-
tomcat7 (7.0.52-1ubuntu0.16) trusty-security; urgency=medium
* SECURITY UPDATE: arbitrary redirect issue
- debian/patches/CVE-2018-11784.patch: avoid protocol relative
redirects in java/org/apache/catalina/servlets/DefaultServlet.java.
- CVE-2018-11784
-- Marc Deslauriers <email address hidden> Tue, 09 Oct 2018 11:25:36 -0400
-
tomcat7 (7.0.52-1ubuntu0.15) trusty-security; urgency=medium
* SECURITY UPDATE: DoS via issue in UTF-8 decoder
- debian/patches/CVE-2018-1336.patch: fix logic in
java/org/apache/tomcat/util/buf/Utf8Decoder.java.
- CVE-2018-1336
* SECURITY UPDATE: missing hostname verification in WebSocket client
- debian/patches/CVE-2018-8034.patch: enable hostname verification by
default in webapps/docs/web-socket-howto.xml,
java/org/apache/tomcat/websocket/WsWebSocketContainer.java.
- CVE-2018-8034
-- Marc Deslauriers <email address hidden> Wed, 25 Jul 2018 08:27:25 -0400
-
tomcat7 (7.0.52-1ubuntu0.14) trusty-security; urgency=medium
* SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
- debian/patches/CVE-2017-1261x.patch: add checks to
java/org/apache/catalina/servlets/DefaultServlet.java
java/org/apache/naming/resources/FileDirContext.java,
java/org/apache/naming/resources/JrePlatform.java,
java/org/apache/naming/resources/LocalStrings.properties,
java/org/apache/naming/resources/VirtualDirContext.java,
test/org/apache/naming/resources/TestFileDirContext.java.
- CVE-2017-12616
- CVE-2017-12617
* SECURITY UPDATE: security constraints mapped to context root are ignored
- debian/patches/CVE-2018-1304.patch: add check to
java/org/apache/catalina/realm/RealmBase.java.
- CVE-2018-1304
* SECURITY UPDATE: security constraint annotations applied too late
- debian/patches/CVE-2018-1305.patch: change ordering in
java/org/apache/catalina/Wrapper.java,
java/org/apache/catalina/authenticator/AuthenticatorBase.java,
java/org/apache/catalina/core/ApplicationContext.java,
java/org/apache/catalina/core/ApplicationServletRegistration.java,
java/org/apache/catalina/core/StandardContext.java,
java/org/apache/catalina/core/StandardWrapper.java,
java/org/apache/catalina/startup/ContextConfig.java,
java/org/apache/catalina/startup/Tomcat.java,
java/org/apache/catalina/startup/WebAnnotationSet.java.
- CVE-2018-1305
* SECURITY UPDATE: CORS filter has insecure defaults
- debian/patches/CVE-2018-8014.patch: change defaults in
java/org/apache/catalina/filters/CorsFilter.java,
java/org/apache/catalina/filters/LocalStrings.properties,
test/org/apache/catalina/filters/TestCorsFilter.java,
test/org/apache/catalina/filters/TesterFilterConfigs.java.
- CVE-2018-8014
-- Marc Deslauriers <email address hidden> Tue, 29 May 2018 10:22:42 -0400
-
tomcat7 (7.0.52-1ubuntu0.13) trusty-security; urgency=medium
* SECURITY UPDATE: loss of pipeline requests
- debian/patches/CVE-2017-5647.patch: improve sendfile handling when
requests are pipelined in
java/org/apache/coyote/AbstractProtocol.java,
java/org/apache/coyote/http11/Http11AprProcessor.java,
java/org/apache/coyote/http11/Http11NioProcessor.java,
java/org/apache/tomcat/util/net/AprEndpoint.java,
java/org/apache/tomcat/util/net/NioEndpoint.java,
java/org/apache/tomcat/util/net/SendfileKeepAliveState.java,
java/org/apache/tomcat/util/net/SendfileState.java.
