Change log for tomcat8 package in Ubuntu
| 1 → 50 of 69 results | First • Previous • Next • Last |
tomcat8 (8.0.32-1ubuntu1.13) xenial-security; urgency=medium
* SECURITY UPDATE: infinite loop via invalid payload length
- debian/patches/CVE-2020-13935.patch: add additional payload length
validation in java/org/apache/tomcat/websocket/WsFrameBase.java,
java/org/apache/tomcat/websocket/LocalStrings.properties.
- CVE-2020-13935
* SECURITY UPDATE: HTTP Request Smuggling via invalid request smuggling
- debian/patches/CVE-2020-1935.patch: use stricter header value
parsing in java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
java/org/apache/coyote/http11/InternalAprInputBuffer.java,
java/org/apache/coyote/http11/InternalInputBuffer.java,
java/org/apache/tomcat/util/http/MimeHeaders.java,
java/org/apache/tomcat/util/http/parser/HttpParser.java,
test/org/apache/coyote/http11/TestInternalInputBuffer.java.
- CVE-2020-1935
* SECURITY UPDATE: remote code execution via deserialization of a file
under the attacker's control
- debian/patches/CVE-2020-9484.patch: improve validation of storage
location when using FileStore in
java/org/apache/catalina/session/FileStore.java,
java/org/apache/catalina/session/LocalStrings.properties.
- CVE-2020-9484
-- Marc Deslauriers <email address hidden> Mon, 03 Aug 2020 06:53:09 -0400
Available diffs
tomcat8 (8.0.32-1ubuntu1.11) xenial-security; urgency=medium
* SECURITY UPDATE: JMX interface authentication bypass
- debian/patches/CVE-2019-12418.patch: refactor JMX remote RMI registry
creation in JmxRemoteLifecycleListener.java.
- CVE-2019-12418
* SECURITY UPDATE: session fixation attack in FORM authentication
- debian/patches/CVE-2019-17563.patch: refactor so Principal is never
cached in session with cache==false in
java/org/apache/catalina/authenticator/AuthenticatorBase.java,
java/org/apache/catalina/authenticator/Constants.java,
java/org/apache/catalina/authenticator/FormAuthenticator.java.
- CVE-2019-17563
-- Marc Deslauriers <email address hidden> Fri, 24 Jan 2020 11:24:30 -0500
Available diffs
tomcat8 (8.5.39-1ubuntu1~18.04.3) bionic-security; urgency=medium
* SECURITY UPDATE: XSS attack on SSI printenv command
- debian/patches/CVE-2019-0221.patch: escape debug output to aid
readability
- CVE-2019-0221
* SECURITY UPDATE: DoS via thread exhaustion
- debian/patches/CVE-2019-10072-1.patch: expand HTTP/2 timeout
handling to connection window exhaustion on write.
- debian/patches/CVE-2019-10072-2.patch: Fix test failures. Handle
full allocation case.
- CVE-2019-10072
-- Emilia Torino <email address hidden> Mon, 09 Sep 2019 16:47:51 -0300
Available diffs
- diff from 8.5.39-1ubuntu1~18.04.2 (in ~openjdk-11-transition/ubuntu/fixes) to 8.5.39-1ubuntu1~18.04.3 (2.9 KiB)
- diff from 8.5.39-1ubuntu1~18.04.1 (in ~openjdk-11-transition/ubuntu/test-deletedppa) to 8.5.39-1ubuntu1~18.04.3 (3.2 KiB)
- diff from 8.5.30-1ubuntu1 (in Ubuntu) to 8.5.39-1ubuntu1~18.04.3 (554.4 KiB)
tomcat8 (8.0.32-1ubuntu1.10) xenial-security; urgency=medium
* SECURITY UPDATE: XSS attack on SSI printenv command
- debian/patches/CVE-2019-0221.patch: escape debug output to aid
readability
- CVE-2019-0221
-- Emilia Torino <email address hidden> Mon, 09 Sep 2019 09:49:23 -0300
tomcat8 (8.5.39-1ubuntu1~18.04.2) bionic; urgency=medium
* debian/tomcat8-instance-create: update regex to account for the fact that
the shutdown port is set to 8005 as default. LP: #1827090.
