Change log for tomcat8 package in Ubuntu

155 of 55 results
Published in xenial-updates on 2018-10-10
Published in xenial-security on 2018-10-10
tomcat8 (8.0.32-1ubuntu1.8) xenial-security; urgency=medium

  * SECURITY UPDATE: arbitrary redirect issue
    - debian/patches/CVE-2018-11784.patch: avoid protocol relative
      redirects in java/org/apache/catalina/servlets/DefaultServlet.java.
    - CVE-2018-11784

 -- Marc Deslauriers <email address hidden>  Tue, 09 Oct 2018 11:28:36 -0400
Published in disco-release on 2018-10-30
Published in cosmic-release on 2018-09-20
Deleted in cosmic-proposed (Reason: moved to release)
tomcat8 (8.5.34-1ubuntu1) cosmic; urgency=medium

  * Merge from Debian unstable.  Remaining changes:
    - control: Break/replace tomcat8.0 binaries. (LP: #1717998)
    - support-jre8.diff.

Available diffs

Published in bionic-updates on 2018-08-27
Published in bionic-security on 2018-08-27
tomcat8 (8.5.30-1ubuntu1.4) bionic-security; urgency=medium

  * SECURITY UPDATE:
   - CVE-2018-1336: A bug in the UTF-8 decoder can lead to DoS
   - CVE-2018-8034: host name verification missing in WebSocket client
   - CVE-2018-8037: Information Disclosure

 -- Thomas Opfer <email address hidden>  Mon, 13 Aug 2018 22:23:56 +0200
Superseded in xenial-updates on 2018-10-10
Superseded in xenial-security on 2018-10-10
tomcat8 (8.0.32-1ubuntu1.7) xenial-security; urgency=medium

  * SECURITY UPDATE: DoS via issue in UTF-8 decoder
    - debian/patches/CVE-2018-1336.patch: fix logic in
      java/org/apache/tomcat/util/buf/Utf8Decoder.java.
    - CVE-2018-1336
  * SECURITY UPDATE: missing hostname verification in WebSocket client
    - debian/patches/CVE-2018-8034.patch: enable hostname verification by
      default in webapps/docs/web-socket-howto.xml,
      java/org/apache/tomcat/websocket/WsWebSocketContainer.java.
    - CVE-2018-8034

 -- Marc Deslauriers <email address hidden>  Wed, 25 Jul 2018 08:17:36 -0400
Superseded in bionic-updates on 2018-08-27
Deleted in bionic-proposed on 2018-08-28 (Reason: moved to -updates)
tomcat8 (8.5.30-1ubuntu1.3) bionic; urgency=medium

  * Search for Java 10 and 11 runtimes (LP: #1780345)

 -- Stefano Rivera <email address hidden>  Mon, 16 Jul 2018 20:41:29 -0700
Superseded in cosmic-release on 2018-09-20
Deleted in cosmic-proposed on 2018-09-21 (Reason: moved to release)
tomcat8 (8.5.32-1ubuntu2) cosmic; urgency=medium

  * Re-introduce and refresh support-jre8.diff - it is still needed.

 -- Stefano Rivera <email address hidden>  Mon, 16 Jul 2018 14:58:48 -0700
Superseded in cosmic-proposed on 2018-07-16
tomcat8 (8.5.32-1ubuntu1) cosmic; urgency=low

  * Merge from Debian unstable.  Remaining changes:
    - control: Break/replace tomcat8.0 binaries. (LP: #1717998)
  * Dropped changes:
    - CVE-2018-8014.patch - superseded upstream.
    - support-jre8.diff - superseded in Debian, by using ant/1.10.3-2.

Available diffs

Superseded in cosmic-release on 2018-07-17
Deleted in cosmic-proposed on 2018-07-18 (Reason: moved to release)
tomcat8 (8.5.30-1ubuntu3) cosmic; urgency=medium

  * SECURITY UPDATE: CORS filter has insecure defaults
    - debian/patches/CVE-2018-8014.patch: change defaults in
      java/org/apache/catalina/filters/CorsFilter.java,
      java/org/apache/catalina/filters/LocalStrings.properties,
      test/org/apache/catalina/filters/TestCorsFilter.java,
      test/org/apache/catalina/filters/TesterFilterConfigs.java.
    - CVE-2018-8014

 -- Marc Deslauriers <email address hidden>  Thu, 31 May 2018 07:14:54 -0400
Superseded in bionic-updates on 2018-08-09
Superseded in bionic-security on 2018-08-27
tomcat8 (8.5.30-1ubuntu1.2) bionic-security; urgency=medium