- CVE-2017-5647
* SECURITY UPDATE: incorrect facade object use
- debian/patches/CVE-2017-5648-pre.patch: fix keep-alive with
asynchronous servlet in
java/org/apache/catalina/core/AsyncContextImpl.java,
java/org/apache/coyote/AsyncContextCallback.java,
java/org/apache/coyote/AsyncStateMachine.java,
test/org/apache/catalina/core/TestAsyncContextImpl.java.
- debian/patches/CVE-2017-5648.patch: ensure request and response
facades are used when firing application listeners in
java/org/apache/catalina/authenticator/FormAuthenticator.java,
java/org/apache/catalina/core/StandardHostValve.java.
- CVE-2017-5648
* SECURITY UPDATE: unexpected and undesirable results for static error
pages
- debian/patches/CVE-2017-5664.patch: use a more reliable mechanism in
java/org/apache/catalina/servlets/DefaultServlet.java,
java/org/apache/catalina/servlets/WebdavServlet.java.
- CVE-2017-5664
* SECURITY UPDATE: client and server side cache poisoning in CORS filter
- debian/patches/CVE-2017-7674.patch: set Vary header in response in
java/org/apache/catalina/filters/CorsFilter.java.
- CVE-2017-7674
-- Marc Deslauriers <email address hidden> Wed, 27 Sep 2017 16:28:58 -0400
-
tomcat7 (7.0.52-1ubuntu0.11) trusty; urgency=medium
* Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat7 contains
the '%' character (LP: #1666570).
* Fix javax.servlet.jsp POM to use servlet-api version 3.0 instead of
2.2 (LP: #1664179).
-- Joshua Powers <email address hidden> Wed, 22 Mar 2017 13:42:56 -0600
-
tomcat7 (7.0.52-1ubuntu0.10) trusty-security; urgency=medium
* SECURITY UPDATE: DoS via CPU consumption (LP: #1663318)
- debian/patches/CVE-2017-6056.patch: fix infinite loop in
java/org/apache/coyote/http11/AbstractInputBuffer.java.
- CVE-2017-6056
-- Marc Deslauriers <email address hidden> Fri, 17 Feb 2017 08:51:12 -0500
-
tomcat7 (7.0.52-1ubuntu0.9) trusty-security; urgency=medium
* SECURITY REGRESSION: security manager startup issue (LP: #1659589)
- debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch:
update to new /var/lib/tomcat7/policy location.
- debian/tomcat7.postrm.in: remove policy directory.
-- Marc Deslauriers <email address hidden> Wed, 01 Feb 2017 10:40:22 -0500
-
tomcat7 (7.0.52-1ubuntu0.8) trusty-security; urgency=medium
* SECURITY UPDATE: SecurityManager bypass via a utility method
- debian/patches/CVE-2016-5018.patch: remove unnecessary code in
java/org/apache/jasper/compiler/JspRuntimeContext.java,
java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
java/org/apache/jasper/security/SecurityClassLoad.java.
- CVE-2016-5018
* SECURITY UPDATE: mitigaton for httpoxy issue
- debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization
parameter to conf/web.xml, webapps/docs/cgi-howto.xml,
java/org/apache/catalina/servlets/CGIServlet.java.
- CVE-2016-5388
* SECURITY UPDATE: system properties read SecurityManager bypass
- debian/patches/CVE-2016-6794.patch: extend SecurityManager protection
to the system property replacement feature of the digester in
java/org/apache/catalina/loader/WebappClassLoader.java,
java/org/apache/tomcat/util/digester/Digester.java,
java/org/apache/tomcat/util/security/PermissionCheck.java.
- CVE-2016-6794
* SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
parameters
- debian/patches/CVE-2016-6796.patch: ignore some JSP options when
running under a SecurityManager in conf/web.xml,
java/org/apache/jasper/EmbeddedServletOptions.java,
java/org/apache/jasper/resources/LocalStrings.properties,
java/org/apache/jasper/servlet/JspServlet.java,
webapps/docs/jasper-howto.xml.
- CVE-2016-6796
* SECURITY UPDATE: web application global JNDI resource access
- debian/patches/CVE-2016-6797.patch: ensure that the global resource
is only visible via the ResourceLinkFactory when it is meant to be in
java/org/apache/catalina/core/NamingContextListener.java,
java/org/apache/naming/factory/ResourceLinkFactory.java,
test/org/apache/naming/TestNamingContext.java.
