Change logs for tomcat8 source package in Xenial

  • tomcat8 (8.0.32-1ubuntu1.9) xenial; urgency=medium
    
      * d/p/fix-class-resource-name-filtering.patch: Fix class and resource name
        filtering in WebappClassLoader (LP: #1606331).
    
     -- Karl Stenerud <email address hidden>  Mon, 10 Dec 2018 15:08:07 +0100
  • tomcat8 (8.0.32-1ubuntu1.8) xenial-security; urgency=medium
    
      * SECURITY UPDATE: arbitrary redirect issue
        - debian/patches/CVE-2018-11784.patch: avoid protocol relative
          redirects in java/org/apache/catalina/servlets/DefaultServlet.java.
        - CVE-2018-11784
    
     -- Marc Deslauriers <email address hidden>  Tue, 09 Oct 2018 11:28:36 -0400
  • tomcat8 (8.0.32-1ubuntu1.7) xenial-security; urgency=medium
    
      * SECURITY UPDATE: DoS via issue in UTF-8 decoder
        - debian/patches/CVE-2018-1336.patch: fix logic in
          java/org/apache/tomcat/util/buf/Utf8Decoder.java.
        - CVE-2018-1336
      * SECURITY UPDATE: missing hostname verification in WebSocket client
        - debian/patches/CVE-2018-8034.patch: enable hostname verification by
          default in webapps/docs/web-socket-howto.xml,
          java/org/apache/tomcat/websocket/WsWebSocketContainer.java.
        - CVE-2018-8034
    
     -- Marc Deslauriers <email address hidden>  Wed, 25 Jul 2018 08:17:36 -0400
  • tomcat8 (8.0.32-1ubuntu1.6) xenial-security; urgency=medium
    
      * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749)
        - debian/patches/CVE-2017-12617.patch: add checks to
          java/org/apache/catalina/servlets/DefaultServlet.java,
          java/org/apache/catalina/webresources/AbstractFileResourceSet.java,
          java/org/apache/catalina/webresources/DirResourceSet.java,
          java/org/apache/tomcat/util/compat/JrePlatform.java,
          test/org/apache/catalina/webresources/AbstractTestResourceSet.java,
          test/org/apache/catalina/webresources/TestAbstractFileResourceSetPerformance.java.
        - CVE-2017-12617
      * SECURITY UPDATE: security constraints mapped to context root are ignored
        - debian/patches/CVE-2018-1304.patch: add check to
          java/org/apache/catalina/realm/RealmBase.java.
        - CVE-2018-1304
      * SECURITY UPDATE: security constraint annotations applied too late
        - debian/patches/CVE-2018-1305.patch: change ordering in
          java/org/apache/catalina/Wrapper.java,
          java/org/apache/catalina/authenticator/AuthenticatorBase.java,
          java/org/apache/catalina/core/ApplicationContext.java,
          java/org/apache/catalina/core/ApplicationServletRegistration.java,
          java/org/apache/catalina/core/StandardContext.java,
          java/org/apache/catalina/core/StandardWrapper.java,
          java/org/apache/catalina/startup/ContextConfig.java,
          java/org/apache/catalina/startup/Tomcat.java,
          java/org/apache/catalina/startup/WebAnnotationSet.java.
        - CVE-2018-1305
      * SECURITY UPDATE: CORS filter has insecure defaults
        - debian/patches/CVE-2018-8014.patch: change defaults in
          java/org/apache/catalina/filters/CorsFilter.java,
          java/org/apache/catalina/filters/LocalStrings.properties,
          test/org/apache/catalina/filters/TestCorsFilter.java,
          test/org/apache/catalina/filters/TesterFilterConfigs.java.
        - CVE-2018-8014
    
     -- Marc Deslauriers <email address hidden>  Mon, 28 May 2018 13:21:29 -0400
  • tomcat8 (8.0.32-1ubuntu1.5) xenial-security; urgency=medium
    