-- Tiago Stürmer Daitx <email address hidden> Thu, 09 May 2019 13:50:49 +0000
| Obsolete in cosmic-updates |
| Obsolete in cosmic-security |
| Deleted in cosmic-proposed (Reason: moved to -updates) |
| Superseded in bionic-updates |
| Superseded in bionic-security |
| Deleted in bionic-proposed (Reason: moved to -updates) |
tomcat8 (8.5.39-1ubuntu1~18.04.1) bionic; urgency=medium [ Matthias Klose ] * Backport for OpenJDK 11. LP: #1817567. /usr/share/doc/tomcat8/NEWS.gz. LP: #1819721. [ Tiago Stürmer Daitx ] * debian/tomcat8.service: removed, use the init.d script instead. LP: #1819721. * debian/tomcat8.init, debian/logging.properties: revert back to the conffiles from the previous version; this allows unattended-upgrades to update tomcat8 even when local changes are present. * debian/series: no longer apply 0023-disable-shutdown-by-socket.patch so server.xml conffile is unmodified from previous version.
Available diffs
- diff from 8.5.30-1ubuntu1.4 (in ~ubuntu-security-proposed/ubuntu/ppa) to 8.5.39-1ubuntu1~18.04.1 (589.0 KiB)
- diff from 8.5.39-1ubuntu1~18.04 (in ~openjdk-11-transition/ubuntu/tomcat3-deletedppa) to 8.5.39-1ubuntu1~18.04.1 (2.2 KiB)
- diff from 8.5.30-1ubuntu1 (in Ubuntu) to 8.5.39-1ubuntu1~18.04.1 (552.1 KiB)
| Deleted in disco-release (Reason: (From Debian) ROM; Replaced by tomcat9; Debian bug #925454) |
| Deleted in disco-proposed (Reason: moved to release) |
tomcat8 (8.5.39-1ubuntu1) disco; urgency=medium
* Merge with Debian; remaining changes:
- d/control: Break/replace tomcat8.0 binaries.
Available diffs
- diff from 8.5.38-2ubuntu1 to 8.5.39-1ubuntu1 (100.5 KiB)
| Superseded in bionic-proposed |
tomcat8 (8.5.38-2ubuntu1~18.04) bionic; urgency=medium * Backport for OpenJDK 11. LP: #1817567.
tomcat8 (8.5.38-2ubuntu1) disco; urgency=medium
* Merge with Debian; remaining changes:
- d/control: Break/replace tomcat8.0 binaries.
Available diffs
tomcat8 (8.5.38-1ubuntu1) disco; urgency=medium * Merge with Debian unstable (LP: #1815601). Remaining changes: - d/control: Break/replace tomcat8.0 binaries. (LP: 1717998) Dropped Changes: - support-jre8.diff.
Available diffs
- diff from 8.5.34-1ubuntu1 to 8.5.38-1ubuntu1 (165.8 KiB)
tomcat8 (8.0.32-1ubuntu1.9) xenial; urgency=medium
* d/p/fix-class-resource-name-filtering.patch: Fix class and resource name
filtering in WebappClassLoader (LP: #1606331).
-- Karl Stenerud <email address hidden> Mon, 10 Dec 2018 15:08:07 +0100
Available diffs
tomcat8 (8.0.32-1ubuntu1.8) xenial-security; urgency=medium
* SECURITY UPDATE: arbitrary redirect issue
- debian/patches/CVE-2018-11784.patch: avoid protocol relative
redirects in java/org/apache/catalina/servlets/DefaultServlet.java.
- CVE-2018-11784
-- Marc Deslauriers <email address hidden> Tue, 09 Oct 2018 11:28:36 -0400
Available diffs
- diff from 8.0.32-1ubuntu1.7 to 8.0.32-1ubuntu1.8 (860 bytes)
| Superseded in disco-release |
| Obsolete in cosmic-release |
| Deleted in cosmic-proposed (Reason: moved to release) |
tomcat8 (8.5.34-1ubuntu1) cosmic; urgency=medium
* Merge from Debian unstable. Remaining changes:
- control: Break/replace tomcat8.0 binaries. (LP: #1717998)
- support-jre8.diff.
Available diffs
- diff from 8.5.32-1ubuntu2 to 8.5.34-1ubuntu1 (200.8 KiB)
tomcat8 (8.5.30-1ubuntu1.4) bionic-security; urgency=medium * SECURITY UPDATE: - CVE-2018-1336: A bug in the UTF-8 decoder can lead to DoS - CVE-2018-8034: host name verification missing in WebSocket client - CVE-2018-8037: Information Disclosure -- Thomas Opfer <email address hidden> Mon, 13 Aug 2018 22:23:56 +0200
Available diffs
tomcat8 (8.0.32-1ubuntu1.7) xenial-security; urgency=medium
* SECURITY UPDATE: DoS via issue in UTF-8 decoder
- debian/patches/CVE-2018-1336.patch: fix logic in
java/org/apache/tomcat/util/buf/Utf8Decoder.java.