  * SECURITY UPDATE: CORS filter has insecure defaults
    - debian/patches/CVE-2018-8014.patch: change defaults in
      java/org/apache/catalina/filters/CorsFilter.java,
      java/org/apache/catalina/filters/LocalStrings.properties,
      test/org/apache/catalina/filters/TestCorsFilter.java,
      test/org/apache/catalina/filters/TesterFilterConfigs.java.
    - CVE-2018-8014

 -- Marc Deslauriers <email address hidden>  Wed, 30 May 2018 09:37:13 -0400
Published in artful-updates on 2018-05-30
Published in artful-security on 2018-05-30
tomcat8 (8.5.21-1ubuntu1.1) artful-security; urgency=medium

  * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
    - debian/patches/CVE-2017-12617.patch: add checks to
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/webresources/AbstractFileResourceSet.java,
      java/org/apache/catalina/webresources/DirResourceSet.java,
      java/org/apache/tomcat/util/compat/JrePlatform.java,
      test/org/apache/catalina/webresources/AbstractTestResourceSet.java,
      test/org/apache/catalina/webresources/TestAbstractFileResourceSetPerformance.java.
    - CVE-2017-12617
  * SECURITY UPDATE: incorrectly documented CGI search algorithm
    - debian/patches/CVE-2017-15706.patch: adjust documentation in
      webapps/docs/cgi-howto.xml.
    - CVE-2017-15706
  * SECURITY UPDATE: security constraints mapped to context root are ignored
    - debian/patches/CVE-2018-1304.patch: add check to
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2018-1304
  * SECURITY UPDATE: security constraint annotations applied too late
    - debian/patches/CVE-2018-1305.patch: change ordering in
      java/org/apache/catalina/Wrapper.java,
      java/org/apache/catalina/authenticator/AuthenticatorBase.java,
      java/org/apache/catalina/core/ApplicationContext.java,
      java/org/apache/catalina/core/ApplicationServletRegistration.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/StandardWrapper.java,
      java/org/apache/catalina/startup/ContextConfig.java,
      java/org/apache/catalina/startup/Tomcat.java,
      java/org/apache/catalina/startup/WebAnnotationSet.java.
    - CVE-2018-1305
  * SECURITY UPDATE: CORS filter has insecure defaults
    - debian/patches/CVE-2018-8014.patch: change defaults in
      java/org/apache/catalina/filters/CorsFilter.java,
      java/org/apache/catalina/filters/LocalStrings.properties,
      test/org/apache/catalina/filters/TestCorsFilter.java,
      test/org/apache/catalina/filters/TesterFilterConfigs.java.
    - CVE-2018-8014

 -- Marc Deslauriers <email address hidden>  Mon, 28 May 2018 09:03:55 -0400
Superseded in xenial-updates on 2018-07-25
Superseded in xenial-security on 2018-07-25
tomcat8 (8.0.32-1ubuntu1.6) xenial-security; urgency=medium

  * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
    - debian/patches/CVE-2017-12617.patch: add checks to
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/webresources/AbstractFileResourceSet.java,
      java/org/apache/catalina/webresources/DirResourceSet.java,
      java/org/apache/tomcat/util/compat/JrePlatform.java,
      test/org/apache/catalina/webresources/AbstractTestResourceSet.java,
      test/org/apache/catalina/webresources/TestAbstractFileResourceSetPerformance.java.
    - CVE-2017-12617
  * SECURITY UPDATE: security constraints mapped to context root are ignored
    - debian/patches/CVE-2018-1304.patch: add check to
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2018-1304
  * SECURITY UPDATE: security constraint annotations applied too late
    - debian/patches/CVE-2018-1305.patch: change ordering in
      java/org/apache/catalina/Wrapper.java,
      java/org/apache/catalina/authenticator/AuthenticatorBase.java,
      java/org/apache/catalina/core/ApplicationContext.java,
      java/org/apache/catalina/core/ApplicationServletRegistration.java,
      java/org/apache/catalina/core/StandardContext.java,
      java/org/apache/catalina/core/StandardWrapper.java,
      java/org/apache/catalina/startup/ContextConfig.java,
      java/org/apache/catalina/startup/Tomcat.java,
      java/org/apache/catalina/startup/WebAnnotationSet.java.
    - CVE-2018-1305
  * SECURITY UPDATE: CORS filter has insecure defaults
    - debian/patches/CVE-2018-8014.patch: change defaults in
      java/org/apache/catalina/filters/CorsFilter.java,
      java/org/apache/catalina/filters/LocalStrings.properties,
      test/org/apache/catalina/filters/TestCorsFilter.java,
      test/org/apache/catalina/filters/TesterFilterConfigs.java.
    - CVE-2018-8014

