubuntu1) raring; urgency=low

  * New upstream release.
    - d/p/0014-fix-override.patch: Fix FTBFS due to differing dependency
      versions compared to upstream.
  * d/p/0015-use-jdbc-pool-default.patch: Make jdbc-pool module the default
    pool implementation for DataSources (LP: #1071817).

 -- James Page <email address hidden>  Thu, 06 Dec 2012 13:47:08 +0000
Available diffs
- diff from 7.0.30-0ubuntu1 to 7.0.34-0ubuntu1 (130.9 KiB)
tomcat7 (7.0.30-0ubuntu1) quantal; urgency=low

  * New upstream point release including several fixes for Java 7 specific
    issues.
  * Refreshed patches.

 -- James Page <email address hidden>  Mon, 17 Sep 2012 10:52:06 +0100
Available diffs
- diff from 7.0.29-0ubuntu1 to 7.0.30-0ubuntu1 (78.3 KiB)
Superseded in quantal-release
tomcat7 (7.0.29-0ubuntu1) quantal; urgency=low

  * Re-sync with Debian unstable.
  * New upstream release:
    - Refreshed patches.
  * Enabled Tomcat jdbc-pool module, aligning more closely to upstream and
    providing improved multi-threaded performance over commons-dbcp:
    - d/rules,d/libtomcat7-java.poms: Install tomcat-dbcp.jar file.
    - d/patches/0005-change-default-DBCP-factory-class.patch: Drop patch
      which switches the default DBCP factory to commons-dbcp.
    - d/NEWS: let users know about this change.
tomcat7 (7.0.26-1ubuntu1.1) precise-proposed; urgency=low

  * Fix handling of JNDI lookups using javax.naming.Name (LP: #1012794):
    - d/patches/0012-lp-1012794-fix-jndi-lookup.patch: Cherry picked patch
      from upstream VCS which ensures that JNDI lookups that use Name rather
      than String don't fail.

 -- James Page <email address hidden>  Thu, 12 Jul 2012 21:52:17 +0100
tomcat7 (7.0.28-1) unstable; urgency=low

  [ Miguel Landaeta ]
  * Add Slovak debconf translation (Closes: #677913).
    - Thanks to Ivan Masár.

  [ James Page ]
  * New upstream release.
  * Enable test suite during package build:
    - d/control: Add junit4, libjstl1.1-java and
      libjakarta-taglibs-standard-java to BDI's.
    - d/rules:
      + Add ant/junit4 jar files to build classpath.
      + Target java 1.6 to support test suite execution.
      + Specify location of junit jar file.
      + Install jstl jar files to example webapp during build.
      + Conditionally execute test target if required.
      + Purge jar files from example webapp during clean.
  * Fix JSTL examples in examples web application:
    - d/control: Add dependencies on libjstl1.1-java and
      libjakarta-taglibs-standard-java for tomcat7-examples.
    - d/tomcat7-examples.links: Add links to jstl and standard jar files for
      examples web application.
    - d/context/examples.xml: Allow linking to jar files in examples webapp.
  * Fix mapping to javax packages for API jar files:
    - d/maven.[rules,publishedRules]: Ensure all javax.[servlet|el] jar files
      are published to the correct locations in /usr/share/[maven-repo|java].
    - d/libservlet3.0-java.manifest: Update jar file locations for javax
      remapping.
    - d/libservlet3.0-java.links: Provide backwards compatible links for
      deprecated tomcat-*.jar files in /usr/share/java.

  [ tony mancill ]
  * Set DMUA flag.

 -- tony mancill <email address hidden>  Fri, 22 Jun 2012 07:06:46 -0700
Superseded in quantal-release
tomcat7 (7.0.27-1ubuntu2) quantal; urgency=low

  * Enable test suite during package build:
    - d/control: Add junit4, libjstl1.1-java and
      libjakarta-taglibs-standard-java to BDI's.
    - d/rules:
      + Add ant/junit4 jar files to build classpath.
      + Target java 1.6 to support test suite execution.
      + Specify location of junit jar file.
      + Install jstl jar files to example webapp during build.
      + Conditionally execute test target if required.
      + Purge jar files from example webapp during clean.
  * Fix JSTL examples in examples web application:
    - d/control: Add dependencies on libjstl1.1-java and
      libjakarta-taglibs-standard-java for tomcat7-examples.
    - d/tomcat7-examples.links: Add links to jstl and standard jar files for
      examples web application.
    - d/context/examples.xml: Allow linking to jar files in examples webapp.

