lp://staging/ubuntu/quantal-security/tomcat7
- Get this branch:
- bzr branch lp://staging/ubuntu/quantal-security/tomcat7
Recent revisions
- 24. By Marc Deslauriers
-
* SECURITY UPDATE: request smuggling attack via content-length headers
- debian/patches/CVE-2013-4286.patch: use long as content length in
java/org/apache/coyote/Request.java, handle multiple content lengths
in java/org/apache/coyote/ajp/AbstractAjpProcessor.java, handle
content length and chunked encoding being both specified in
java/org/apache/coyote/http11/AbstractHttp11Processor.java.
- CVE-2013-4286
* SECURITY UPDATE: denial of service via chunked transfer coding
- debian/patches/CVE-2013-4322.patch: enforce maximum size in
java/org/apache/coyote/http11/{AbstractHttp11Processor.java,
AbstractHttp11Protocol.java, Http11AprProcessor.java,
Http11AprProtocol.java, Http11NioProcessor.java,
Http11NioProtocol.java, Http11Processor.java, Http11Protocol.java},
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,
test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java,
webapps/docs/config/http.xml.
- CVE-2013-4322
* SECURITY UPDATE: denial of service via malformed content-type header
- debian/patches/CVE-2014-0050.patch: validate sizes in
java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java,
java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
- CVE-2014-0050
* d/p/0018-update-test-certificates.patch: remove binary parts to
support newer quilt.
- 23. By Marc Deslauriers
-
* SECURITY UPDATE: FORM authentication request injection
- debian/patches/CVE-2013-2067.patch: properly change session ID
in java/org/apache/catalina/authenticator/FormAuthenticator.java.
- CVE-2013-2067
* SECURITY UPDATE: information leak via AsyncListeners and
RuntimeExceptions (LP: #1178645)
- debian/patches/CVE-2013-2071.patch: catch RuntimeExceptions in
java/org/apache/catalina/core/AsyncContextImpl.java, added tests to
test/org/apache/catalina/core/TestAsyncContextImpl.java.
- CVE-2013-2071
* Fix FTBFS due to expired test certificates:
- d/keystores/*.jks: Newer keystores from upstream 7.0.39.
- d/rules: Install newer keystores for testing, tidy up after use.
- d/p/0018-update-test-certificates.patch: Cherry picked fixes from
upstream VCS to update text based certificates.
- 22. By Marc Deslauriers
-
* SECURITY UPDATE: CSRF bypass via request with no session identifier
- debian/patches/CVE-2012-4431.patch: check for session identifier in
java/org/apache/catalina/filters/CsrfPreventionFilter.java.
- CVE-2012-4431
- 21. By James Page
-
* New upstream point release including several fixes for Java 7
specific issues.
* Refreshed patches.
- 20. By James Page
-
* Re-sync with Debian unstable.
* New upstream release:
- Refreshed patches.
* Enabled Tomcat jdbc-pool module, aligning more closely to upstream and
providing improved multi-threaded performance over commons-dbcp:
- d/rules,d/libtomcat7-java.poms: Install tomcat-dbcp.jar file.
- d/patches/0005-change-default-DBCP-factory-class.patch: Drop patch
which switches the default DBCP factory to commons-dbcp.
- d/NEWS: let users know about this change.
- 19. By Tony Mancill
-
[ Miguel Landaeta ]
* Add Slovak debconf translation (Closes: #677913).
- Thanks to Ivan Masár.
[ James Page ]
* New upstream release.
* Enable test suite during package build:
- d/control: Add junit4, libjstl1.1-java and
libjakarta-taglibs-standard-java to BDI's.
- d/rules:
+ Add ant/junit4 jar files to build classpath.
+ Target java 1.6 to support test suite execution.
+ Specify location of junit jar file.
+ Install jstl jar files to example webapp during build.
+ Conditionally execute test target if required.
+ Purge jar files from example webapp during clean.
* Fix JSTL examples in examples web application:
- d/control: Add dependencies on libjstl1.1-java and
libjakarta-taglibs-standard-java for tomcat7-examples.
- d/tomcat7-examples.links: Add links to jstl and standard jar
files for examples web application.
- d/context/examples.xml: Allow linking to jar files in examples
webapp.
* Fix mapping to javax packages for API jar files:
- d/maven.[rules,publishedRules]: Ensure all javax.[servlet|el] jar files
are published to the correct locations in /usr/share/[maven-repo|java].
- d/libservlet3.0-java.manifest: Update jar file locations for javax
remapping.
- d/libservlet3.0-java.links: Provide backwards compatible links for
deprecated tomcat-*.jar files in /usr/share/java.
[ tony mancill ]
* Set DMUA flag.
- 18. By James Page
-
* Enable test suite during package build:
- d/control: Add junit4, libjstl1.1-java and
libjakarta-taglibs-standard-java to BDI's.
- d/rules:
+ Add ant/junit4 jar files to build classpath.
+ Target java 1.6 to support test suite execution.
+ Specify location of junit jar file.
+ Install jstl jar files to example webapp during build.
+ Conditionally execute test target if required.
+ Purge jar files from example webapp during clean.
* Fix JSTL examples in examples web application:
- d/control: Add dependencies on libjstl1.1-java and
libjakarta-taglibs-standard-java for tomcat7-examples.
- d/tomcat7-examples.links: Add links to jstl and standard jar
files for examples web application.
- d/context/examples.xml: Allow linking to jar files in examples
webapp.
- 17. By James Page
-
* Fix mapping to javax packages for API jar files:
- d/maven.[rules,publishedRules]: Ensure all javax.[servlet|el] jar files
are published to the correct locations in /usr/share/[maven-repo|java].
- d/libservlet3.0-java.manifest: Update jar file locations for javax
remapping.
- d/libservlet3.0-java.links: Provide backwards compatible links for
deprecated tomcat-*.jar files in /usr/share/java.
- 15. By Tony Mancill
-
* Address regression leaving ROOT webapp files after purge.
(Closes: #670440)
* Update copyright year in javadoc to 2012.
Branch metadata
- Branch format:
- Branch format 7
- Repository format:
- Bazaar repository format 2a (needs bzr 1.16 or later)
- Stacked on:
- lp://staging/ubuntu/raring/tomcat7