 -- Marc Deslauriers <email address hidden>  Mon, 28 May 2018 13:21:29 -0400
Deleted in bionic-proposed on 2018-05-31 (Reason: moved to -updates)
tomcat8 (8.5.30-1ubuntu1.1) bionic; urgency=medium

  * support-jre8.diff: Fix running tomcat with JRE8. (LP: #1765616)

 -- Timo Aaltonen <email address hidden>  Tue, 24 Apr 2018 23:47:45 +0300
Superseded in cosmic-release on 2018-06-07
Deleted in cosmic-proposed on 2018-06-08 (Reason: moved to release)
tomcat8 (8.5.30-1ubuntu2) cosmic; urgency=medium

  * support-jre8.diff: Fix running tomcat with JRE8. (LP: #1765616)

 -- Timo Aaltonen <email address hidden>  Tue, 24 Apr 2018 23:47:45 +0300
Superseded in cosmic-release on 2018-05-07
Published in bionic-release on 2018-04-19
Deleted in bionic-proposed (Reason: moved to release)
tomcat8 (8.5.30-1ubuntu1) bionic; urgency=medium

  * control: Break/replace tomcat8.0 binaries. (LP: #1717998)

 -- Timo Aaltonen <email address hidden>  Thu, 19 Apr 2018 14:53:19 +0300
Superseded in bionic-release on 2018-04-19
Deleted in bionic-proposed on 2018-04-21 (Reason: moved to release)
tomcat8 (8.5.30-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.1.4

 -- Emmanuel Bourg <email address hidden>  Thu, 12 Apr 2018 09:49:28 +0200

Available diffs

Superseded in bionic-release on 2018-04-19
Deleted in bionic-proposed on 2018-04-20 (Reason: moved to release)
tomcat8 (8.5.29-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Mon, 12 Mar 2018 16:43:57 +0100
Superseded in bionic-release on 2018-03-22
Superseded in bionic-release on 2018-03-22
Published in artful-release on 2017-10-13
Deleted in artful-proposed (Reason: moved to release)
tomcat8 (8.5.21-1ubuntu1) artful; urgency=medium

  * Demote libtcnative-1 from Recommends to Suggests as it is in
    universe.

 -- Robie Basak <email address hidden>  Fri, 13 Oct 2017 12:06:51 +0100
Obsolete in zesty-updates on 2018-06-22
Obsolete in zesty-security on 2018-06-22
tomcat8 (8.0.38-2ubuntu2.2) zesty-security; urgency=medium

  * SECURITY UPDATE: loss of pipeline requests
    - debian/patches/CVE-2017-5647.patch: improve sendfile handling when
      requests are pipelined in
      java/org/apache/coyote/AbstractProtocol.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11Nio2Processor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/Nio2Endpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java,
      java/org/apache/tomcat/util/net/SendfileKeepAliveState.java.
    - CVE-2017-5647
  * SECURITY UPDATE: incorrect facade object use
    - debian/patches/CVE-2017-5648.patch: ensure request and response
      facades are used when firing application listeners in
      java/org/apache/catalina/authenticator/FormAuthenticator.java,
      java/org/apache/catalina/core/StandardHostValve.java.
    - CVE-2017-5648
  * SECURITY UPDATE: unexpected and undesirable results for static error
    pages
    - debian/patches/CVE-2017-5664.patch: use a more reliable mechanism in
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/WebdavServlet.java.
    - CVE-2017-5664
  * SECURITY UPDATE: client and server side cache poisoning in CORS filter
    - debian/patches/CVE-2017-7674.patch: set Vary header in response in
      java/org/apache/catalina/filters/CorsFilter.java.
    - CVE-2017-7674

 -- Marc Deslauriers <email address hidden>  Wed, 27 Sep 2017 17:20:40 -0400
Superseded in xenial-updates on 2018-05-30
Superseded in xenial-security on 2018-05-30
tomcat8 (8.0.32-1ubuntu1.5) xenial-security; urgency=medium