- CVE-2018-1336
* SECURITY UPDATE: missing hostname verification in WebSocket client
- debian/patches/CVE-2018-8034.patch: enable hostname verification by
default in webapps/docs/web-socket-howto.xml,
java/org/apache/tomcat/websocket/WsWebSocketContainer.java.
- CVE-2018-8034
-- Marc Deslauriers <email address hidden> Wed, 25 Jul 2018 08:17:36 -0400
Available diffs
tomcat8 (8.5.30-1ubuntu1.3) bionic; urgency=medium * Search for Java 10 and 11 runtimes (LP: #1780345) -- Stefano Rivera <email address hidden> Mon, 16 Jul 2018 20:41:29 -0700
Available diffs
tomcat8 (8.5.32-1ubuntu2) cosmic; urgency=medium * Re-introduce and refresh support-jre8.diff - it is still needed. -- Stefano Rivera <email address hidden> Mon, 16 Jul 2018 14:58:48 -0700
Available diffs
- diff from 8.5.30-1ubuntu3 to 8.5.32-1ubuntu2 (251.6 KiB)
- diff from 8.5.32-1ubuntu1 to 8.5.32-1ubuntu2 (31.4 KiB)
| Superseded in cosmic-proposed |
tomcat8 (8.5.32-1ubuntu1) cosmic; urgency=low
* Merge from Debian unstable. Remaining changes:
- control: Break/replace tomcat8.0 binaries. (LP: #1717998)
* Dropped changes:
- CVE-2018-8014.patch - superseded upstream.
- support-jre8.diff - superseded in Debian, by using ant/1.10.3-2.
Available diffs
- diff from 8.5.30-1ubuntu3 to 8.5.32-1ubuntu1 (260.0 KiB)
tomcat8 (8.5.30-1ubuntu3) cosmic; urgency=medium
* SECURITY UPDATE: CORS filter has insecure defaults
- debian/patches/CVE-2018-8014.patch: change defaults in
java/org/apache/catalina/filters/CorsFilter.java,
java/org/apache/catalina/filters/LocalStrings.properties,
test/org/apache/catalina/filters/TestCorsFilter.java,
test/org/apache/catalina/filters/TesterFilterConfigs.java.
- CVE-2018-8014
-- Marc Deslauriers <email address hidden> Thu, 31 May 2018 07:14:54 -0400
Available diffs
tomcat8 (8.5.30-1ubuntu1.2) bionic-security; urgency=medium
* SECURITY UPDATE: CORS filter has insecure defaults
- debian/patches/CVE-2018-8014.patch: change defaults in
java/org/apache/catalina/filters/CorsFilter.java,
java/org/apache/catalina/filters/LocalStrings.properties,
test/org/apache/catalina/filters/TestCorsFilter.java,
test/org/apache/catalina/filters/TesterFilterConfigs.java.