- CVE-2016-6797
* SECURITY UPDATE: HTTP response injection via invalid characters
- debian/patches/CVE-2016-6816.patch: add additional checks for valid
characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
java/org/apache/coyote/http11/InternalAprInputBuffer.java,
java/org/apache/coyote/http11/InternalInputBuffer.java,
java/org/apache/coyote/http11/LocalStrings.properties,
java/org/apache/tomcat/util/http/parser/HttpParser.java.
- CVE-2016-6816
* SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
- debian/patches/CVE-2016-8735-pre.patch: remove the restriction that
prevented the use of SSL when specifying a bind address in
java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java,
java/org/apache/catalina/mbeans/LocalStrings.properties,
webapps/docs/config/listeners.xml.
- debian/patches/CVE-2016-8735.patch: explicitly configure allowed
credential types in
java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
- CVE-2016-8735
* SECURITY UPDATE: information leakage between requests
- debian/patches/CVE-2016-8745.patch: properly handle cache when unable
to complete sendfile request in
java/org/apache/tomcat/util/net/NioEndpoint.java.
- CVE-2016-8745
* SECURITY UPDATE: privilege escalation during package upgrade
- debian/rules, debian/tomcat7.postinst: properly set permissions on
/etc/tomcat7/Catalina/localhost.
- CVE-2016-9774
* SECURITY UPDATE: privilege escalation during package removal
- debian/tomcat7.postrm.in: don't reset permissions before removing
user.
- CVE-2016-9775
* debian/tomcat7.init: further hardening.
-- Marc Deslauriers <email address hidden> Thu, 19 Jan 2017 12:38:29 -0500
-
tomcat7 (7.0.52-1ubuntu0.7) trusty-security; urgency=medium
* SECURITY UPDATE: privilege escalation via insecure init script
- debian/tomcat7.init: don't follow symlinks when handling the
catalina.out file.
- CVE-2016-1240
* SECURITY REGRESSION: change in behaviour after security update
(LP: #1609819)
- debian/patches/CVE-2015-5345-2.patch: fix using the new
mapperContextRootRedirectEnabled option in
java/org/apache/catalina/connector/MapperListener.java, change
mapperContextRootRedirectEnabled default to true in
java/org/apache/catalina/core/StandardContext.java,
webapps/docs/config/context.xml. This reverts the change in behaviour
following the CVE-2015-5345 security update and was also done
upstream in later releases.
-- Marc Deslauriers <email address hidden> Fri, 16 Sep 2016 09:19:37 -0400
-
tomcat7 (7.0.52-1ubuntu0.6) trusty-security; urgency=medium
* SECURITY UPDATE: directory traversal vulnerability in RequestUtil.java
- debian/patches/CVE-2015-5174.patch: fix normalization edge cases in
java/org/apache/tomcat/util/http/RequestUtil.java,
test/org/apache/tomcat/util/http/TestRequestUtil.java.
- CVE-2015-5174
* SECURITY UPDATE: information disclosure via redirects by mapper
- debian/patches/CVE-2015-5345.patch: fix redirect logic in
java/org/apache/catalina/Context.java,
java/org/apache/catalina/authenticator/FormAuthenticator.java,
java/org/apache/catalina/core/StandardContext.java,
java/org/apache/catalina/core/mbeans-descriptors.xml,
java/org/apache/catalina/servlets/DefaultServlet.java,
java/org/apache/catalina/servlets/WebdavServlet.java,
java/org/apache/catalina/startup/FailedContext.java,
java/org/apache/tomcat/util/http/mapper/Mapper.java,
test/org/apache/catalina/startup/TomcatBaseTest.java,
webapps/docs/config/context.xml,
test/org/apache/catalina/core/TesterContext.java.
- CVE-2015-5345
* SECURITY UPDATE: session fixation vulnerability
- debian/patches/CVE-2015-5346.patch: handle different session settings
in java/org/apache/catalina/connector/CoyoteAdapter.java,
java/org/apache/catalina/connector/Request.java.
