tomcat6 (6.0.24-2ubuntu1.16) lucid-security; urgency=medium

  * SECURITY UPDATE: denial of service via malformed chunk size
    - debian/patches/CVE-2014-0075.patch: fix overflow in
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2014-0075
  * SECURITY UPDATE: file disclosure via XXE issue
    - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a
      relative path in conf/web.xml,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/catalina/servlets/LocalStrings.properties,
      webapps/docs/default-servlet.xml.
    - CVE-2014-0096
  * SECURITY UPDATE: HTTP request smuggling attack via crafted
    Content-Length HTTP header
    - debian/patches/CVE-2014-0099.patch: correctly handle long values in
      java/org/apache/tomcat/util/buf/Ascii.java.
    - CVE-2014-0099

 -- Marc Deslauriers <email address hidden>  Thu, 24 Jul 2014 15:49:36 -0400

tomcat6 (6.0.24-2ubuntu1.15) lucid-security; urgency=medium

  * SECURITY UPDATE: request smuggling attack via content-length headers
    - debian/patches/CVE-2013-4286.patch: handle multiple content lengths
      in java/org/apache/coyote/ajp/AbstractAjpProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java, handle content length
      and chunked encoding being both specified in
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/Http11NioProcessor.java,
      java/org/apache/coyote/http11/Http11Processor.java.
    - CVE-2013-4286
  * SECURITY UPDATE: denial of service via chunked transfer coding
    - debian/patches/CVE-2013-4322.patch: limit length of extension data in
      java/org/apache/coyote/Constants.java,
      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
      webapps/docs/config/systemprops.xml.
    - CVE-2013-4322

 -- Marc Deslauriers <email address hidden>  Wed, 05 Mar 2014 14:53:54 -0500

tomcat6 (6.0.24-2ubuntu1.13) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service via chunked transfer encoding
    - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests
      in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
    - CVE-2012-3544
  * SECURITY UPDATE: FORM authentication request injection
    - debian/patches/CVE-2013-2067.patch: properly change session ID
      in java/org/apache/catalina/authenticator/FormAuthenticator.java.
    - CVE-2013-2067

 -- Marc Deslauriers <email address hidden>  Tue, 21 May 2013 10:03:26 -0400

tomcat6 (6.0.24-2ubuntu1.12) lucid-security; urgency=low

  * SECURITY UPDATE: security-constraint bypass with FORM auth
    - debian/patches/CVE-2012-3546.patch: remove unneeded code in
      java/org/apache/catalina/realm/RealmBase.java.
    - CVE-2012-3546
  * SECURITY UPDATE: denial of service with NIO connector
    - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
      in java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2012-4534

 -- Marc Deslauriers <email address hidden>  Thu, 10 Jan 2013 10:03:38 -0500

tomcat6 (6.0.24-2ubuntu1.11) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service via large header data
    - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2012-2733
  * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
    - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
      authenticated user in the session by default, track server rather
      than client nonces, better handling of stale nonce values in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java.
    - CVE-2012-3439
    - CVE-2012-5885
    - CVE-2012-5886
    - CVE-2012-5887

 -- Marc Deslauriers <email address hidden>  Wed, 21 Nov 2012 10:44:41 -0500

tomcat6 (6.0.24-2ubuntu1.10) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service via hash collision and incorrect
    handling of large numbers of parameters and parameter values
    (LP: #909828)
    - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
      code in conf/web.xml,
      java/org/apache/catalina/connector/Connector.java,
      java/org/apache/catalina/connector/mbeans-descriptors.xml,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/filters/FailedRequestFilter.java,
      java/org/apache/catalina/Globals.java,
      java/org/apache/coyote/Request.java,
      java/org/apache/tomcat/util/buf/B2CConverter.java,
      java/org/apache/tomcat/util/buf/ByteChunk.java,
      java/org/apache/tomcat/util/buf/MessageBytes.java,
      java/org/apache/tomcat/util/buf/StringCache.java,
      java/org/apache/tomcat/util/http/LocalStrings.properties,
      java/org/apache/tomcat/util/http/Parameters.java,
      webapps/docs/config/ajp.xml,
      webapps/docs/config/http.xml.
    - CVE-2011-4858
    - CVE-2012-0022

 -- Marc Deslauriers <email address hidden>  Wed, 25 Jan 2012 14:35:46 -0500

tomcat6 (6.0.24-2ubuntu1.9) lucid-security; urgency=low

  * SECURITY UPDATE: information disclosure via log file
    - debian/patches/0015-CVE-2011-2204.patch: fix logging in
      java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
      java/org/apache/catalina/users/MemoryUserDatabase.java,
      java/org/apache/catalina/users/MemoryUser.java.
    - CVE-2011-2204
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
  * SECURITY UPDATE: AJP request spoofing and authentication bypass
    (LP: #843701)
    - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
      bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java.
    - CVE-2011-3190
  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184