  * SECURITY UPDATE: loss of pipeline requests
    - debian/patches/CVE-2017-5647.patch: improve sendfile handling when
      requests are pipelined in
      java/org/apache/coyote/AbstractProtocol.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11Nio2Processor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/Nio2Endpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java,
      java/org/apache/tomcat/util/net/SendfileKeepAliveState.java.
    - CVE-2017-5647
  * SECURITY UPDATE: incorrect facade object use
    - debian/patches/CVE-2017-5648.patch: ensure request and response
      facades are used when firing application listeners in
      java/org/apache/catalina/authenticator/FormAuthenticator.java,
      java/org/apache/catalina/core/StandardHostValve.java.
    - CVE-2017-5648
  * SECURITY UPDATE: unexpected and undesirable results for static error
    pages
    - debian/patches/CVE-2017-5664.patch: use a more reliable mechanism in
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/WebdavServlet.java.
    - CVE-2017-5664
  * SECURITY UPDATE: client and server side cache poisoning in CORS filter
    - debian/patches/CVE-2017-7674.patch: set Vary header in response in
      java/org/apache/catalina/filters/CorsFilter.java.
    - CVE-2017-7674

 -- Marc Deslauriers <email address hidden>  Wed, 27 Sep 2017 17:23:18 -0400
Superseded in artful-release on 2017-10-13
Deleted in artful-proposed on 2017-10-15 (Reason: moved to release)
tomcat8 (8.5.21-1) unstable; urgency=medium

  * Team upload.

  [ Emmanuel Bourg ]
  * New upstream release
    - Refreshed the patches
    - Disabled Checkstyle
  * Changed the Class-Path manifest entry of tomcat8-jasper.jar to use
    the specification jars from libtomcat8-java instead of libservlet3.1-java
    (Closes: #867247)

  [ Miguel Landaeta ]
  * Remove myself from uploaders. (Closes: #871892)
  * Update copyright info.

 -- Emmanuel Bourg <email address hidden>  Wed, 20 Sep 2017 10:06:56 +0200

Available diffs

Superseded in artful-release on 2017-09-21
Deleted in artful-proposed on 2017-09-22 (Reason: moved to release)
tomcat8 (8.5.16-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.0.0

 -- Emmanuel Bourg <email address hidden>  Mon, 26 Jun 2017 16:03:53 +0200
Obsolete in yakkety-updates on 2018-01-23
Deleted in yakkety-proposed on 2018-01-23 (Reason: moved to -updates)
tomcat8 (8.0.37-1ubuntu0.2) yakkety; urgency=medium

  * Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat8
    contains the '%' character (LP: #1666570).

 -- Joshua Powers <email address hidden>  Tue, 28 Mar 2017 16:46:16 -0700
Superseded in artful-release on 2017-09-13
Obsolete in zesty-release on 2018-06-22
Deleted in zesty-proposed on 2018-06-22 (Reason: moved to release)
tomcat8 (8.0.38-2ubuntu2) zesty; urgency=medium

  * Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat8
    contains the '%' character (LP: #1666570).

 -- Joshua Powers <email address hidden>  Tue, 28 Mar 2017 16:47:32 -0700
Superseded in xenial-updates on 2018-01-08
Deleted in xenial-proposed on 2018-01-09 (Reason: moved to -updates)
tomcat8 (8.0.32-1ubuntu1.4) xenial; urgency=medium

  * Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat8
    contains the '%' character (LP: #1666570).

 -- Joshua Powers <email address hidden>  Thu, 09 Mar 2017 14:38:04 -0700
Superseded in zesty-release on 2017-04-11
Deleted in zesty-proposed on 2017-04-12 (Reason: moved to release)
tomcat8 (8.0.38-2ubuntu1) zesty; urgency=medium

  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid
      characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
      java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
      credential types in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when unable
      to complete sendfile request in
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat8.postinst: properly set permissions on
      /etc/tomcat8/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat8.postrm.in: don't reset permissions before removing
      user.
    - CVE-2016-9775

 -- Marc Deslauriers <email address hidden>  Wed, 15 Feb 2017 08:38:11 -0500
Superseded in xenial-updates on 2017-05-25
Superseded in xenial-security on 2018-01-08
tomcat8 (8.0.32-1ubuntu1.3) xenial-security; urgency=medium

