tomcat7 (7.0.56-3+deb8u10) jessie-security; urgency=high * Team upload. * Fix the following security vulnerabilities: - CVE-2017-5647: A bug in the handling of the pipelined requests when send file was used resulted in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C. - CVE-2017-5648: It was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application. -- Markus Koschany Sun, 30 Apr 2017 21:21:29 +0200 tomcat7 (7.0.56-3+deb8u9) jessie-security; urgency=high * Team upload. * Add BZ57544-infinite-loop-part2.patch. Fix regression due to an incomplete fix for CVE-2017-6056. See #854551 for further information. -- Markus Koschany Sat, 18 Feb 2017 19:16:13 +0100 tomcat7 (7.0.56-3+deb8u8) jessie-security; urgency=high * Team upload. * Add BZ57544-infinite-loop.patch: It was found that https GET requests could trigger an infinite loop and thus cause a denial-of-service. (Closes: #854551) -- Markus Koschany Mon, 13 Feb 2017 10:16:57 +0100 tomcat7 (7.0.56-3+deb8u7) jessie-security; urgency=high * Fixed CVE-2016-8745: A bug in the error handling of the send file code for the NIO HTTP connector resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. -- Emmanuel Bourg Thu, 05 Jan 2017 18:15:56 +0100 tomcat7 (7.0.56-3+deb8u6) jessie-security; urgency=high * Fixed CVE-2016-9774: Potential privilege escalation when the tomcat7 package is upgraded. Thanks to Paul Szabo for the report (see #845393) * Fixed CVE-2016-9775: Potential privilege escalation when the tomcat7 package is purged. Thanks to Paul Szabo for the report (see #845385) * Fixed CVE-2016-6816: The code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own. * Fixed CVE-2016-8735: The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability. This issue has been rated as important rather than critical due to the small number of installations using this listener and that it would be highly unusual for the JMX ports to be accessible to an attacker even when the listener is used. * Backported the fix for upstream bug 57377: Remove the restriction that prevented the use of SSL when specifying a bind address for the JMX/RMI server. Enable SSL to be configured for the registry as well as the server. * CVE-2016-5018 follow-up: Applied a missing modification fixing a ClassNotFoundException when the security manager is enabled (Closes: #846298) * CVE-2016-6797 follow-up: Fixed a regression preventing some applications from accessing the global resources (Closes: #845425) * CVE-2015-5345 follow-up: Added a missing modification enabling the use of the mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled attributes on a context. * Backported a fix for a test failure in Test*NonLoginAndBasicAuthenticator with recent JREs * Refreshed the expired SSL certificates used by the tests * Set the locale when running the tests to prevent locale sensitive tests from failing * Fixed a test failure in the new TestNamingContext test added with the fix for CVE-2016-6797 * Fixed a test failure in TestResourceBundleELResolver * Reduced the verbosity of the tests -- Emmanuel Bourg Fri, 09 Dec 2016 17:54:59 +0100 tomcat7 (7.0.56-3+deb8u5) jessie-security; urgency=high * Fixed CVE-2016-0762: The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. (Closes: #842662) * Fixed CVE-2016-5018: A malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (Closes: #842663) * Fixed CVE-2016-6794: When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (Closes: #842664) * Fixed CVE-2016-6796: A malicious web application was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (Closes: #842665) * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (Closes: #842666) * CVE-2016-1240 follow-up: - The previous init.d fix was vulnerable to a race condition that could be exploited to make any existing file writable by the tomcat user. Thanks to Paul Szabo for the report and the fix. - The catalina.policy file generated on startup was affected by a similar vulnerability that could be exploited to overwrite any file on the system. Thanks to Paul Szabo for the report. * Hardened the init.d script, thanks to Paul Szabo -- Emmanuel Bourg Sat, 12 Nov 2016 00:06:36 +0100 tomcat7 (7.0.56-3+deb8u4) jessie-security; urgency=high * Team upload. * Fix CVE-2016-1240: tomcat7.init: Protect /var/log/tomcat7/catalina.out against symlink attacks and a possible root privilege escalation. * Do not unconditionally override files in /etc/tomcat7. Change file permissions to 640 for Debian files in /etc/tomcat7/* (Closes: #821391) -- Markus Koschany Mon, 15 Aug 2016 17:58:07 +0200 tomcat7 (7.0.56-3+deb8u3) jessie-security; urgency=high * Fixed CVE-2016-3092: Denial-of-Service vulnerability with file uploads -- Emmanuel Bourg Wed, 22 Jun 2016 11:48:45 +0200 tomcat7 (7.0.56-3+deb8u2) jessie-security; urgency=high * Team upload. * Fix CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. * Fix CVE-2015-5345: The Mapper component in Apache Tomcat processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. * Fix CVE-2015-5346: Session fixation vulnerability in Apache Tomcat when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java. * Fix CVE-2015-5351: The Manager and Host Manager applications in Apache Tomcat establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. * Fix CVE-2016-0706: Apache Tomcat does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. * Fix CVE-2016-0714: The session-persistence implementation in Apache Tomcat mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. * Fix CVE-2016-0763: The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. -- Markus Koschany Sat, 16 Apr 2016 09:10:22 +0000 tomcat7 (7.0.56-3+deb8u1) jessie-security; urgency=medium * Fixed CVE-2014-7810: Malicious web applications could use expression language to bypass the protections of a Security Manager as expressions were evaluated within a privileged code section. -- Emmanuel Bourg Fri, 18 Dec 2015 12:42:53 +0100 tomcat7 (7.0.56-3) unstable; urgency=medium * Provide a fix for #780519 more clear/maintainable and with an approach similar to used one by Emmanuel to fix an issue similar in stable in the past. -- Miguel Landaeta Sat, 28 Mar 2015 13:14:04 -0300 tomcat7 (7.0.56-2) unstable; urgency=medium * Fix FTBFS error by making sure SSL unit tests use TLS protocols. - SSLv3 and previous protocols are not secure and deprecated in JDK7. - Additionally, some X509 certificates provided by upstream expired and were causing failures in unit tests as well, so they were regenerated. (Closes: #780519). * Fix FTBFS error by disabling some unit tests that depends on having network access. -- Miguel Landaeta Thu, 26 Mar 2015 00:15:03 -0300 tomcat7 (7.0.56-1) unstable; urgency=medium * New upstream release * Install the extra jar catalina-jmx-remote.jar (Closes: #719921) * Removed the note about the authbind IPv6 incompatibility in /etc/defaults/tomcat7 * Added the SimpleInstanceManager class from Tomcat 8 to help integrating the JSP compiler into Jetty 8 -- Emmanuel Bourg Mon, 06 Oct 2014 10:25:48 +0200 tomcat7 (7.0.55-1) unstable; urgency=medium * New upstream release * Refreshed the patches -- Emmanuel Bourg Tue, 29 Jul 2014 17:25:50 +0200 tomcat7 (7.0.54-2) unstable; urgency=medium [ Emmanuel Bourg ] * debian/defaults.template: Bumped the required version of Java mentioned in the comment on the JAVA_HOME variable * debian/tomcat7.init: Search for OpenJDK 8 and Oracle JDKs when starting the server (Closes: #714349) * Updated the version required for libtcnative-1 (>= 1.1.30) (Closes: #750454) -- tony mancill Sat, 14 Jun 2014 08:09:02 -0700 tomcat7 (7.0.54-1) unstable; urgency=medium * New upstream release * Refreshed the patches * Use XZ compression for the upstream tarball -- Emmanuel Bourg Thu, 22 May 2014 10:27:10 +0200 tomcat7 (7.0.53-1) unstable; urgency=low * New upstream release. * Refresh patches: - debian/patches/0011-fix-classpath-lintian-warnings.patch. - debian/patches/0015_disable_test_TestCometProcessor.patch. * Add new patch: - Disabled Java 8 support in JSPs (requires an Eclipse compiler update). * Update my email address in Uploaders list. -- Miguel Landaeta Thu, 01 May 2014 23:33:35 -0300 tomcat7 (7.0.52-1) unstable; urgency=low * Team upload. * New upstream release. - Addresses security issue: CVE-2014-0050 -- Gianfranco Costamagna Wed, 19 Feb 2014 14:09:48 +0100 tomcat7 (7.0.50-1) unstable; urgency=medium * New upstream release. -- James Page Tue, 14 Jan 2014 18:09:28 +0000 tomcat7 (7.0.47-1) unstable; urgency=low [ Gianfranco Costamagna ] * Team upload. * New upstream release, patch refresh. * Renamed