- CVE-2018-8014
-- Marc Deslauriers <email address hidden> Wed, 30 May 2018 09:37:13 -0400
Available diffs
tomcat8 (8.5.21-1ubuntu1.1) artful-security; urgency=medium * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749) - debian/patches/CVE-2017-12617.patch: add checks to java/org/apache/catalina/servlets/DefaultServlet.java, java/org/apache/catalina/webresources/AbstractFileResourceSet.java, java/org/apache/catalina/webresources/DirResourceSet.java, java/org/apache/tomcat/util/compat/JrePlatform.java, test/org/apache/catalina/webresources/AbstractTestResourceSet.java, test/org/apache/catalina/webresources/TestAbstractFileResourceSetPerformance.java. - CVE-2017-12617 * SECURITY UPDATE: incorrectly documented CGI search algorithm - debian/patches/CVE-2017-15706.patch: adjust documentation in webapps/docs/cgi-howto.xml. - CVE-2017-15706 * SECURITY UPDATE: security constraints mapped to context root are ignored - debian/patches/CVE-2018-1304.patch: add check to java/org/apache/catalina/realm/RealmBase.java. - CVE-2018-1304 * SECURITY UPDATE: security constraint annotations applied too late - debian/patches/CVE-2018-1305.patch: change ordering in java/org/apache/catalina/Wrapper.java, java/org/apache/catalina/authenticator/AuthenticatorBase.java, java/org/apache/catalina/core/ApplicationContext.java, java/org/apache/catalina/core/ApplicationServletRegistration.java, java/org/apache/catalina/core/StandardContext.java, java/org/apache/catalina/core/StandardWrapper.java, java/org/apache/catalina/startup/ContextConfig.java, java/org/apache/catalina/startup/Tomcat.java, java/org/apache/catalina/startup/WebAnnotationSet.java. - CVE-2018-1305 * SECURITY UPDATE: CORS filter has insecure defaults - debian/patches/CVE-2018-8014.patch: change defaults in java/org/apache/catalina/filters/CorsFilter.java, java/org/apache/catalina/filters/LocalStrings.properties, test/org/apache/catalina/filters/TestCorsFilter.java, test/org/apache/catalina/filters/TesterFilterConfigs.java. - CVE-2018-8014 -- Marc Deslauriers <email address hidden> Mon, 28 May 2018 09:03:55 -0400
Available diffs
tomcat8 (8.0.32-1ubuntu1.6) xenial-security; urgency=medium * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749) - debian/patches/CVE-2017-12617.patch: add checks to java/org/apache/catalina/servlets/DefaultServlet.java, java/org/apache/catalina/webresources/AbstractFileResourceSet.java, java/org/apache/catalina/webresources/DirResourceSet.java, java/org/apache/tomcat/util/compat/JrePlatform.java, test/org/apache/catalina/webresources/AbstractTestResourceSet.java, test/org/apache/catalina/webresources/TestAbstractFileResourceSetPerformance.java. - CVE-2017-12617 * SECURITY UPDATE: security constraints mapped to context root are ignored - debian/patches/CVE-2018-1304.patch: add check to java/org/apache/catalina/realm/RealmBase.java. - CVE-2018-1304 * SECURITY UPDATE: security constraint annotations applied too late - debian/patches/CVE-2018-1305.patch: change ordering in java/org/apache/catalina/Wrapper.java, java/org/apache/catalina/authenticator/AuthenticatorBase.java, java/org/apache/catalina/core/ApplicationContext.java, java/org/apache/catalina/core/ApplicationServletRegistration.java, java/org/apache/catalina/core/StandardContext.java, java/org/apache/catalina/core/StandardWrapper.java, java/org/apache/catalina/startup/ContextConfig.java, java/org/apache/catalina/startup/Tomcat.java, java/org/apache/catalina/startup/WebAnnotationSet.java. - CVE-2018-1305 * SECURITY UPDATE: CORS filter has insecure defaults - debian/patches/CVE-2018-8014.patch: change defaults in java/org/apache/catalina/filters/CorsFilter.java, java/org/apache/catalina/filters/LocalStrings.properties, test/org/apache/catalina/filters/TestCorsFilter.java, test/org/apache/catalina/filters/TesterFilterConfigs.java. - CVE-2018-8014 -- Marc Deslauriers <email address hidden> Mon, 28 May 2018 13:21:29 -0400
Available diffs
| Deleted in bionic-proposed (Reason: moved to -updates) |
tomcat8 (8.5.30-1ubuntu1.1) bionic; urgency=medium * support-jre8.diff: Fix running tomcat with JRE8. (LP: #1765616) -- Timo Aaltonen <email address hidden> Tue, 24 Apr 2018 23:47:45 +0300
Available diffs
tomcat8 (8.5.30-1ubuntu2) cosmic; urgency=medium * support-jre8.diff: Fix running tomcat with JRE8. (LP: #1765616) -- Timo Aaltonen <email address hidden> Tue, 24 Apr 2018 23:47:45 +0300
Available diffs
- diff from 8.5.30-1ubuntu1 to 8.5.30-1ubuntu2 (31.9 KiB)
| Superseded in cosmic-release |
| Published in bionic-release |
| Deleted in bionic-proposed (Reason: moved to release) |
tomcat8 (8.5.30-1ubuntu1) bionic; urgency=medium * control: Break/replace tomcat8.0 binaries. (LP: #1717998) -- Timo Aaltonen <email address hidden> Thu, 19 Apr 2018 14:53:19 +0300
Available diffs
tomcat8 (8.5.30-1) unstable; urgency=medium
* Team upload.