  * SECURITY UPDATE: timing attack in realm implementations
    - debian/patches/CVE-2016-0762.patch: add time delays to
      java/org/apache/catalina/realm/DataSourceRealm.java,
      java/org/apache/catalina/realm/JDBCRealm.java,
      java/org/apache/catalina/realm/MemoryRealm.java,
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2016-0762
  * SECURITY UPDATE: SecurityManager bypass via a Tomcat utility method
    - debian/patches/CVE-2016-5018.patch: remove unnecessary code in
      java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
      java/org/apache/jasper/security/SecurityClassLoad.java,
      java/org/apache/jasper/servlet/JasperInitializer.java.
    - CVE-2016-5018
  * SECURITY UPDATE: mitigaton for httpoxy issue
    - debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization
      parameter to conf/web.xml, webapps/docs/cgi-howto.xml,
      java/org/apache/catalina/servlets/CGIServlet.java.
    - CVE-2016-5388
  * SECURITY UPDATE: system properties read SecurityManager bypass
    - debian/patches/CVE-2016-6794.patch: extend SecurityManager protection
      to the system property replacement feature of the digester in
      java/org/apache/catalina/loader/WebappClassLoaderBase.java,
      java/org/apache/tomcat/util/digester/Digester.java,
      java/org/apache/tomcat/util/security/PermissionCheck.java.
    - CVE-2016-6794
  * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
    parameters
    - debian/patches/CVE-2016-6796.patch: ignore some JSP options when
      running under a SecurityManager in conf/web.xml,
      java/org/apache/jasper/EmbeddedServletOptions.java,
      java/org/apache/jasper/resources/LocalStrings.properties,
      java/org/apache/jasper/servlet/JspServlet.java,
      webapps/docs/jasper-howto.xml.
    - CVE-2016-6796
  * SECURITY UPDATE: web application global JNDI resource access
    - debian/patches/CVE-2016-6797.patch: ensure that the global resource
      is only visible via the ResourceLinkFactory when it is meant to be in
      java/org/apache/catalina/core/NamingContextListener.java,
      java/org/apache/naming/factory/ResourceLinkFactory.java,
      test/org/apache/naming/TestNamingContext.java.
    - CVE-2016-6797
  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid
      characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
      java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
      credential types in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when unable
      to complete sendfile request in
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat8.postinst: properly set permissions on
      /etc/tomcat8/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat8.postrm.in: don't reset permissions before removing
      user.
    - CVE-2016-9775
  * debian/tomcat8.init: further hardening.

 -- Marc Deslauriers <email address hidden>  Mon, 16 Jan 2017 08:18:27 -0500
Superseded in yakkety-updates on 2017-06-19
Obsolete in yakkety-security on 2018-01-23
tomcat8 (8.0.37-1ubuntu0.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid
      characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
      java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
      credential types in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when unable
      to complete sendfile request in
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat8.postinst: properly set permissions on
      /etc/tomcat8/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat8.postrm.in: don't reset permissions before removing
      user.
    - CVE-2016-9775
  * debian/tomcat8.init: further hardening.

 -- Marc Deslauriers <email address hidden>  Fri, 13 Jan 2017 10:48:08 -0500
Deleted in zesty-proposed on 2017-02-15 (Reason: breaks other packages not yet ported to tomcat 8.5; will ...)
tomcat8 (8.5.11-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Recommend Java 8 in /etc/default/tomcat8

 -- Emmanuel Bourg <email address hidden>  Tue, 17 Jan 2017 15:09:30 +0100

Available diffs

Superseded in zesty-proposed on 2017-01-17
tomcat8 (8.5.9-2) unstable; urgency=medium

  * Team upload.
  * Require Java 8 or higher (Closes: #848612)

 -- Emmanuel Bourg <email address hidden>  Mon, 19 Dec 2016 15:35:19 +0100

Available diffs

Superseded in zesty-proposed on 2016-12-19
tomcat8 (8.5.9-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Restored the classloading from the common, server and shared directories
    under CATALINA_BASE (Closes: #847137)
  * Fixed the installation error when JAVA_OPTS in /etc/default/tomcat8
    contains the '%' character (Closes: #770911)

 -- Emmanuel Bourg <email address hidden>  Thu, 08 Dec 2016 22:26:36 +0100

Available diffs

Superseded in zesty-proposed on 2016-12-09
tomcat8 (8.5.8-2) unstable; urgency=medium

  * Team upload.
  * Upload to unstable.
  * No longer make /etc/tomcat8/Catalina/localhost writable by the tomcat8 user
    in the postinst script (Closes: #845393)
  * The tomcat8 user is no longer removed when the package is purged
    (Closes: #845385)
  * Compress and remove the access log files with a .txt extension
    (Closes: #845661)
  * Added the delaycompress option to the logrotate configuration
    of catalina.out (Closes: #843135)
  * Changed the home directory for the tomcat8 user from /usr/share/tomcat8
    to /var/lib/tomcat8 (Closes: #833261)
  * Aligned the logging configuration with the upstream one
  * Set the proper permissions for /etc/tomcat8/jaspic-providers.xml
  * Install the new library jaspic-api.jar
  * Install the Maven artifacts for tomcat-storeconfig
  * Simplified debian/rules

 -- Emmanuel Bourg <email address hidden>  Thu, 01 Dec 2016 18:41:14 +0100

Available diffs

Superseded in zesty-proposed on 2016-12-01
tomcat8 (8.0.39-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Tue, 15 Nov 2016 15:37:48 +0100