 -- James Page <email address hidden>  Sun, 17 Jun 2012 20:07:56 +0100
Superseded in quantal-release
tomcat7 (7.0.27-1ubuntu1) quantal; urgency=low

  * Fix mapping to javax packages for API jar files:
    - d/maven.[rules,publishedRules]: Ensure all javax.[servlet|el] jar files
      are published to the correct locations in /usr/share/[maven-repo|java].
    - d/libservlet3.0-java.manifest: Update jar file locations for javax
      remapping.
    - d/libservlet3.0-java.links: Provide backwards compatible links for
      deprecated tomcat-*.jar files in /usr/share/java.

 -- James Page <email address hidden>  Fri, 15 Jun 2012 15:51:19 +0100
tomcat7 (7.0.27-1) unstable; urgency=low

  * New upstream release.

 -- tony mancill <email address hidden>  Thu, 07 Jun 2012 22:43:21 -0700
Available diffs
- diff from 7.0.26-4 to 7.0.27-1 (139.6 KiB)
tomcat7 (7.0.26-4) unstable; urgency=low

  * Address regression leaving ROOT webapp files after purge.
    (Closes: #670440)
  * Update copyright year in javadoc to 2012.

 -- tony mancill <email address hidden>  Mon, 28 May 2012 18:45:07 -0700
Available diffs
- diff from 7.0.26-3 to 7.0.26-4 (1.2 KiB)
tomcat7 (7.0.26-3) unstable; urgency=low

  * Team upload.
  * Apply patches provided by James Page (Closes: #671370)
    - d/patches/0012-java7-compat.patch: Added compatibility patch to support
      compilation with openjdk-7 as default-jdk (LP: #889002).
    - d/default_root/index.html: Fixup instructions for enabling manager web
      application access (LP: #910368).
  * Fix README.Debian symlink; file is not compressed. (Closes: #674119)

 -- tony mancill <email address hidden>  Wed, 23 May 2012 22:13:23 -0700
Superseded in quantal-release
tomcat7 (7.0.26-2ubuntu1) quantal; urgency=low

  * Resync with Debian.
  * d/patches/0012-java7-compat.patch: Added compatibility patch to support
    compilation with openjdk-7 as default-jdk (LP: #889002).
  * d/default_root/index.html: Fixup instructions for enabling manager web
    application access (LP: #910368).
tomcat7 (7.0.26-1ubuntu1) precise; urgency=low

  * Handle creation of user instances with pathnames containing spaces
    (LP: #977498):
    - d/tomcat7-instance-create: Quote access to files and directories so
      that spaces can be used when creating user instances.

 -- James Page <email address hidden>  Wed, 11 Apr 2012 10:49:51 +0100
tomcat7 (7.0.26-1) unstable; urgency=low

  [ Jakub Adam ]
  * New upstream release.
  * Add Jakub Adam to Uploaders.
  * Bump Standards-Version to 3.9.3.
  * Don't Depend libservlet3.0-java-doc on package it documents, relax to
    Suggests.

  [ tony mancill ]
  * Add Polish debconf translation. (Closes: #661644)
    - Thanks to Michał Kułach.

 -- tony mancill <email address hidden>  Thu, 01 Mar 2012 21:22:50 -0800
Available diffs
- diff from 7.0.23-1 (in Ubuntu) to 7.0.26-1 (154.3 KiB)
tomcat7 (7.0.23-1) unstable; urgency=low

  * New upstream release.
  * Refresh patches.

 -- Ubuntu Archive Auto-Sync <email address hidden>  Mon, 12 Dec 2011 12:02:13 +0000
Available diffs
- diff from 7.0.22-1 to 7.0.23-1 (525.5 KiB)
tomcat7 (7.0.22-1) unstable; urgency=low

  [ Miguel Landaeta ]
  * New upstream release.
  * Fix lintian warning about format specification of copyright file.

  [ tony mancill ]
  * Add dependency on JRE to tomcat7-common (Closes: #644340)
  * Modify init script to look for JVM in /usr/lib/jvm/default-java

 -- Ubuntu Archive Auto-Sync <email address hidden>  Wed, 19 Oct 2011 09:20:55 +0000
Available diffs
- diff from 7.0.21-1 to 7.0.22-1 (61.6 KiB)
tomcat7 (7.0.21-1) unstable; urgency=low

  * New upstream release.
    - Includes fix for CVE-2011-3190.
  * Updated my email address.

 -- James Page <email address hidden>  Thu, 08 Sep 2011 13:18:11 +0000
Available diffs
- diff from 7.0.19-1 (in Debian) to 7.0.21-1 (122.2 KiB)