* New upstream release
- Refreshed the patches
* Standards-Version updated to 4.1.4
-- Emmanuel Bourg <email address hidden> Thu, 12 Apr 2018 09:49:28 +0200
Available diffs
- diff from 8.5.29-1 to 8.5.30-1 (32.8 KiB)
tomcat8 (8.5.29-1) unstable; urgency=medium
* Team upload.
* New upstream release
- Refreshed the patches
-- Emmanuel Bourg <email address hidden> Mon, 12 Mar 2018 16:43:57 +0100
Available diffs
| Superseded in bionic-release |
| Superseded in bionic-release |
| Obsolete in artful-release |
| Deleted in artful-proposed (Reason: moved to release) |
tomcat8 (8.5.21-1ubuntu1) artful; urgency=medium
* Demote libtcnative-1 from Recommends to Suggests as it is in
universe.
-- Robie Basak <email address hidden> Fri, 13 Oct 2017 12:06:51 +0100
Available diffs
tomcat8 (8.0.38-2ubuntu2.2) zesty-security; urgency=medium
* SECURITY UPDATE: loss of pipeline requests
- debian/patches/CVE-2017-5647.patch: improve sendfile handling when
requests are pipelined in
java/org/apache/coyote/AbstractProtocol.java,
java/org/apache/coyote/http11/Http11AprProcessor.java,
java/org/apache/coyote/http11/Http11Nio2Processor.java,
java/org/apache/coyote/http11/Http11NioProcessor.java,
java/org/apache/tomcat/util/net/AprEndpoint.java,
java/org/apache/tomcat/util/net/Nio2Endpoint.java,
java/org/apache/tomcat/util/net/NioEndpoint.java,
java/org/apache/tomcat/util/net/SendfileKeepAliveState.java.
- CVE-2017-5647
* SECURITY UPDATE: incorrect facade object use
- debian/patches/CVE-2017-5648.patch: ensure request and response
facades are used when firing application listeners in
java/org/apache/catalina/authenticator/FormAuthenticator.java,
java/org/apache/catalina/core/StandardHostValve.java.
- CVE-2017-5648
* SECURITY UPDATE: unexpected and undesirable results for static error
pages
- debian/patches/CVE-2017-5664.patch: use a more reliable mechanism in
java/org/apache/catalina/servlets/DefaultServlet.java,
java/org/apache/catalina/servlets/WebdavServlet.java.
- CVE-2017-5664
* SECURITY UPDATE: client and server side cache poisoning in CORS filter
- debian/patches/CVE-2017-7674.patch: set Vary header in response in
java/org/apache/catalina/filters/CorsFilter.java.
- CVE-2017-7674
-- Marc Deslauriers <email address hidden> Wed, 27 Sep 2017 17:20:40 -0400
Available diffs
tomcat8 (8.0.32-1ubuntu1.5) xenial-security; urgency=medium
* SECURITY UPDATE: loss of pipeline requests
- debian/patches/CVE-2017-5647.patch: improve sendfile handling when
requests are pipelined in
java/org/apache/coyote/AbstractProtocol.java,
java/org/apache/coyote/http11/Http11AprProcessor.java,
java/org/apache/coyote/http11/Http11Nio2Processor.java,
java/org/apache/coyote/http11/Http11NioProcessor.java,
java/org/apache/tomcat/util/net/AprEndpoint.java,
java/org/apache/tomcat/util/net/Nio2Endpoint.java,
java/org/apache/tomcat/util/net/NioEndpoint.java,
java/org/apache/tomcat/util/net/SendfileKeepAliveState.java.
- CVE-2017-5647
* SECURITY UPDATE: incorrect facade object use
- debian/patches/CVE-2017-5648.patch: ensure request and response
facades are used when firing application listeners in
java/org/apache/catalina/authenticator/FormAuthenticator.java,
java/org/apache/catalina/core/StandardHostValve.java.
- CVE-2017-5648
* SECURITY UPDATE: unexpected and undesirable results for static error
pages
- debian/patches/CVE-2017-5664.patch: use a more reliable mechanism in
java/org/apache/catalina/servlets/DefaultServlet.java,
java/org/apache/catalina/servlets/WebdavServlet.java.
- CVE-2017-5664
* SECURITY UPDATE: client and server side cache poisoning in CORS filter
- debian/patches/CVE-2017-7674.patch: set Vary header in response in
java/org/apache/catalina/filters/CorsFilter.java.
- CVE-2017-7674
-- Marc Deslauriers <email address hidden> Wed, 27 Sep 2017 17:23:18 -0400
Available diffs
tomcat8 (8.5.21-1) unstable; urgency=medium
* Team upload.