patch fix-manager-webapp.path to fix-manager-webapp.patch (extension typo). * Refresh patches for upstream release. * Removed -Djava.net.preferIPv4Stack=true from init script (lp: #1088681), thanks Hendrik Haddorp. * Added webapp manager path patch (lp: #1128067) thanks TJ. [ tony mancill ] * Bump Standards-Version to 3.9.5. * Change copyright year in javadocs to 2013. * Add patch to include the distribution name in error pages. (Closes: #729840) -- tony mancill Tue, 24 Dec 2013 16:46:34 +0000 tomcat7 (7.0.42-1) unstable; urgency=low [ Gianfranco Costamagna ] * Team upload. * New upstream release. * Added libhamcrest-java >= 1.3 as build-dep, tweaked debian/rules. * Bumped compat level to 9. * Removed some version checks, newer releases already in oldstable. * Refresh patches. * debian/control: changed Vcs-Git and Vcs-Browser fields, now they are canonical. * Fixed error message in Tomcat init script, patch by Thijs Kinkhorst (Closes: #714348) -- Gianfranco Costamagna Tue, 16 Jul 2013 17:34:58 +0200 tomcat7 (7.0.41-1) unstable; urgency=low * New upstream release (Closes: #712978). * Refresh patches. * Added version check for libtcnative-1 (Closes: #712638, lp: #1092548) -- Gianfranco Costamagna Wed, 19 Jun 2013 18:06:49 +0200 tomcat7 (7.0.40-2) unstable; urgency=low * Fix deployment of POMs for libservlet-3.0-java JARs into javax coordinates. - JARs were deployed into maven-repo, but not POMs. * Fix servlet-api groupId in d/javaxpoms/jsp-api.pom. -- Jakub Adam Thu, 16 May 2013 17:35:52 +0200 tomcat7 (7.0.40-1) unstable; urgency=low * New upstream release. - Addresses security issue: CVE-2013-2071 * Refresh patches: - 0015_disable_test_TestCometProcessor.patch -- Miguel Landaeta Fri, 10 May 2013 19:10:36 -0300 tomcat7 (7.0.39-1) unstable; urgency=low * Upload to unstable for jessie release cycle. -- tony mancill Mon, 06 May 2013 17:41:19 -0700 tomcat7 (7.0.39-1~exp1) experimental; urgency=low * New upstream release. * Refresh patches: - 0009-Use-java.security.policy-file-in-catalina.sh.patch * Remove patches included in the upstream release: - 0016_upstream_bug_54440.patch * Bump Standards-Version to 3.9.4. No changes were required. * Remove obsolete DM-Upload-Allowed field. -- Miguel Landaeta Sun, 31 Mar 2013 21:15:42 -0300 tomcat7 (7.0.35-1~exp2) experimental; urgency=low * Switch from Commons DBCP to Tomcat JDBC Pool as default connection pool implementation (Closes: #701023). -- James Page Sun, 24 Feb 2013 22:08:22 +0000 tomcat7 (7.0.35-1~exp1) experimental; urgency=low * New upstream version 7.0.35 * Add patch to disable TestCometProcessor.testConnectionClose(). This test fails consistently (although the Comet processor appears to function correctly). * Add patch for upstream bug 54440 (JSP compilation) -- tony mancill Sun, 03 Feb 2013 14:57:15 -0800 tomcat7 (7.0.34-1~exp1) experimental; urgency=low * Upload to experimental (Vcs-Git branch is exp/master.) * New upstream version 7.0.34 * remove patches included in the upstream release - cve-2012-3439.patch - cve-2012-3439-tests.patch - 0016-CVE-2012-4431.patch - 0017-CVE-2012-3546.patch * refresh patches * add /usr/lib/jvm/java-7-oracle to JDK search path - Thanks to Nuno Afonso. (Closes: #679012) * add log compression to logrotate cronjob via defaults file - Thanks to Thijs Kinkhorst. (Closes: #696944) * add distinct javax poms to install JARs using both Tomcat and javax coordinates (Closes: #691773) * update catalina.properties to expand ${catalina.home} instead of referencing /var/lib/tomcat7 explicitly. - Thanks to H.-Dirk Schmidt (Closes: #691865) -- tony mancill Tue, 01 Jan 2013 19:01:12 -0800 tomcat7 (7.0.28-4) unstable; urgency=high * Acknowledge NMU: 7.0.28-3+nmu1 (Closes: #692440) - Thank you to Michael Gilbert. * Add patches for the following security issues: (Closes: #695251) - CVE-2012-4431, CVE-2012-3546 -- tony mancill Thu, 06 Dec 2012 22:25:07 -0800 tomcat7 (7.0.28-3+nmu1) unstable; urgency=high * Non-maintainer upload. * Fix cve-2012-3439: multiple replay attack issues in digest authentication. (closes: #692440) -- Michael Gilbert Sun, 18 Nov 2012 01:40:30 +0000 tomcat7 (7.0.28-3) unstable; urgency=low [ Miguel Landaeta ] * Fix small typo in README.Debian. [ tony mancill ] * Use ucf and a template for /etc/logrotate.d/tomcat6 