 -- Marc Deslauriers <email address hidden>  Mon, 26 Sep 2011 11:53:28 -0400

tomcat6 (6.0.24-2ubuntu1.7) lucid-security; urgency=low

  * SECURITY UPDATE: directory traversal via incorrect ServletContext
    attribute (LP: #717396)
    - debian/patches/0012-CVE-2010-3718.patch: mark as read only in
      java/org/apache/catalina/core/StandardContext.java.
    - CVE-2010-3718
  * SECURITY UPDATE: cross-site scripting in HTML Manager interface
    - debian/patches/0013-CVE-2011-0013.patch: properly filter values in
      java/org/apache/catalina/manager/{HTMLManagerServlet.java,
      StatusTransformer.java}.
    - CVE-2011-0013
  * SECURITY UPDATE: denial of service via NIO HTTP connector
    (LP: #714239, LP: #717396)
    - debian/patches/0014-CVE-2011-0534.patch: enforce proper size in
      java/org/apache/coyote/http11/InternalNioInputBuffer.java.
    - CVE-2011-0534

 -- Marc Deslauriers <email address hidden>  Thu, 24 Mar 2011 11:08:39 -0400

tomcat6 (6.0.24-2ubuntu1.6) lucid-security; urgency=low

  * SECURITY UPDATE: cross-site scripting in Manager application
    - debian/patches/0011-CVE-2010-4172.patch: add proper escaping to
      java/org/apache/catalina/manager/JspHelper.java,
      webapps/manager/{sessionDetail,sessionsList}.jsp.
    - patch backported from Debian 6.0.28-9 package
    - CVE-2010-4172

 -- Marc Deslauriers <email address hidden>  Thu, 13 Jan 2011 15:32:24 -0600

tomcat6 (6.0.24-2ubuntu1.5) lucid-proposed; urgency=low

  * debian/tomcat6.init: Add missing -p option in start-stop-daemon when
    starting tomcat6 to avoid failing to start due to /bin/bash running
    (LP: #632554)

 -- Michael Jeanson <email address hidden>  Wed, 08 Dec 2010 11:51:33 -0500

tomcat6 (6.0.24-2ubuntu1.4) lucid-proposed; urgency=low

  * Check for group existence to avoid postinst failure (LP: #611721)

 -- Thierry Carrez (ttx) <email address hidden>  Thu, 07 Oct 2010 14:06:00 +0100

tomcat6 (6.0.24-2ubuntu1.3) lucid-security; urgency=low

  * SECURITY UPDATE: denial of service and possible information disclosure
    via crafted header
    - debian/patches/CVE-2010-2227.patch: fix filter logic in
      java/org/apache/coyote/http11/{Http11AprProcessor,Http11NioProcessor,
      Http11Processor,filters/BufferedInputFilter}.java.
    - CVE-2010-2227

 -- Marc Deslauriers <email address hidden>  Thu, 19 Aug 2010 10:07:22 -0400

tomcat6 (6.0.24-2ubuntu1.2) lucid-proposed; urgency=low

  * Fix issues preventing from running Tomcat6 with a security manager:
    - debian/tomcat6.init: Remove duplicate securitymanager options.
    - debian/patches/catalina-sh-security-manager.patch: Use the right
      location for the security.policy file in catalina.sh.
    - Closes LP: #591802. Thanks to Jeff Turner for the original
      patches and to Adam Guthrie for the Lucid debdiff.

 -- Thierry Carrez <email address hidden>  Mon, 05 Jul 2010 14:54:47 +0200

tomcat6 (6.0.24-2ubuntu1.1) lucid-proposed; urgency=low

  * debian/patches/fix-jsp-regression.patch: Fix regression in JSP compilation
    that resulted in "Duplicate local variable" errors when using Struts 1.2
    or bean:define (LP: #563642)
  * debian/tomcat6.{postinst,prerm}: Respect TOMCAT6_USER and TOMCAT6_GROUP
    as defined in /etc/default/tomcat6 when setting directory permissions and
    authbind configuration (LP: #557300)
  * debian/tomcat6.postinst: Use group "tomcat6" instead of "adm" for
    permissions in /var/lib/tomcat6, so that group "adm" doesn't get write
    permissions over /var/lib/tomcat6/webapps (LP: #569118)

 -- Thierry Carrez <email address hidden>  Fri, 21 May 2010 10:11:35 +0200

tomcat6 (6.0.24-2ubuntu1) lucid; urgency=low

  [ Thierry Carrez ]
  * Uploading what 6.0.24-5 should be (upload is blocked in Debian due to
    current infrastructure issues), in order to meet Beta2Freeze.