Available diffs

Superseded in zesty-release on 2017-02-17
Deleted in zesty-proposed on 2017-02-18 (Reason: moved to release)
tomcat8 (8.0.38-2) unstable; urgency=high

  * Team upload.
  * CVE-2016-1240 follow-up:
    - The previous init.d fix was vulnerable to a race condition that could
      be exploited to make any existing file writable by the tomcat user.
      Thanks to Paul Szabo for the report and the fix.
    - The catalina.policy file generated on startup was affected by a similar
      vulnerability that could be exploited to overwrite any file on the system.
      Thanks to Paul Szabo for the report.
  * Install the extra jar catalina-jmx-remote.jar (Closes: #762916)
  * Added the new libtomcat8-embed-java package containing the libraries
    for embedding Tomcat into other applications.
  * Switch to debhelper level 10

 -- Emmanuel Bourg <email address hidden>  Fri, 28 Oct 2016 01:17:23 +0200

Available diffs

Superseded in zesty-release on 2016-11-03
Obsolete in yakkety-release on 2018-01-23
Deleted in yakkety-proposed on 2018-01-23 (Reason: moved to release)
tomcat8 (8.0.37-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Removed 0001-set-UTF-8-as-default-character-encoding.patch (fixed upstream)

 -- Emmanuel Bourg <email address hidden>  Mon, 19 Sep 2016 09:37:33 +0200
Superseded in yakkety-release on 2016-10-06
Deleted in yakkety-proposed on 2016-10-07 (Reason: moved to release)
tomcat8 (8.0.36-2ubuntu1) yakkety; urgency=medium

  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat8.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240

 -- Marc Deslauriers <email address hidden>  Fri, 16 Sep 2016 09:08:41 -0400
Superseded in xenial-updates on 2017-01-23
Superseded in xenial-security on 2017-01-23
tomcat8 (8.0.32-1ubuntu1.2) xenial-security; urgency=medium

  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat8.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240

 -- Marc Deslauriers <email address hidden>  Fri, 16 Sep 2016 09:11:41 -0400
Superseded in yakkety-release on 2016-09-16
Deleted in yakkety-proposed on 2016-09-18 (Reason: moved to release)
tomcat8 (8.0.36-2) unstable; urgency=medium

  * Team upload.
  * Do not unconditionally overwrite files in /etc/tomcat8 anymore.
    (Closes: #825786)

 -- Markus Koschany <email address hidden>  Tue, 02 Aug 2016 10:50:42 +0200

Available diffs

Superseded in xenial-updates on 2016-09-19
Superseded in xenial-security on 2016-09-19
tomcat8 (8.0.32-1ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: denial of service in FileUpload
    - debian/patches/CVE-2016-3092.patch: properly handle size in
      java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
    - CVE-2016-3092

 -- Marc Deslauriers <email address hidden>  Wed, 06 Jul 2016 07:49:29 -0400
Superseded in yakkety-release on 2016-08-03
Deleted in yakkety-proposed on 2016-08-04 (Reason: moved to release)
tomcat8 (8.0.36-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Depend on libecj-java (>= 3.11.0)
  * Standards-Version updated to 3.9.8 (no changes)
  * Use a secure Vcs-Git URL

 -- Emmanuel Bourg <email address hidden>  Tue, 14 Jun 2016 14:34:46 +0200
Superseded in yakkety-release on 2016-06-21
Published in xenial-release on 2016-02-22
Superseded in xenial-release on 2016-02-22
Deleted in xenial-proposed (Reason: moved to release)
tomcat8 (8.0.32-1ubuntu1) xenial; urgency=medium

  * Prepare to promote tomcat8 to main (LP: #1539903).
    - debian/control, 0021-ubuntu-mainize-build-xml.patch: Remove
      build-dependencies on libobjenesis-java and libeasymock-java, and skip
      tests that rely on the functionality they provide.