      * SECURITY UPDATE: loss of pipeline requests
        - debian/patches/CVE-2017-5647.patch: improve sendfile handling when
          requests are pipelined in
          java/org/apache/coyote/AbstractProtocol.java,
          java/org/apache/coyote/http11/Http11AprProcessor.java,
          java/org/apache/coyote/http11/Http11Nio2Processor.java,
          java/org/apache/coyote/http11/Http11NioProcessor.java,
          java/org/apache/tomcat/util/net/AprEndpoint.java,
          java/org/apache/tomcat/util/net/Nio2Endpoint.java,
          java/org/apache/tomcat/util/net/NioEndpoint.java,
          java/org/apache/tomcat/util/net/SendfileKeepAliveState.java.
        - CVE-2017-5647
      * SECURITY UPDATE: incorrect facade object use
        - debian/patches/CVE-2017-5648.patch: ensure request and response
          facades are used when firing application listeners in
          java/org/apache/catalina/authenticator/FormAuthenticator.java,
          java/org/apache/catalina/core/StandardHostValve.java.
        - CVE-2017-5648
      * SECURITY UPDATE: unexpected and undesirable results for static error
        pages
        - debian/patches/CVE-2017-5664.patch: use a more reliable mechanism in
          java/org/apache/catalina/servlets/DefaultServlet.java,
          java/org/apache/catalina/servlets/WebdavServlet.java.
        - CVE-2017-5664
      * SECURITY UPDATE: client and server side cache poisoning in CORS filter
        - debian/patches/CVE-2017-7674.patch: set Vary header in response in
          java/org/apache/catalina/filters/CorsFilter.java.
        - CVE-2017-7674
    
     -- Marc Deslauriers <email address hidden>  Wed, 27 Sep 2017 17:23:18 -0400
  • tomcat8 (8.0.32-1ubuntu1.4) xenial; urgency=medium
    
      * Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat8
        contains the '%' character (LP: #1666570).
    
     -- Joshua Powers <email address hidden>  Thu, 09 Mar 2017 14:38:04 -0700
  • tomcat8 (8.0.32-1ubuntu1.3) xenial-security; urgency=medium
    
      * SECURITY UPDATE: timing attack in realm implementations
        - debian/patches/CVE-2016-0762.patch: add time delays to
          java/org/apache/catalina/realm/DataSourceRealm.java,
          java/org/apache/catalina/realm/JDBCRealm.java,
          java/org/apache/catalina/realm/MemoryRealm.java,
          java/org/apache/catalina/realm/RealmBase.java.
        - CVE-2016-0762
      * SECURITY UPDATE: SecurityManager bypass via a Tomcat utility method
        - debian/patches/CVE-2016-5018.patch: remove unnecessary code in
          java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
          java/org/apache/jasper/security/SecurityClassLoad.java,
          java/org/apache/jasper/servlet/JasperInitializer.java.
        - CVE-2016-5018
      * SECURITY UPDATE: mitigaton for httpoxy issue
        - debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization
          parameter to conf/web.xml, webapps/docs/cgi-howto.xml,
          java/org/apache/catalina/servlets/CGIServlet.java.
        - CVE-2016-5388
      * SECURITY UPDATE: system properties read SecurityManager bypass
        - debian/patches/CVE-2016-6794.patch: extend SecurityManager protection
          to the system property replacement feature of the digester in
          java/org/apache/catalina/loader/WebappClassLoaderBase.java,
          java/org/apache/tomcat/util/digester/Digester.java,
          java/org/apache/tomcat/util/security/PermissionCheck.java.
        - CVE-2016-6794
      * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
        parameters
        - debian/patches/CVE-2016-6796.patch: ignore some JSP options when
          running under a SecurityManager in conf/web.xml,
          java/org/apache/jasper/EmbeddedServletOptions.java,
          java/org/apache/jasper/resources/LocalStrings.properties,
          java/org/apache/jasper/servlet/JspServlet.java,
          webapps/docs/jasper-howto.xml.
        - CVE-2016-6796
      * SECURITY UPDATE: web application global JNDI resource access
        - debian/patches/CVE-2016-6797.patch: ensure that the global resource
          is only visible via the ResourceLinkFactory when it is meant to be in
          java/org/apache/catalina/core/NamingContextListener.java,
          java/org/apache/naming/factory/ResourceLinkFactory.java,
          test/org/apache/naming/TestNamingContext.java.
        - CVE-2016-6797
      * SECURITY UPDATE: HTTP response injection via invalid characters
        - debian/patches/CVE-2016-6816.patch: add additional checks for valid
          characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
          java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
          java/org/apache/coyote/http11/InternalAprInputBuffer.java,
          java/org/apache/coyote/http11/InternalInputBuffer.java,
          java/org/apache/coyote/http11/LocalStrings.properties,
          java/org/apache/tomcat/util/http/parser/HttpParser.java.
        - CVE-2016-6816
      * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
        - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
          credential types in
          java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
        - CVE-2016-8735
      * SECURITY UPDATE: information leakage between requests
        - debian/patches/CVE-2016-8745.patch: properly handle cache when unable
          to complete sendfile request in
          java/org/apache/tomcat/util/net/NioEndpoint.java.
        - CVE-2016-8745
      * SECURITY UPDATE: privilege escalation during package upgrade
        - debian/rules, debian/tomcat8.postinst: properly set permissions on
          /etc/tomcat8/Catalina/localhost.
        - CVE-2016-9774
      * SECURITY UPDATE: privilege escalation during package removal
        - debian/tomcat8.postrm.in: don't reset permissions before removing
          user.
        - CVE-2016-9775
      * debian/tomcat8.init: further hardening.
    