[ Emmanuel Bourg ]
* New upstream release
- Refreshed the patches
- Disabled Checkstyle
* Changed the Class-Path manifest entry of tomcat8-jasper.jar to use
the specification jars from libtomcat8-java instead of libservlet3.1-java
(Closes: #867247)
[ Miguel Landaeta ]
* Remove myself from uploaders. (Closes: #871892)
* Update copyright info.
-- Emmanuel Bourg <email address hidden> Wed, 20 Sep 2017 10:06:56 +0200
Available diffs
- diff from 8.5.16-1 to 8.5.21-1 (92.6 KiB)
tomcat8 (8.5.16-1) unstable; urgency=medium
* Team upload.
* New upstream release
- Refreshed the patches
* Standards-Version updated to 4.0.0
-- Emmanuel Bourg <email address hidden> Mon, 26 Jun 2017 16:03:53 +0200
Available diffs
tomcat8 (8.0.37-1ubuntu0.2) yakkety; urgency=medium
* Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat8
contains the '%' character (LP: #1666570).
-- Joshua Powers <email address hidden> Tue, 28 Mar 2017 16:46:16 -0700
Available diffs
| Superseded in artful-release |
| Obsolete in zesty-release |
| Deleted in zesty-proposed (Reason: moved to release) |
tomcat8 (8.0.38-2ubuntu2) zesty; urgency=medium
* Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat8
contains the '%' character (LP: #1666570).
-- Joshua Powers <email address hidden> Tue, 28 Mar 2017 16:47:32 -0700
Available diffs
tomcat8 (8.0.32-1ubuntu1.4) xenial; urgency=medium
* Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat8
contains the '%' character (LP: #1666570).
-- Joshua Powers <email address hidden> Thu, 09 Mar 2017 14:38:04 -0700
Available diffs
tomcat8 (8.0.38-2ubuntu1) zesty; urgency=medium
* SECURITY UPDATE: HTTP response injection via invalid characters
- debian/patches/CVE-2016-6816.patch: add additional checks for valid
characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
java/org/apache/coyote/http11/InternalAprInputBuffer.java,
java/org/apache/coyote/http11/InternalInputBuffer.java,
java/org/apache/coyote/http11/LocalStrings.properties,
java/org/apache/tomcat/util/http/parser/HttpParser.java.
- CVE-2016-6816
* SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
- debian/patches/CVE-2016-8735.patch: explicitly configure allowed
credential types in
java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
- CVE-2016-8735
* SECURITY UPDATE: information leakage between requests
- debian/patches/CVE-2016-8745.patch: properly handle cache when unable
to complete sendfile request in
java/org/apache/tomcat/util/net/NioEndpoint.java.
- CVE-2016-8745
* SECURITY UPDATE: privilege escalation during package upgrade
- debian/rules, debian/tomcat8.postinst: properly set permissions on
/etc/tomcat8/Catalina/localhost.
- CVE-2016-9774
* SECURITY UPDATE: privilege escalation during package removal
- debian/tomcat8.postrm.in: don't reset permissions before removing
user.
- CVE-2016-9775
-- Marc Deslauriers <email address hidden> Wed, 15 Feb 2017 08:38:11 -0500
Available diffs
tomcat8 (8.0.32-1ubuntu1.3) xenial-security; urgency=medium
* SECURITY UPDATE: timing attack in realm implementations
- debian/patches/CVE-2016-0762.patch: add time delays to
java/org/apache/catalina/realm/DataSourceRealm.java,
java/org/apache/catalina/realm/JDBCRealm.java,
java/org/apache/catalina/realm/MemoryRealm.java,
java/org/apache/catalina/realm/RealmBase.java.
- CVE-2016-0762
* SECURITY UPDATE: SecurityManager bypass via a Tomcat utility method
- debian/patches/CVE-2016-5018.patch: remove unnecessary code in
java/org/apache/jasper/runtime/JspRuntimeLibrary.java,
java/org/apache/jasper/security/SecurityClassLoad.java,
java/org/apache/jasper/servlet/JasperInitializer.java.
- CVE-2016-5018
* SECURITY UPDATE: mitigaton for httpoxy issue
- debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization
parameter to conf/web.xml, webapps/docs/cgi-howto.xml,
java/org/apache/catalina/servlets/CGIServlet.java.
