lp://staging/ubuntu/jaunty-security/tomcat6

Created by James Westby and last modified
Get this branch:
bzr branch lp://staging/ubuntu/jaunty-security/tomcat6
Branch information

Owner:
Ubuntu branches
Review team:
Ubuntu Development Team
Status:
Mature

Recent revisions

12. By Marc Deslauriers

* SECURITY UPDATE: denial of service and possible information disclosure
  via crafted header
  - debian/patches/CVE-2010-2227.patch: fix filter logic in
    java/org/apache/coyote/http11/{Http11AprProcessor,Http11NioProcessor,
    Http11Processor,filters/BufferedInputFilter}.java.
  - CVE-2010-2227

11. By Marc Deslauriers

* SECURITY UPDATE: arbitrary file creation or overwrite from directory
  traversal via a .. entry in a WAR file.
  - CVE-2009-2693
* SECURITY UPDATE: authentication bypass via autodeployment process
  - CVE-2009-2901
* SECURITY UPDATE: work-directory file deletion via directory traversal
  sequences in a WAR filename.
  - CVE-2009-2902
  - debian/patches/security_CVE-2009-2693_2901_2902.patch: validate file
    names and paths in java/org/apache/catalina/loader/
    {LocalStrings.properties,WebappClassLoader.java},
    java/org/apache/catalina/startup/{ContextConfig.java,ExpandWar.java,
    HostConfig.java,LocalStrings.properties}

10. By Marc Deslauriers

* SECURITY UPDATE: security bypass via specially crafted request
  - debian/patches/security-CVE-2008-5515.patch: use only a single
    normalise implementation in:
    java/org/apache/catalina/connector/Request.java,
    java/org/apache/catalina/core/{ApplicationContext,ApplicationHttpRequest}.java,
    java/org/apache/catalina/servlets/WebdavServlet.java,
    java/org/apache/catalina/ssi/{SSIServletExternalResolver,SSIServletRequestUtil}.java,
    java/org/apache/catalina/util/RequestUtil.java,
    java/org/apache/naming/resources/FileDirContext.java
  - CVE-2008-5515
* SECURITY UPDATE: denial of service via request with invalid headers
  - debian/patches/security-CVE-2009-0033.patch: make sure we return
    400 to the browser in
    java/org/apache/jk/common/{ChannelNioSocket,ChannelSocket,HandlerRequest}.java
  - CVE-2009-0033
* SECURITY UPDATE: valid username enumeration via improper error checking
  - debian/patches/security-CVE-2009-0580.patch: make sure we have valid
    credentials in java/org/apache/catalina/realm/{DataSourceRealm,JDBCRealm,MemoryRealm}.java
  - CVE-2009-0580
* SECURITY UPDATE: cross-site scripting in calendar example application
  (LP: #341278)
  - debian/patches/security-CVE-2009-0781.patch: properly quote value in
    webapps/examples/jsp/cal/cal2.jsp
  - CVE-2009-0781
* SECURITY UPDATE: information disclosure via XML parser replacement
  - debian/patches/security-CVE-2009-0783.patch: create digesters and
    parsers earlier and don't use xml-parser from web-app in
    java/org/apache/catalina/core/StandardContext.java,
    java/org/apache/catalina/startup/{LocalStrings.properties,TldConfig.java}
  - CVE-2009-0783

9. By Thierry Carrez

* Added debian/patches/tcnative-ipv6-fix-43327.patch to fix incompatibility
  between libtcnative-1 and ipv6 (fixes LP: #287645)
* No longer create confusing /var/lib/tomcat6/lib or lib subdirectory in
  private instances, since they are ignored (LP: #324212)

8. By Mathias Gug

[ Thierry Carrez ]
* Removed tomcat6-[admin,docs,examples].post[inst,rm] and let Tomcat webapp
  autodeployment features handle application load/unload (LP: #302914)
* tomcat6-instance-create, tomcat6-instance-create.1, control:
  Allow changing the HTTP port, control port and shutdown word on the
  tomcat6-instance-create command line (LP: #300691).

[ Mathias Gug ]
* debian/tomcat6-instance-create: move directoryname from an option to
  an argument.
* debian/tomcat6-instance-create.1: some updates to the man page.
* debian/control: update maintainer field to Ubuntu Core Developers now that
  tomcat6 is in main.

