lp://staging/ubuntu/precise-security/tomcat6

Branch merges

Propose for merging

No branches dependent on this one.

Related source package recipes

No recipes using this branch. (?)

Create packaging recipe

Related snap packages

Related bugs

Related blueprints

51. By Marc Deslauriers on 2015-06-22

* SECURITY UPDATE: HTTP request smuggling or denial of service via
  streaming with malformed chunked transfer encoding (LP: #1449975)
  - debian/patches/CVE-2014-0227.patch: add error flag and improve i18n
    in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
    java/org/apache/coyote/http11/filters/LocalStrings.properties.
  - CVE-2014-0227
* SECURITY UPDATE: denial of service via aborted upload attempts
  (LP: #1449975)
  - debian/patches/CVE-2014-0230.patch: limit amount of data in
    java/org/apache/coyote/Constants.java,
    java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
    java/org/apache/coyote/http11/filters/IdentityInputFilter.java,
    java/org/apache/coyote/http11/filters/LocalStrings.properties,
    webapps/docs/config/systemprops.xml.
  - CVE-2014-0230
* SECURITY UPDATE: SecurityManager bypass via Expression Language
  - debian/patches/CVE-2014-7810.patch: handle classes that may not be
    accessible but have accessible interfaces in
    java/javax/el/BeanELResolver.java, remove unnecessary code in
    java/org/apache/jasper/runtime/PageContextImpl.java,
    java/org/apache/jasper/security/SecurityClassLoad.java.
  - CVE-2014-7810

50. By Marc Deslauriers on 2014-07-24

* SECURITY UPDATE: denial of service via malformed chunk size
  - debian/patches/CVE-2014-0075.patch: fix overflow in
    java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
  - CVE-2014-0075
* SECURITY UPDATE: file disclosure via XXE issue
  - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a
    relative path in conf/web.xml,
    java/org/apache/catalina/servlets/DefaultServlet.java,
    java/org/apache/catalina/servlets/LocalStrings.properties,
    webapps/docs/default-servlet.xml.
  - CVE-2014-0096
* SECURITY UPDATE: HTTP request smuggling attack via crafted
  Content-Length HTTP header
  - debian/patches/CVE-2014-0099.patch: correctly handle long values in
    java/org/apache/tomcat/util/buf/Ascii.java.
  - CVE-2014-0099

49. By Marc Deslauriers on 2014-03-04

* SECURITY UPDATE: request smuggling attack via content-length headers
  - debian/patches/CVE-2013-4286.patch: handle multiple content lengths
    in java/org/apache/coyote/ajp/AbstractAjpProcessor.java,
    java/org/apache/coyote/ajp/AjpProcessor.java, handle content length
    and chunked encoding being both specified in
    java/org/apache/coyote/http11/Http11AprProcessor.java,
    java/org/apache/coyote/http11/Http11NioProcessor.java,
    java/org/apache/coyote/http11/Http11Processor.java.
  - CVE-2013-4286
* SECURITY UPDATE: denial of service via chunked transfer coding
  - debian/patches/CVE-2013-4322.patch: limit length of extension data in
    java/org/apache/coyote/Constants.java,
    java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
    webapps/docs/config/systemprops.xml.
  - CVE-2013-4322
* SECURITY UPDATE: session fixation attack via crafted URL
  - debian/patches/CVE-2014-0033.patch: properly handle
    disableURLRewriting in
    java/org/apache/catalina/connector/CoyoteAdapter.java.
  - CVE-2014-0033

48. By Marc Deslauriers on 2013-05-21

* SECURITY UPDATE: denial of service via chunked transfer encoding
  - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests
    in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
  - CVE-2012-3544
* SECURITY UPDATE: FORM authentication request injection
  - debian/patches/CVE-2013-2067.patch: properly change session ID
    in java/org/apache/catalina/authenticator/FormAuthenticator.java.
  - CVE-2013-2067

47. By Marc Deslauriers on 2013-01-10

* SECURITY UPDATE: security-constraint bypass with FORM auth
  - debian/patches/CVE-2012-3546.patch: remove unneeded code in
    java/org/apache/catalina/realm/RealmBase.java.
  - CVE-2012-3546
* SECURITY UPDATE: CSRF bypass via request with no session identifier
  - debian/patches/CVE-2012-4431.patch: check for session identifier in
    java/org/apache/catalina/filters/CsrfPreventionFilter.java.
  - CVE-2012-4431
* SECURITY UPDATE: denial of service with NIO connector
  - debian/patches/CVE-2012-4534.patch: properly handle connection breaks
    in java/org/apache/tomcat/util/net/NioEndpoint.java.
  - CVE-2012-4534

46. By Marc Deslauriers on 2012-11-21

* SECURITY UPDATE: denial of service via large header data
  - debian/patches/0012-CVE-2012-2733.patch: improve size logic in
    java/org/apache/coyote/http11/InternalNioInputBuffer.java.
  - CVE-2012-2733
* SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws
  - debian/patches/0013-CVE-2012-588x.patch: disable caching of an
    authenticated user in the session by default, track server rather
    than client nonces, better handling of stale nonce values in
    java/org/apache/catalina/authenticator/DigestAuthenticator.java.
  - CVE-2012-3439
  - CVE-2012-5885
  - CVE-2012-5886
  - CVE-2012-5887

45. By James Page on 2012-04-11

* Handle creation of user instances with pathnames containing spaces
  (LP: #977498):
  - d/tomcat6-instance-create: Quote access to files and directories
    so that spaces can be used when creating user instances.

44. By Timo Aaltonen on 2012-03-16

init: Make NAME dynamic, to allow starting multiple instances.

43. By Marc Deslauriers on 2012-02-13

debian/patches/0011-CVE-2012-0022-regression-fix.patch: fix regression
from the CVE-2012-0022 security fix that went into 6.0.35.

42. By Tony Mancill on 2011-12-12

[ Miguel Landaeta ]
* New upstream release.
* Add myself to Uploaders.
* Remove 0013-CVE-2011-3190.patch since it was included upstream.
* Add mh_clean call in clean target.
* Fix error in debian/rules that caused tomcat to report no version.
  Thanks to Jorge Barreiro for the patch. (Closes: #650656).

[ tony mancill ]
* Update Vcs-* fields in debian/control for switch to git.
* Update to run with openjdk-7 and openjdk-6 when not default-jdk is
  not present. (Closes: #651448)
* Allow java?-runtime-headless to satisfy Depends.
* Add myself to Uploaders.