- CVE-2016-5388
* SECURITY UPDATE: system properties read SecurityManager bypass
- debian/patches/CVE-2016-6794.patch: extend SecurityManager protection
to the system property replacement feature of the digester in
java/org/apache/catalina/loader/WebappClassLoaderBase.java,
java/org/apache/tomcat/util/digester/Digester.java,
java/org/apache/tomcat/util/security/PermissionCheck.java.
- CVE-2016-6794
* SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration
parameters
- debian/patches/CVE-2016-6796.patch: ignore some JSP options when
running under a SecurityManager in conf/web.xml,
java/org/apache/jasper/EmbeddedServletOptions.java,
java/org/apache/jasper/resources/LocalStrings.properties,
java/org/apache/jasper/servlet/JspServlet.java,
webapps/docs/jasper-howto.xml.
- CVE-2016-6796
* SECURITY UPDATE: web application global JNDI resource access
- debian/patches/CVE-2016-6797.patch: ensure that the global resource
is only visible via the ResourceLinkFactory when it is meant to be in
java/org/apache/catalina/core/NamingContextListener.java,
java/org/apache/naming/factory/ResourceLinkFactory.java,
test/org/apache/naming/TestNamingContext.java.
- CVE-2016-6797
* SECURITY UPDATE: HTTP response injection via invalid characters
- debian/patches/CVE-2016-6816.patch: add additional checks for valid
characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
java/org/apache/coyote/http11/InternalAprInputBuffer.java,
java/org/apache/coyote/http11/InternalInputBuffer.java,
java/org/apache/coyote/http11/LocalStrings.properties,
java/org/apache/tomcat/util/http/parser/HttpParser.java.
- CVE-2016-6816
* SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
- debian/patches/CVE-2016-8735.patch: explicitly configure allowed
credential types in
java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
- CVE-2016-8735
* SECURITY UPDATE: information leakage between requests
- debian/patches/CVE-2016-8745.patch: properly handle cache when unable
to complete sendfile request in
java/org/apache/tomcat/util/net/NioEndpoint.java.
- CVE-2016-8745
* SECURITY UPDATE: privilege escalation during package upgrade
- debian/rules, debian/tomcat8.postinst: properly set permissions on
/etc/tomcat8/Catalina/localhost.
- CVE-2016-9774
* SECURITY UPDATE: privilege escalation during package removal
- debian/tomcat8.postrm.in: don't reset permissions before removing
user.
- CVE-2016-9775
* debian/tomcat8.init: further hardening.
-- Marc Deslauriers <email address hidden> Mon, 16 Jan 2017 08:18:27 -0500
Available diffs
tomcat8 (8.0.37-1ubuntu0.1) yakkety-security; urgency=medium
* SECURITY UPDATE: HTTP response injection via invalid characters
- debian/patches/CVE-2016-6816.patch: add additional checks for valid
characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
java/org/apache/coyote/http11/InternalAprInputBuffer.java,
java/org/apache/coyote/http11/InternalInputBuffer.java,
java/org/apache/coyote/http11/LocalStrings.properties,
java/org/apache/tomcat/util/http/parser/HttpParser.java.
- CVE-2016-6816
* SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
- debian/patches/CVE-2016-8735.patch: explicitly configure allowed
credential types in
java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
- CVE-2016-8735
* SECURITY UPDATE: information leakage between requests
- debian/patches/CVE-2016-8745.patch: properly handle cache when unable
to complete sendfile request in
java/org/apache/tomcat/util/net/NioEndpoint.java.
- CVE-2016-8745
* SECURITY UPDATE: privilege escalation during package upgrade
- debian/rules, debian/tomcat8.postinst: properly set permissions on
/etc/tomcat8/Catalina/localhost.
- CVE-2016-9774
* SECURITY UPDATE: privilege escalation during package removal
- debian/tomcat8.postrm.in: don't reset permissions before removing
user.
- CVE-2016-9775
* debian/tomcat8.init: further hardening.
-- Marc Deslauriers <email address hidden> Fri, 13 Jan 2017 10:48:08 -0500
Available diffs
| Deleted in zesty-proposed (Reason: breaks other packages not yet ported to tomcat 8.5; will ...) |
tomcat8 (8.5.11-1) unstable; urgency=medium
* Team upload.
