tomcat8 (8.5.11-1) unstable; urgency=medium
* Team upload.
* New upstream release
- Refreshed the patches
* Recommend Java 8 in /etc/default/tomcat8
-- Emmanuel Bourg <email address hidden> Tue, 17 Jan 2017 15:09:30 +0100
-
tomcat8 (8.5.9-2) unstable; urgency=medium
* Team upload.
* Require Java 8 or higher (Closes: #848612)
-- Emmanuel Bourg <email address hidden> Mon, 19 Dec 2016 15:35:19 +0100
-
tomcat8 (8.5.9-1) unstable; urgency=medium
* Team upload.
* New upstream release
- Refreshed the patches
* Restored the classloading from the common, server and shared directories
under CATALINA_BASE (Closes: #847137)
* Fixed the installation error when JAVA_OPTS in /etc/default/tomcat8
contains the '%' character (Closes: #770911)
-- Emmanuel Bourg <email address hidden> Thu, 08 Dec 2016 22:26:36 +0100
-
tomcat8 (8.5.8-2) unstable; urgency=medium
* Team upload.
* Upload to unstable.
* No longer make /etc/tomcat8/Catalina/localhost writable by the tomcat8 user
in the postinst script (Closes: #845393)
* The tomcat8 user is no longer removed when the package is purged
(Closes: #845385)
* Compress and remove the access log files with a .txt extension
(Closes: #845661)
* Added the delaycompress option to the logrotate configuration
of catalina.out (Closes: #843135)
* Changed the home directory for the tomcat8 user from /usr/share/tomcat8
to /var/lib/tomcat8 (Closes: #833261)
* Aligned the logging configuration with the upstream one
* Set the proper permissions for /etc/tomcat8/jaspic-providers.xml
* Install the new library jaspic-api.jar
* Install the Maven artifacts for tomcat-storeconfig
* Simplified debian/rules
-- Emmanuel Bourg <email address hidden> Thu, 01 Dec 2016 18:41:14 +0100
-
tomcat8 (8.0.39-1) unstable; urgency=medium
* Team upload.
* New upstream release
- Refreshed the patches
-- Emmanuel Bourg <email address hidden> Tue, 15 Nov 2016 15:37:48 +0100
-
tomcat8 (8.0.38-2ubuntu2.2) zesty-security; urgency=medium
* SECURITY UPDATE: loss of pipeline requests
- debian/patches/CVE-2017-5647.patch: improve sendfile handling when
requests are pipelined in
java/org/apache/coyote/AbstractProtocol.java,
java/org/apache/coyote/http11/Http11AprProcessor.java,
java/org/apache/coyote/http11/Http11Nio2Processor.java,
java/org/apache/coyote/http11/Http11NioProcessor.java,
java/org/apache/tomcat/util/net/AprEndpoint.java,
java/org/apache/tomcat/util/net/Nio2Endpoint.java,
java/org/apache/tomcat/util/net/NioEndpoint.java,
java/org/apache/tomcat/util/net/SendfileKeepAliveState.java.
- CVE-2017-5647
* SECURITY UPDATE: incorrect facade object use
- debian/patches/CVE-2017-5648.patch: ensure request and response
facades are used when firing application listeners in
java/org/apache/catalina/authenticator/FormAuthenticator.java,
java/org/apache/catalina/core/StandardHostValve.java.
- CVE-2017-5648
* SECURITY UPDATE: unexpected and undesirable results for static error
pages
- debian/patches/CVE-2017-5664.patch: use a more reliable mechanism in
java/org/apache/catalina/servlets/DefaultServlet.java,
java/org/apache/catalina/servlets/WebdavServlet.java.
- CVE-2017-5664
* SECURITY UPDATE: client and server side cache poisoning in CORS filter
- debian/patches/CVE-2017-7674.patch: set Vary header in response in
java/org/apache/catalina/filters/CorsFilter.java.
- CVE-2017-7674
-- Marc Deslauriers <email address hidden> Wed, 27 Sep 2017 17:20:40 -0400
-
tomcat8 (8.0.38-2ubuntu2) zesty; urgency=medium
* Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat8
contains the '%' character (LP: #1666570).
-- Joshua Powers <email address hidden> Tue, 28 Mar 2017 16:47:32 -0700
-
tomcat8 (8.0.38-2ubuntu1) zesty; urgency=medium
* SECURITY UPDATE: HTTP response injection via invalid characters
- debian/patches/CVE-2016-6816.patch: add additional checks for valid
characters in java/org/apache/coyote/http11/AbstractInputBuffer.java,
java/org/apache/coyote/http11/AbstractNioInputBuffer.java,
java/org/apache/coyote/http11/InternalAprInputBuffer.java,
java/org/apache/coyote/http11/InternalInputBuffer.java,
java/org/apache/coyote/http11/LocalStrings.properties,
java/org/apache/tomcat/util/http/parser/HttpParser.java.
- CVE-2016-6816
* SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener
- debian/patches/CVE-2016-8735.patch: explicitly configure allowed
credential types in
java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java.
- CVE-2016-8735
* SECURITY UPDATE: information leakage between requests
- debian/patches/CVE-2016-8745.patch: properly handle cache when unable
to complete sendfile request in
java/org/apache/tomcat/util/net/NioEndpoint.java.
- CVE-2016-8745
* SECURITY UPDATE: privilege escalation during package upgrade
- debian/rules, debian/tomcat8.postinst: properly set permissions on
/etc/tomcat8/Catalina/localhost.
- CVE-2016-9774
* SECURITY UPDATE: privilege escalation during package removal
- debian/tomcat8.postrm.in: don't reset permissions before removing
user.
- CVE-2016-9775
-- Marc Deslauriers <email address hidden> Wed, 15 Feb 2017 08:38:11 -0500
-
tomcat8 (8.0.38-2) unstable; urgency=high
* Team upload.
* CVE-2016-1240 follow-up:
- The previous init.d fix was vulnerable to a race condition that could
be exploited to make any existing file writable by the tomcat user.
Thanks to Paul Szabo for the report and the fix.
- The catalina.policy file generated on startup was affected by a similar
vulnerability that could be exploited to overwrite any file on the system.
Thanks to Paul Szabo for the report.
* Install the extra jar catalina-jmx-remote.jar (Closes: #762916)
* Added the new libtomcat8-embed-java package containing the libraries
for embedding Tomcat into other applications.
* Switch to debhelper level 10
-- Emmanuel Bourg <email address hidden> Fri, 28 Oct 2016 01:17:23 +0200
-
tomcat8 (8.0.37-1) unstable; urgency=medium
* Team upload.
* New upstream release
* Removed 0001-set-UTF-8-as-default-character-encoding.patch (fixed upstream)
-- Emmanuel Bourg <email address hidden> Mon, 19 Sep 2016 09:37:33 +0200