     -- Marc Deslauriers <email address hidden>  Mon, 16 Jan 2017 08:18:27 -0500
  • tomcat8 (8.0.32-1ubuntu1.2) xenial-security; urgency=medium
    
      * SECURITY UPDATE: privilege escalation via insecure init script
        - debian/tomcat8.init: don't follow symlinks when handling the
          catalina.out file.
        - CVE-2016-1240
    
     -- Marc Deslauriers <email address hidden>  Fri, 16 Sep 2016 09:11:41 -0400
  • tomcat8 (8.0.32-1ubuntu1.1) xenial-security; urgency=medium
    
      * SECURITY UPDATE: denial of service in FileUpload
        - debian/patches/CVE-2016-3092.patch: properly handle size in
          java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
        - CVE-2016-3092
    
     -- Marc Deslauriers <email address hidden>  Wed, 06 Jul 2016 07:49:29 -0400
  • tomcat8 (8.0.32-1ubuntu1) xenial; urgency=medium
    
      * Prepare to promote tomcat8 to main (LP: #1539903).
        - debian/control, 0021-ubuntu-mainize-build-xml.patch: Remove
          build-dependencies on libobjenesis-java and libeasymock-java, and skip
          tests that rely on the functionality they provide.
    
     -- Nishanth Aravamudan <email address hidden>  Fri, 05 Feb 2016 09:20:39 +0100
  • tomcat8 (8.0.32-1) unstable; urgency=medium
    
      * Team upload.
      * New upstream release
      * Fixed a warning in catalina.out caused by an incorrect path
        for the root context (Closes: #808378)
      * Standards-Version updated to 3.9.7 (no changes)
    
     -- Emmanuel Bourg <email address hidden>  Mon, 21 Dec 2015 11:20:10 +0100
  • tomcat8 (8.0.30-1) unstable; urgency=medium
    
      * Team upload.
      * New upstream release
        - Refreshed the patches
      * Use LC_ALL instead of LANG to format the date and make the documentation
        reproducible on the builders
    
     -- Emmanuel Bourg <email address hidden>  Fri, 18 Dec 2015 11:44:06 +0100
  • tomcat8 (8.0.28-1) unstable; urgency=medium
    
      * Team upload.
      * New upstream release
        - Refreshed the patches
      * Fixed a localized date in the documentation to improve the reproducibility
    
     -- Emmanuel Bourg <email address hidden>  Mon, 19 Oct 2015 11:12:07 +0200
  • tomcat8 (8.0.26-1) unstable; urgency=medium
    
      * Team upload.
      * New upstream release
        - Refreshed the patches
      * Changed the authbind configuration to allow IPv6 connections (LP: #1443041)
      * Fixed an upgrade error when /etc/tomcat8/tomcat-users.xml is removed
        (LP: #1010791)
      * Fixed a minor HTML error in the default index.html file (LP: #1236132)
    
     -- Emmanuel Bourg <email address hidden>  Mon, 24 Aug 2015 00:30:40 +0200