* New upstream release
- Refreshed the patches
* Recommend Java 8 in /etc/default/tomcat8
-- Emmanuel Bourg <email address hidden> Tue, 17 Jan 2017 15:09:30 +0100
Available diffs
- diff from 8.5.9-2 to 8.5.11-1 (115.9 KiB)
tomcat8 (8.5.9-2) unstable; urgency=medium * Team upload. * Require Java 8 or higher (Closes: #848612) -- Emmanuel Bourg <email address hidden> Mon, 19 Dec 2016 15:35:19 +0100
Available diffs
- diff from 8.5.9-1 to 8.5.9-2 (834 bytes)
tomcat8 (8.5.9-1) unstable; urgency=medium
* Team upload.
* New upstream release
- Refreshed the patches
* Restored the classloading from the common, server and shared directories
under CATALINA_BASE (Closes: #847137)
* Fixed the installation error when JAVA_OPTS in /etc/default/tomcat8
contains the '%' character (Closes: #770911)
-- Emmanuel Bourg <email address hidden> Thu, 08 Dec 2016 22:26:36 +0100
Available diffs
- diff from 8.5.8-2 to 8.5.9-1 (42.5 KiB)
tomcat8 (8.5.8-2) unstable; urgency=medium
* Team upload.
* Upload to unstable.
* No longer make /etc/tomcat8/Catalina/localhost writable by the tomcat8 user
in the postinst script (Closes: #845393)
* The tomcat8 user is no longer removed when the package is purged
(Closes: #845385)
* Compress and remove the access log files with a .txt extension
(Closes: #845661)
* Added the delaycompress option to the logrotate configuration
of catalina.out (Closes: #843135)
* Changed the home directory for the tomcat8 user from /usr/share/tomcat8
to /var/lib/tomcat8 (Closes: #833261)
* Aligned the logging configuration with the upstream one
* Set the proper permissions for /etc/tomcat8/jaspic-providers.xml
* Install the new library jaspic-api.jar
* Install the Maven artifacts for tomcat-storeconfig
* Simplified debian/rules
-- Emmanuel Bourg <email address hidden> Thu, 01 Dec 2016 18:41:14 +0100
Available diffs
- diff from 8.0.39-1 to 8.5.8-2 (1.2 MiB)
tomcat8 (8.0.39-1) unstable; urgency=medium
* Team upload.
* New upstream release
- Refreshed the patches
-- Emmanuel Bourg <email address hidden> Tue, 15 Nov 2016 15:37:48 +0100
Available diffs
- diff from 8.0.38-2 to 8.0.39-1 (23.1 KiB)
tomcat8 (8.0.38-2) unstable; urgency=high
* Team upload.
* CVE-2016-1240 follow-up:
- The previous init.d fix was vulnerable to a race condition that could
be exploited to make any existing file writable by the tomcat user.
Thanks to Paul Szabo for the report and the fix.
- The catalina.policy file generated on startup was affected by a similar
vulnerability that could be exploited to overwrite any file on the system.
Thanks to Paul Szabo for the report.
* Install the extra jar catalina-jmx-remote.jar (Closes: #762916)
* Added the new libtomcat8-embed-java package containing the libraries
for embedding Tomcat into other applications.
* Switch to debhelper level 10
-- Emmanuel Bourg <email address hidden> Fri, 28 Oct 2016 01:17:23 +0200
Available diffs
- diff from 8.0.37-1 to 8.0.38-2 (43.0 KiB)
| Superseded in zesty-release |
| Obsolete in yakkety-release |
| Deleted in yakkety-proposed (Reason: moved to release) |
tomcat8 (8.0.37-1) unstable; urgency=medium * Team upload. * New upstream release * Removed 0001-set-UTF-8-as-default-character-encoding.patch (fixed upstream) -- Emmanuel Bourg <email address hidden> Mon, 19 Sep 2016 09:37:33 +0200
Available diffs
tomcat8 (8.0.36-2ubuntu1) yakkety; urgency=medium
* SECURITY UPDATE: privilege escalation via insecure init script
- debian/tomcat8.init: don't follow symlinks when handling the
catalina.out file.
- CVE-2016-1240
-- Marc Deslauriers <email address hidden> Fri, 16 Sep 2016 09:08:41 -0400
Available diffs
tomcat8 (8.0.32-1ubuntu1.2) xenial-security; urgency=medium
* SECURITY UPDATE: privilege escalation via insecure init script
- debian/tomcat8.init: don't follow symlinks when handling the
catalina.out file.
- CVE-2016-1240
-- Marc Deslauriers <email address hidden> Fri, 16 Sep 2016 09:11:41 -0400
Available diffs
| 1 → 50 of 69 results | First • Previous • Next • Last |