  [ Niels Thykier ]
  * Added optimised garbage collection options to tomcat6's default options.
    Thanks to Aaron J. Zirbes and Thierry Carrez for research and the patch.
    (Closes: LP: #541520)
  * Updated the changelog to mention closed CVEs in the 6.0.24-1 release.
  * Applied patch from Arto Jantunen fixing an issue with cleaning up the
    pid-file. (Closes: #574084)

  [ Ludovic Claude ]
  * debian/tomcat6.postrm: fix removal of Tomcat (Closes: #567548)
  * Set UTF-8 as default character encoding - Patch by Thomas Koch
    (Closes: #573539)
  * Set the major, minor and build versions when calling Ant
    (Closes: LP: #495505)
  * Rebuild with a more recent version of maven-repo-helper which puts
    the javax jars at the correct location in the Maven repository.
    Fixes several FTBFS in other packages.

 -- Thierry Carrez <email address hidden>  Wed, 31 Mar 2010 10:47:51 +0200

tomcat6 (6.0.24-2) unstable; urgency=low

  * Fix missing symlinks to tomcat-coyote.jar and
    catalina-tribes.jar causing NoClassDefFoundException
    at startup (last minute packaging change, sorry)
    (Closes: #570220)
  * tomcat6-admin, tomcat6-examples and tomcat6-docs now depend on
    tomcat6-common instead of tomcat6; this allows users to install
    those packages without requiring tomcat6 and its automatic startup scripts
    being present. tomcat-users can be installed instead and allows full
    control over when Tomcat is started or stopped.

 -- Thierry Carrez <email address hidden>  Mon, 22 Feb 2010 13:52:01 +0000

tomcat6 (6.0.24-1) unstable; urgency=low

  [ Ludovic Claude ]
  * New upstream version
  * Update the POM files for the new version of Tomcat
  * Bump up Standards-Version to 3.8.4
  * Refresh patches deploy-webapps-build-xml.patch and var_loaders.patch
  * Remove patch fix_context_name.patch as it has been applied upstream
  * Fix the installation of servlet-api-2.5.jar: the jar
    goes to /usr/share/java as in older versions (6.0.20-2)
    and links to the jar are added to /usr/share/maven-repo
  * Moved NEWS.Debian into README.Debian
  * Add a link from /usr/share/doc/tomcat6-common/README.Debian to
    /usr/share/doc/tomcat6/README.Debian to include a minimum of
    documentation in the tomcat6 package and add some useful notes.
    (Closes: #563937, #563939)
  * Remove poms from the Debian packaging, use upstream pom files

  [ Jason Brittain ]
  * Fixed a bug in the init script: When a start fails, the PID file was
    being left in place. Now the init script makes sure it is deleted.
  * Fixed a packaging bug that results in the ROOT webapp not being properly
    installed after an uninstall, then a reinstall.
  * control: Corrected a couple of comments (no functional change).

tomcat6 (6.0.20-dfsg1-2) unstable; urgency=low

  * JSVC is no longer used by the package. Instead, the init script invokes
    the stock catalina.sh script.
  * Authbind is now the standard method for binding Tomcat to ports lower
    than 1024 (when using IPv4).
  * The security manager now defaults to the disabled state, and is commented
    that way in /etc/default/tomcat6.
  * Reliable restarts are now implemented in the init script.
    (Closes: #561559)
  * Tomcat now sends STDOUT and STDERR to its usual, stock log file
    CATALINA_BASE/logs/catalina.out (/var/log/tomcat6/catalina.out in this
    package's case).

 -- Thierry Carrez <email address hidden>  Thu, 18 Feb 2010 06:47:56 +0000

tomcat6 (6.0.20-dfsg1-1) unstable; urgency=low

  * Fix debian/orig-tar.sh to exclude binary only standard.jar and jstl.jar.
    (Closes: #528119)
  * Upload a cleaned tarball.
  * Add ${misc:Depends} in debian/control.

 -- Ubuntu Archive Auto-Sync <email address hidden>  Tue, 02 Feb 2010 00:01:25 +0000

tomcat6 (6.0.20-9) unstable; urgency=low

  * Fix spelling issues.
  * Always set JSVC_CLASSPATH to a default value in init.