- CVE-2015-5346
* SECURITY UPDATE: CSRF protection mechanism bypass
- debian/patches/CVE-2015-5351.patch: don't create sessions
unnecessarily in webapps/host-manager/WEB-INF/jsp/401.jsp,
webapps/host-manager/WEB-INF/jsp/403.jsp,
webapps/host-manager/WEB-INF/jsp/404.jsp,
webapps/host-manager/index.jsp,
webapps/manager/WEB-INF/web.xml,
webapps/manager/index.jsp.
- CVE-2015-5351
* SECURITY UPDATE: securityManager restrictions bypass via
StatusManagerServlet
- debian/patches/CVE-2016-0706.patch: place servlet in restricted list
in java/org/apache/catalina/core/RestrictedServlets.properties.
- CVE-2016-0706
* SECURITY UPDATE: securityManager restrictions bypass via
session-persistence implementation
- debian/patches/CVE-2016-0714.patch: extend the session attribute
filtering options in
java/org/apache/catalina/ha/session/ClusterManagerBase.java
java/org/apache/catalina/ha/session/mbeans-descriptors.xml,
java/org/apache/catalina/session/LocalStrings.properties,
java/org/apache/catalina/session/ManagerBase.java,
java/org/apache/catalina/session/StandardManager.java,
java/org/apache/catalina/session/mbeans-descriptors.xml,
java/org/apache/catalina/util/CustomObjectInputStream.java,
java/org/apache/catalina/util/LocalStrings.properties,
webapps/docs/config/cluster-manager.xml,
webapps/docs/config/manager.xml.
- CVE-2016-0714
* SECURITY UPDATE: securityManager restrictions bypass via crafted global
context
- debian/patches/CVE-2016-0763.patch: protect initialization in
java/org/apache/naming/factory/ResourceLinkFactory.java.
- CVE-2016-0763
* SECURITY UPDATE: denial of service in FileUpload
- debian/patches/CVE-2016-3092.patch: properly handle size in
java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
- CVE-2016-3092
* debian/patches/fix_cookie_names_in_tests.patch: fix FTBFS by removing
colons in cookie names which is illegal in newer java versions in
test/org/apache/catalina/authenticator/*.java.
-- Marc Deslauriers <email address hidden> Wed, 29 Jun 2016 12:50:02 -0400
-
tomcat7 (7.0.52-1ubuntu0.3) trusty-security; urgency=medium
* SECURITY UPDATE: arbitrary file disclosure via XML parser
(LP: #1449975)
- debian/patches/CVE-2014-0119.patch: add defensive coding and ensure
TLD parser obtained from cache has correct value of blockExternal in
java/org/apache/catalina/security/SecurityClassLoad.java,
java/org/apache/catalina/servlets/DefaultServlet.java,
java/org/apache/catalina/startup/TldConfig.java,
java/org/apache/jasper/compiler/JspDocumentParser.java,
java/org/apache/jasper/xmlparser/ParserUtils.java,
java/org/apache/tomcat/util/security/PrivilegedGetTccl.java,
java/org/apache/tomcat/util/security/PrivilegedSetTccl.java.
- CVE-2014-0119
* SECURITY UPDATE: HTTP request smuggling or denial of service via
streaming with malformed chunked transfer encoding (LP: #1449975)
- debian/patches/CVE-2014-0227.patch: add error flag and improve i18n
in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
java/org/apache/coyote/http11/filters/LocalStrings.properties.
- CVE-2014-0227
* SECURITY UPDATE: denial of service via aborted upload attempts
(LP: #1449975)
- debian/patches/CVE-2014-0230.patch: limit amount of data in
java/org/apache/coyote/http11/AbstractHttp11Processor.java,
java/org/apache/coyote/http11/AbstractHttp11Protocol.java,
java/org/apache/coyote/http11/Http11AprProcessor.java,
java/org/apache/coyote/http11/Http11AprProtocol.java,
java/org/apache/coyote/http11/Http11NioProcessor.java,
java/org/apache/coyote/http11/Http11NioProtocol.java,
java/org/apache/coyote/http11/Http11Processor.java,
java/org/apache/coyote/http11/Http11Protocol.java,
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
java/org/apache/coyote/http11/filters/IdentityInputFilter.java,
java/org/apache/coyote/http11/filters/LocalStrings.properties,
test/org/apache/catalina/core/TestSwallowAbortedUploads.java,
webapps/docs/config/http.xml.
