tomcat8 (8.0.37-1ubuntu0.2) yakkety; urgency=medium

  * Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat8
    contains the '%' character (LP: #1666570).

 -- Joshua Powers <email address hidden>  Tue, 28 Mar 2017 16:46:16 -0700

tomcat8 (8.0.37-1ubuntu0.1) yakkety-security; urgency=medium

  * SECURITY UPDATE: HTTP response injection via invalid characters
    - debian/patches/CVE-2016-6816.patch: add additional checks for valid
      characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
      java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
      java/org/apache/coyote/http11/InternalAprInputBuffer.java,
      java/org/apache/coyote/http11/InternalInputBuffer.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/http/parser/HttpParser.java.
    - CVE-2016-6816
  * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
    - debian/patches/CVE-2016-8735.patch: explicitly configure allowed
      credential types in
      java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
    - CVE-2016-8735
  * SECURITY UPDATE: information leakage between requests
    - debian/patches/CVE-2016-8745.patch: properly handle cache when unable
      to complete sendfile request in
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2016-8745
  * SECURITY UPDATE: privilege escalation during package upgrade
    - debian/rules, debian/tomcat8.postinst: properly set permissions on
      /etc/tomcat8/Catalina/localhost.
    - CVE-2016-9774
  * SECURITY UPDATE: privilege escalation during package removal
    - debian/tomcat8.postrm.in: don't reset permissions before removing
      user.
    - CVE-2016-9775
  * debian/tomcat8.init: further hardening.

 -- Marc Deslauriers <email address hidden>  Fri, 13 Jan 2017 10:48:08 -0500

tomcat8 (8.0.37-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Removed 0001-set-UTF-8-as-default-character-encoding.patch (fixed upstream)

 -- Emmanuel Bourg <email address hidden>  Mon, 19 Sep 2016 09:37:33 +0200

tomcat8 (8.0.36-2ubuntu1) yakkety; urgency=medium

  * SECURITY UPDATE: privilege escalation via insecure init script
    - debian/tomcat8.init: don't follow symlinks when handling the
      catalina.out file.
    - CVE-2016-1240

 -- Marc Deslauriers <email address hidden>  Fri, 16 Sep 2016 09:08:41 -0400

tomcat8 (8.0.36-2) unstable; urgency=medium

  * Team upload.
  * Do not unconditionally overwrite files in /etc/tomcat8 anymore.
    (Closes: #825786)

 -- Markus Koschany <email address hidden>  Tue, 02 Aug 2016 10:50:42 +0200

tomcat8 (8.0.36-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Depend on libecj-java (>= 3.11.0)
  * Standards-Version updated to 3.9.8 (no changes)
  * Use a secure Vcs-Git URL

 -- Emmanuel Bourg <email address hidden>  Tue, 14 Jun 2016 14:34:46 +0200

tomcat8 (8.0.32-1ubuntu1) xenial; urgency=medium

  * Prepare to promote tomcat8 to main (LP: #1539903).
    - debian/control, 0021-ubuntu-mainize-build-xml.patch: Remove
      build-dependencies on libobjenesis-java and libeasymock-java, and skip
      tests that rely on the functionality they provide.

 -- Nishanth Aravamudan <email address hidden>  Fri, 05 Feb 2016 09:20:39 +0100