 -- Nishanth Aravamudan <email address hidden>  Fri, 05 Feb 2016 09:20:39 +0100
Superseded in xenial-release on 2016-02-19
Deleted in xenial-proposed on 2016-02-20 (Reason: moved to release)
tomcat8 (8.0.32-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Fixed a warning in catalina.out caused by an incorrect path
    for the root context (Closes: #808378)
  * Standards-Version updated to 3.9.7 (no changes)

 -- Emmanuel Bourg <email address hidden>  Mon, 21 Dec 2015 11:20:10 +0100

Available diffs

Obsolete in vivid-updates on 2018-01-18
Obsolete in vivid-security on 2018-01-18
tomcat8 (8.0.14-1+deb8u1build0.15.04.1) vivid-security; urgency=medium

  * fake sync from Debian

Superseded in xenial-release on 2016-02-11
Deleted in xenial-proposed on 2016-02-12 (Reason: moved to release)
tomcat8 (8.0.30-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Use LC_ALL instead of LANG to format the date and make the documentation
    reproducible on the builders

 -- Emmanuel Bourg <email address hidden>  Fri, 18 Dec 2015 11:44:06 +0100

Available diffs

Superseded in xenial-release on 2015-12-18
Deleted in xenial-proposed on 2015-12-20 (Reason: moved to release)
tomcat8 (8.0.28-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Fixed a localized date in the documentation to improve the reproducibility

 -- Emmanuel Bourg <email address hidden>  Mon, 19 Oct 2015 11:12:07 +0200

Available diffs

Superseded in xenial-release on 2015-10-24
Obsolete in wily-release on 2018-01-22
Deleted in wily-proposed on 2018-01-22 (Reason: moved to release)
tomcat8 (8.0.26-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Changed the authbind configuration to allow IPv6 connections (LP: #1443041)
  * Fixed an upgrade error when /etc/tomcat8/tomcat-users.xml is removed
    (LP: #1010791)
  * Fixed a minor HTML error in the default index.html file (LP: #1236132)

 -- Emmanuel Bourg <email address hidden>  Mon, 24 Aug 2015 00:30:40 +0200

Available diffs

Superseded in wily-release on 2015-08-30
Deleted in wily-proposed on 2015-09-01 (Reason: moved to release)
tomcat8 (8.0.24-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * debian/rules: Use an english locale when generating the documentation
    to improve the reproducibility

 -- Emmanuel Bourg <email address hidden>  Wed, 08 Jul 2015 17:42:14 +0200

Available diffs

Superseded in wily-release on 2015-07-09
Deleted in wily-proposed on 2015-07-10 (Reason: moved to release)
tomcat8 (8.0.23-1) unstable; urgency=medium

  * New upstream release
  * debian/rules: Set the 'year' and 'today-iso-8601' build variables
    to improve the reproducibility

 -- Emmanuel Bourg <email address hidden>  Tue, 26 May 2015 16:04:01 +0200

Available diffs

Superseded in wily-release on 2015-05-27
Deleted in wily-proposed on 2015-05-28 (Reason: moved to release)
tomcat8 (8.0.22-2) unstable; urgency=medium

  * Replaced the date in ServerInfo.properties with the latest date
    in debian/changelog to make the build reproducible
  * debian/rules:
    - Modified to use the dh sequencer
    - Simplified the ant invocation and moved some properties
      to debian/ant.properties
    - Do not set the version.* properties already defined
      in build.properties.default
    - Renamed T_VER to VERSION
    - Removed the RWFILES and RWLOC variables
    - Merged the ANT_ARGS and ANT_INVOKE variables
    - No longer remove the long gone .svn directories under
      /usr/share/tomcat8/webapps/default_root
    - Let dh_fixperms set the permissions instead of calling chmod +x
    - Use debian/tomcat8-user.manpages instead of calling dh_installman
    - Updated the copyright year in the Javadoc
    - Simplified the call to mh_install

 -- Emmanuel Bourg <email address hidden>  Thu, 07 May 2015 14:13:30 +0200

Available diffs

Superseded in wily-release on 2015-05-08
Deleted in wily-proposed on 2015-05-09 (Reason: moved to release)
tomcat8 (8.0.22-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - No longer install tomcat-spdy.jar (removed upstream)
  * Removed the timstamp from the Javadoc of the Servlet API
    to make the build reproducible

 -- Emmanuel Bourg <email address hidden>  Wed, 06 May 2015 09:30:38 +0200

Available diffs

Superseded in wily-proposed on 2015-05-06
tomcat8 (8.0.21-2) unstable; urgency=medium

  * Upload to unstable.