- CVE-2014-0230
* SECURITY UPDATE: SecurityManager bypass via Expression Language
- debian/patches/CVE-2014-7810.patch: handle classes that may not be
accessible but have accessible interfaces in
java/javax/el/BeanELResolver.java, remove unnecessary code in
java/org/apache/jasper/runtime/PageContextImpl.java,
java/org/apache/jasper/security/SecurityClassLoad.java.
- CVE-2014-7810
* Replace expired ssl certs and use TLS to fix tests causing FTBFS:
- debian/patches/0022-use-tls-in-ssl-unit-tests.patch
- debian/patches/0023-replace-expired-ssl-certificates.patch
- debian/source/include-binaries
-- Marc Deslauriers <email address hidden> Fri, 19 Jun 2015 12:30:21 -0400
-
tomcat7 (7.0.52-1ubuntu0.1) trusty-security; urgency=medium
* SECURITY UPDATE: denial of service via malformed chunk size
- debian/patches/CVE-2014-0075.patch: fix overflow and added tests to
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java.
- CVE-2014-0075
* SECURITY UPDATE: file disclosure via XXE issue
- debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a
relative path in conf/web.xml,
java/org/apache/catalina/servlets/DefaultServlet.java,
java/org/apache/catalina/servlets/LocalStrings.properties,
webapps/docs/default-servlet.xml.
- CVE-2014-0096
* SECURITY UPDATE: HTTP request smuggling attack via crafted
Content-Length HTTP header
- debian/patches/CVE-2014-0099.patch: correctly handle long values in
java/org/apache/tomcat/util/buf/Ascii.java, added test to
test/org/apache/tomcat/util/buf/TestAscii.java.
- CVE-2014-0099
-- Marc Deslauriers <email address hidden> Thu, 24 Jul 2014 13:24:54 -0400
-
tomcat7 (7.0.52-1) unstable; urgency=low
* Team upload.
* New upstream release.
- Addresses security issue: CVE-2014-0050
-- Gianfranco Costamagna <email address hidden> Wed, 19 Feb 2014 14:09:48 +0100
-
tomcat7 (7.0.50-1) unstable; urgency=medium
* New upstream release.
-- James Page <email address hidden> Tue, 14 Jan 2014 18:09:28 +0000
-
tomcat7 (7.0.47-1) unstable; urgency=low
[ Gianfranco Costamagna ]
* Team upload.
* New upstream release, patch refresh.
* Renamed patch fix-manager-webapp.path
to fix-manager-webapp.patch (extension typo).
* Refresh patches for upstream release.
* Removed -Djava.net.preferIPv4Stack=true
from init script (lp: #1088681),
thanks Hendrik Haddorp.
* Added webapp manager path patch (lp: #1128067)
thanks TJ.
[ tony mancill ]
* Bump Standards-Version to 3.9.5.
* Change copyright year in javadocs to 2013.
* Add patch to include the distribution name in error pages.
(Closes: #729840)
-- tony mancill <email address hidden> Tue, 24 Dec 2013 16:46:34 +0000
-
tomcat7 (7.0.42-1) unstable; urgency=low
[ Gianfranco Costamagna ]
* Team upload.
* New upstream release.
* Added libhamcrest-java >= 1.3 as build-dep,
tweaked debian/rules.
* Bumped compat level to 9.
* Removed some version checks, newer releases already in oldstable.
* Refresh patches.
* debian/control: changed Vcs-Git and Vcs-Browser fields,
now they are canonical.
* Fixed error message in Tomcat init script,
patch by Thijs Kinkhorst (Closes: #714348)
-- Gianfranco Costamagna <email address hidden> Tue, 16 Jul 2013 17:34:58 +0200
