lp://staging/ubuntu/maverick-proposed/tomcat6

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

28. By Marc Deslauriers on 2012-01-25

* SECURITY UPDATE: denial of service via hash collision and incorrect
  handling of large numbers of parameters and parameter values
  (LP: #909828)
  - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling
    code in conf/web.xml,
    java/org/apache/catalina/connector/Connector.java,
    java/org/apache/catalina/connector/mbeans-descriptors.xml,
    java/org/apache/catalina/connector/Request.java,
    java/org/apache/catalina/filters/FailedRequestFilter.java,
    java/org/apache/catalina/Globals.java,
    java/org/apache/coyote/Request.java,
    java/org/apache/tomcat/util/buf/B2CConverter.java,
    java/org/apache/tomcat/util/buf/ByteChunk.java,
    java/org/apache/tomcat/util/buf/MessageBytes.java,
    java/org/apache/tomcat/util/buf/StringCache.java,
    java/org/apache/tomcat/util/http/LocalStrings.properties,
    java/org/apache/tomcat/util/http/Parameters.java,
    webapps/docs/config/ajp.xml,
    webapps/docs/config/http.xml.
  - CVE-2011-4858
  - CVE-2012-0022

27. By James Page on 2011-04-15

* Fix update failures when JAVA_OPTS contains / (LP: #654549)
  - debian/tomcat6.postinst: amended sed calls to use % instead of / when
    generating /etc/default/tomcat6.

26. By Marc Deslauriers on 2011-03-24

* SECURITY UPDATE: directory traversal via incorrect ServetContext
  attribute (LP: #717396)
  - debian/patches/0012-CVE-2010-3718.patch: mark as read only in
    java/org/apache/catalina/core/StandardContext.java.
  - CVE-2010-3718
* SECURITY UPDATE: cross-site scripting in HTML Manager interface
  - debian/patches/0013-CVE-2011-0013.patch: properly filter values in
    java/org/apache/catalina/manager/{HTMLManagerServlet.java,
    StatusTransformer.java}.
  - CVE-2011-0013
* SECURITY UPDATE: denial of service via NIOS HTTP connector
  (LP: #714239, LP: #717396)
  - debian/patches/0014-CVE-2011-0534.patch: enforce proper size in
    java/org/apache/coyote/http11/InternalNioInputBuffer.java.
  - CVE-2011-0534

25. By Marc Deslauriers on 2011-01-13

* SECURITY UPDATE: cross-site scripting in Manager application
  - debian/patches/0011-CVE-2010-4172.patch: add proper escaping to
    java/org/apache/catalina/manager/JspHelper.java,
    webapps/manager/WEB-INF/jsp/{sessionDetail,sessionsList}.jsp.
  - patch from Debian 6.0.28-9 package
  - CVE-2010-4172

24. By Thierry Carrez on 2010-08-25

Check for group existence to avoid postinst failure (LP: #611721)

23. By Thierry Carrez on 2010-07-20

* Add debconf questions for user, group and Java options.
* Use ucf to install /etc/default/tomcat6 from a template
* Drop CATALINA_BASE and CATALINA_HOME from /etc/default/tomcat6 since we
  shouldn't encourage users to change those anyway

22. By Torsten Werner on 2010-06-28

* Convert patches to dep3 format.
* Backport security fix from trunk to fix CVE-2010-1157. (Closes: #587447)
* Set urgency to medium due to the security fix.

21. By Marcus Better on 2010-05-31

[ Marcus Better ]
* Apply upstream fix for deadlock in WebappClassLoader. (Closes: #583896)

[ Thierry Carrez ]
* debian/tomcat6.{install,postinst}: Do not store the default root webapp
  in /usr/share/tomcat6/webapps as it increases confusion on what this
  directory contains (and its relation with /var/lib/tomcat6/webapps).
  Store it inside /usr/share/tomcat6-root instead (LP: #575303).

20. By Thierry Carrez on 2010-05-21

* debian/tomcat6.{postinst,prerm}: Respect TOMCAT6_USER and TOMCAT6_GROUP
  as defined in /etc/default/tomcat6 when setting directory permissions and
  authbind configuration (Closes: #581018, LP: #557300)
* debian/tomcat6.postinst: Use group "tomcat6" instead of "adm" for
  permissions in /var/lib/tomcat6, so that group "adm" doesn't get write
  permissions over /var/lib/tomcat6/webapps (LP: #569118)

19. By Thierry Carrez on 2010-03-31

[ Thierry Carrez ]
* Uploading what 6.0.24-5 should be (upload is blocked in Debian due to
  current infrastructure issues), in order to meet Beta2Freeze.

[ Niels Thykier ]
* Added optimised garbage collection options to tomcat6's default options.
  Thanks to Aaron J. Zirbes and Thierry Carrez for research and the patch.
  (Closes: LP: #541520)
* Updated the changelog to mention closed CVE's in the 6.0.24-1 release.
* Applied patch from Arto Jantunen fixing an issue with cleaning up the
  pid-file. (Closes: #574084)

[ Ludovic Claude ]
* debian/tomcat6.postrm: fix removal of Tomcat (Closes: #567548)
* Set UTF-8 as default character encoding - Patch by Thomas Koch
  (Closes: #573539)
* Set the major, minor and build versions when calling Ant
  (Closes: LP: #495505)
* Rebuild with a more recent version of maven-repo-helper which puts
  the javax jars at the correct location in the Maven repository.
  Fixes several FTBFS in other packages.