 -- Miguel Landaeta <email address hidden>  Fri, 01 May 2015 12:41:13 -0300
Superseded in wily-release on 2015-05-07
Obsolete in vivid-release on 2018-01-18
Deleted in vivid-proposed on 2018-01-19 (Reason: moved to release)
tomcat8 (8.0.14-1) unstable; urgency=medium


  * New upstream release
    - Refreshed the patches
  * Build depend on libcglib3-java instead of libcglib-java
  * Standards-Version updated to 3.9.6 (no changes)

 -- Emmanuel Bourg <email address hidden>  Mon, 29 Sep 2014 13:23:43 +0200

Available diffs

Superseded in vivid-release on 2014-10-26
Obsolete in utopic-release on 2016-11-03
Deleted in utopic-proposed on 2016-11-03 (Reason: moved to release)
tomcat8 (8.0.9-1) unstable; urgency=medium


  [ Emmanuel Bourg ]
  * New upstream release
    - Refreshed the patches
  * Search for OpenJDK 8 and Oracle JDKs when starting the server
  * Removed the dependency on the non existent java-7-runtime package
  * Fixed a link still pointing to the Tomcat 7 documentation in README.Debian
  * Updated the version required for libtcnative-1 (>= 1.1.30)

  [ tony mancill ]
  * Update README.Debian with information about migration guides.

 -- Emmanuel Bourg <email address hidden>  Tue, 24 Jun 2014 21:28:37 +0200

Available diffs

Superseded in utopic-release on 2014-06-25
Deleted in utopic-proposed on 2014-06-26 (Reason: moved to release)
tomcat8 (8.0.8-1) unstable; urgency=medium


  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Thu, 22 May 2014 13:01:55 +0200

Available diffs

Superseded in utopic-proposed on 2014-05-24
tomcat8 (8.0.5-1) unstable; urgency=medium


  * New upstream release
    - Refreshed the patches
    - Disabled Java 8 support in JSPs (requires an Eclipse compiler update)
  * Fixed the name of the doc-base file for libservlet3.1-java (Closes: #746338)
  * Update email addresses of maintainers.

 -- Emmanuel Bourg <email address hidden>  Tue, 29 Apr 2014 10:22:45 +0200

Available diffs

Superseded in utopic-proposed on 2014-05-02
tomcat8 (8.0.3-1) unstable; urgency=medium


  [ Emmanuel Bourg ]
  * Team upload.
  * New upstream release (Closes: #722675)
    - Updated the version of the Servlet, JSP and EL APIs
    - Switched to Java 7
    - Updated the watch file to match the Tomcat 8 releases
    - Refreshed the patches
    - Updated debian/copyright, documented the xsd files licensed under the CDDL
    - Installed the new jars (spdy, jni, websocket, websocket-api, storeconfig)
    - Updated the artifactId of the specification jars to include
      the new javax prefix
    - Added the javax.websocket-api artifact to libservlet3.1-java
    - New build dependency on cglib, easymock and objenesis
  * Added a patch to include the name of the distribution on the error pages
  * Use XZ compression for the upstream tarball
  * debian/control:
    - Replaced Sun Microsystems with Oracle in the packages descriptions
    - Mentioned 'Apache Tomcat' in the packages descriptions
    - Standards-Version updated to 3.9.5 (no changes)
  * Deploy the Tomcat artifacts in the Maven repository with the 8.x version
    instead of 'debian' to avoid conflicts with other versions of Tomcat.
  * Hard coded the versions in the poms in debian/javaxpoms to fix the version
    of the dependencies for jsp-api
  * Renamed the jars in /usr/share/java to tomcat8-xxx to avoid conflicts
    with other versions of Tomcat
  * Added the missing descriptions to the patches
  * Added a patch to ignore the failing tests
  * Moved the tomcat-{servlet|jsp|el}-api artifacts from libservlet3.1-java
    to libtomcat8-java and changed their versions to the Tomcat version instead
    of the specification version.
  * Removed libservlet3.1-java.links defining the tomcat-* links
    in /usr/share/java with the specifications versions
  * The symlinks to /usr/share/tomcat8/lib are no longer split between the two
    packages libtomcat8-java and tomcat8-common. tomcat8-common assembles all
    the jars required by Tomcat (tomcat jars + dbcp + pool). libtomcat8-java
    deploys only the jars in /usr/share/java and the Maven artifacts in
    /usr/share/maven-repo.
  * Added the EL and WebSocket APIs to libservlet3.1-java-doc
  * Added a Lintian override for the incompatible-java-bytecode-format warning
    since Tomcat requires Java 7
  * Added a Lintian override to clear the codeless-jar warnings
    on the tomcat-i18n jars instead of a patch turning them into zip files.
  * Removed 0011-fix-classpath-lintian-warnings.patch and specified
    the classpath of jasper.jar in libtomcat8-java.manifest instead.
  
  [ tony mancill ]
  * Include tomcat-util-scan.jar in the libtomcat8-java package.
  * Remove debian/NEWS (inapplicable to this release).
  * Prune debian/changelog to only contain tomcat8 entries.

 -- Emmanuel Bourg <email address hidden>  Sat, 15 Mar 2014 23:23:14 +0100
155 of 55 results