7. By Thierry Carrez

* tomcat6.init, tomcat6.postinst, tomcat6.dirs, tomcat6.default,
  README.debian: Use /tmp/tomcat6-temp instead of /var/lib/tomcat6/temp as
  the JVM temporary directory and clean it at each restart (LP: #287452)
* policy/04webapps.policy: add rules to allow usage of java.io.tmpdir
* tomcat6.init, rules: Do not use TearDown, as this results in
  LifecycleListener callbacks in webapps being bypassed (LP: #299436)
* rules: Compile at Java 1.5 level to allow usage of Java 5 JREs
  (LP: #286427)
* control, rules, libservlet2.5-java-doc.install,
  libservlet2.5-java-doc.links: New libservlet2.5-java-doc package ships
  missing Servlet/JSP API documentation (LP: #279645)
* patches/use-commons-dbcp.patch: Change default DBCP factory class
  to org.apache.commons.dbcp.BasicDataSourceFactory (LP: #283852)
* tomcat6.dirs, tomcat6.postinst, default_root/index.html: Create
  Catalina/localhost in /etc/tomcat6 and make it writeable by the tomcat6
  group, so that autodeploy and admin webapps work as expected (LP: #294277)
* patches/disable-apr-loading.patch: Disable APR library loading until we
  properly provide it.
* patches/disable-ajp-connector: Do not load AJP13 connector by default
  (LP: #300697)
* rules: minor fixes to prevent build being called twice.

6. By Thierry Carrez

* debian/tomcat6.postinst:
  - Make /var/lib/tomcat6/temp writeable by the tomcat6 user (LP: #287126)
  - Make /var/lib/tomcat6/webapps writeable by tomcat6 group (LP: #287447)
* debian/tomcat6.init: make status return nonzero if tomcat6 is not running
  (fixes LP: #288218)

5. By Thierry Carrez

debian/rules: call dh_installinit with --error-handler so that install
doesn't fail if Tomcat cannot be started during configure (LP: #274365)

4. By Thierry Carrez

* New upstream version (LP: #260016)
  - Fixes CVE-2008-2938: Directory traversal vulnerability (LP: #256802)
  - Fixes CVE-2008-2370: Information disclosure vulnerability (LP: #256922)
  - Fixes CVE-2008-1232: XSS through sendError vulnerability (LP: #256926)
* Dropped CVE-2008-1947.patch (fix is shipped in this upstream release)
* control: Improve short descriptions for the binary packages
* copyright: Added link to /usr/share/common-licenses/Apache-2.0
* control: To pull the right JRE, libtomcat6-java now depends on
  default-jre-headless | java6-runtime-headless

3. By Thierry Carrez

* Adding full Tomcat 6 server stack support (LP: #256052)
  - tomcat6 handles the system instance (/var/lib/tomcat6)
  - tomcat6-user allows users to create their own private instances
  - tomcat6-common installs common files in /usr/share/tomcat6
  - libtomcat6-java installs Tomcat 6 java libs in /usr/share/java
  - tomcat6-docs installs the documentation webapp
  - tomcat6-examples installs the examples webapp
  - tomcat6-admin installs the manager and host-manager webapps
* Other key differences with the tomcat5.5 packages:
  - default-jdk build support
  - OpenJDK-6 JRE runtime support
  - tomcat6 installs a minimal ROOT webapp
  - new webapp locations follow Debian webapp policy
  - webapps restart tomcat6 in postrm rather than in prerm
  - added a doc-base entry
  - use standard upstream server.xml
  - initscript: try to check if Tomcat is really running before returning OK
  - removed transitional configuration migration code
  - autogenerate policy in /var/cache/tomcat6 rather than /etc/tomcat6
  - logging.properties is customized to remove -webapps-related lines
  - initscript: implement TearDown spec
* CVE-2008-1947 fix (cross-site-scripting issue in host-manager webapp)

Branch metadata

Branch format:
Branch format 7
Repository format:
Bazaar repository format 2a (needs bzr 1.16 or later)
Stacked on:
lp://staging/ubuntu/lucid/tomcat6
This branch contains public information. Everyone can see this information.