 -- Benjamin Drung <email address hidden>  Mon, 04 Jan 2010 19:03:51 +0000

tomcat6 (6.0.20-8ubuntu1) lucid; urgency=low

  * Merge from Debian unstable. Remaining changes:
    - debian/control, debian/rules: Do not use 3.0 (quilt) source format yet
  * debian/tomcat6.default: Fix typos in "JSVC" and "remote", missing newline
  * debian/tomcat6.default, debian/tomcat6.init: Handle JSVC_CLASSPATH
    default value the same way as other defaults

tomcat6 (6.0.20-8) unstable; urgency=low

  * Corrected some spelling mistakes in debian/control.
    (Closes: #557377, #557378)
  * Added patches to install the OSGi metadata in some of the jars.
    (Closes: #558176)
  * Updated 03catalina.policy to allow "setContextClassLoader".
    - Fixes a problem where Sun's JVM would fail to generate log-files.
    (Closes: LP: #410379)
  * Updated /etc/default/tomcat6:
    - Clarified that JAVA_OPTS are passed to jsvc and not the JVM.
    - Updated the JSP_COMPILER to javac (jikes is not in Debian anymore).
    (Closes: LP: #440685)
  * Use default-jdk and default-jre-headless instead of openjdk in
    (Build-)Depends.
  * Added more alternatives for java implementations to the Depends of
    libservlet2.5-java.
  * Exposed JSVC_CLASSPATH to the configuration file.
    (Closes: LP: #475457)
  * Updated description so it no longer refers to non-existent package.
    (Closes: #559475)
  * Used "set -e" in postinst and postrm instead of passing "-e" to sh
    in the #!-line.
  * Changed to 3.0 (quilt) source format.

tomcat6 (6.0.20-7) unstable; urgency=low

  * New patch fix_context_name.patch:
    - Allow Service name != Engine name. Regression in fix for 42707.
      Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47316
    - This has been fixed in trunk and will be in 6.0.21
  * Register libservlet2.5-java-doc API with doc-base
  * Fix short description of tomcat6-docs by using "documentation" suffix

tomcat6 (6.0.20-6) unstable; urgency=low

  [ Ludovic Claude ]
  * tomcat6.postinst: set the ownership of files in /etc/tomcat6/
    to root:tomcat6, to prevent an attacker running inside a tomcat6
    instance from changing the tomcat configuration
  * debian/policy/02debian.policy: grant access to
    /usr/share/maven-repo/ as it is a valid source of Debian JARs.
    (Closes: #545674)
  * Bump up Standards-Version to 3.8.3
    - add debian/README.source that describes the quilt patch system.
  * debian/control: Add Conflicts on libtomcat6-java with old versions
    of tomcat6-common (Closes: #542397)

  [ Michael Koch ]
  * Replace dh_clean -k by dh_prep.
  * Added Ludovic and myself to Uploaders.
  * Build-Depends on debhelper >= 7.

tomcat6 (6.0.20-5) unstable; urgency=low

  * Fix jsp-api dependency in the Maven descriptors.
  * Put tomcat-juli.jar in /usr/share/java instead of juli.jar.
    This fixes a broken link which prevented tomcat from starting
    when logging is turned on, and restores the file layout
    defined in 6.0.20-2.
  * Restore links to the jars in usr/share/tomcat6/lib
  * Change watch to download fresh sources from SVN.
    Should fix wrong encoding in tomcat-i18n-fr/es.jar in the next upstream
    version. (Closes: #522067)
  * Update ownership for files in /etc/tomcat6 and /var/lib/tomcat6/webapps.
    The new owner is tomcat6:adm (Closes: #532284)
  * Add additional directories for the common, server and shared classloader.
    Directories are also compatible with Alfresco's packaging done for
    Ubuntu. (Closes: #521318)
  * Update checksum in postrm script to reflect changes
    in the new upstream webapp
  * postrm removes the extra directories created in /var/lib/tomcat6
    to hold shared and common classes or jars.
  * Added commented out default options for enabling debug mode.
    (Closes: LP: #375493)

tomcat6 (6.0.20-4) experimental; urgency=low

  * Fix init script:
    - Change Provides: tomcat6. (Closes: #532286)
    - Check for /etc/default/rcS before sourcing it.
  * Update Standards-Version: 3.8.2 (no changes).

tomcat6 (6.0.20-3) experimental; urgency=low

  * Add the Maven POM to the package
  * Add a Build-Depends-Indep dependency on maven-repo-helper
  * Use mh_installpom and mh_installjar to install the POM and the jar to the
    Maven repository

 -- Thierry Carrez <email address hidden>  Mon, 14 Dec 2009 13:55:18 +0100

tomcat6 (6.0.20-2ubuntu2) karmic; urgency=low

  * Add maven POM's for libservlet2.5-java. LP: #454822.
  * debian/policy/02debian.policy: grant access to
    /usr/share/maven-repo/ as it is a valid source of Debian JARs.

 -- Matthias Klose <email address hidden>  Sun, 25 Oct 2009 17:00:31 +0100