file to avoid updating the shipped conffile. (Closes: #688936) -- tony mancill Thu, 27 Sep 2012 10:55:35 -0700 tomcat7 (7.0.28-2) unstable; urgency=low [ Jakub Adam ] * Ensure webapps/examples/WEB-INF/lib exists before files are copied there. * Fix FTBFS when user home dir doesn't exist (Closes: #680844). [ tony mancill ] * Fix build to generate postrm from postrm.in (Closes: #681160) -- tony mancill Tue, 10 Jul 2012 17:29:30 -0700 tomcat7 (7.0.28-1) unstable; urgency=low [ Miguel Landaeta ] * Add Slovak debconf translation (Closes: #677913). - Thanks to Ivan Masár. [ James Page ] * New upstream release. * Enable test suite during package build: - d/control: Add junit4, libjstl1.1-java and libjakarta-taglibs-standard-java to BDI's. - d/rules: + Add ant/junit4 jars files to build classpath. + Target java 1.6 to support test suite exection. + Specify location of junit jar file. + Install jstl jar files to example webapp during build. + Conditionally execute test target if required. + Purge jar files from example webapp during clean. * Fix JSTL examples in examples web application: - d/control: Add dependencies on libjstl1.1-java and libjakarta-taglibs-standard-java for tomcat7-examples. - d/tomcat7-examples.links: Add links to jstl and standard jar files for examples web application. - d/context/examples.xml: Allow linking to jar files in examples webapp. * Fix mapping to javax packages for API jar files: - d/maven.[rules,publishedRules]: Ensure all javax.[servlet|el] jar files are published to the correct locations in /usr/share/[maven-repo|java]. - d/libservlet3.0-java.manifest: Update jar file locations for javax remapping. - d/libservlet3.0-java.links: Provide backwards compatible links for deprecated tomcat-*.jar files in /usr/share/java. [ tony mancill ] * Set DMUA flag. -- tony mancill Fri, 22 Jun 2012 07:06:46 -0700 tomcat7 (7.0.27-1) unstable; urgency=low * New upstream release. -- tony mancill Thu, 07 Jun 2012 22:43:21 -0700 tomcat7 (7.0.26-4) unstable; urgency=low * Address regression leaving ROOT webapp files after purge. (Closes: #670440) * Update copyright year in javadoc to 2012. -- tony mancill Mon, 28 May 2012 18:45:07 -0700 tomcat7 (7.0.26-3) unstable; urgency=low * Team upload. * Apply patches provided by James Page (Closes: #671370) - d/patches/0012-java7-compat.patch: Added compatibility patch to support compilation with openjdk-7 as default-jdk (LP: #889002). - d/default_root/index.html: Fixup instructions for enabling manager web application access (LP: #910368). * Fix README.Debian symlink; file is not compressed. (Closes: #674119) -- tony mancill Wed, 23 May 2012 22:13:23 -0700 tomcat7 (7.0.26-2) unstable; urgency=low [ tony mancill ] * Add Turkish debconf translation. (Closes: #664683) - Thanks to Atila KOÇ * Add patch to tomcat7-instance-create to handle paths with spaces. - Thanks to James Page. (Closes: #668362) * Remove /etc/authbind/byuid, /etc/authbind in postrm. Update md5sum for default webapps root files. (Closes: #670440) [ Jakub Adam ] * Update OSGi metadata, use jh_manifest for modifying MANIFEST.MF. -- tony mancill Thu, 26 Apr 2012 20:59:52 -0700 tomcat7 (7.0.26-1) unstable; urgency=low [ Jakub Adam ] * New upstream release. * Add Jakub Adam to Uploaders. * Bump Standards-Version to 3.9.3. * Don't Depend libservlet3.0-java-doc on package it documents, relax to Suggests. [ tony mancill ] * Add Polish debconf translation. (Closes: #661644) - Thanks to Michał Kułach. -- tony mancill Thu, 01 Mar 2012 21:22:50 -0800 tomcat7 (7.0.23-2) unstable; urgency=low * Add nl.po debconf translation (Closes: #651162) - Thanks to Jeroen Schot * Add java6-runtime-headless | java6-runtime to tomcat7-common Depends (Closes: #660757) * Remove java-5-runtime from tomcat7-common Depends; tomcat7 requires Java 1.6 according to http://tomcat.apache.org/whichversion.html. Also remove Java 1.5 paths from JDK path search in init script. * Update init script to locate multiarch OpenJDKs (Closes: #651487) * Apply patch to report build versions as a.b.c.d (Closes: #651492) - Thanks to Jorge Barreiro González * Bump Standards-Version to 3.9.3. -- tony mancill Sun, 26 Feb 2012 22:55:33 -0800 tomcat7 (7.0.23-1) unstable; urgency=low * New upstream release. * Refresh patches. -- Miguel Landaeta Sun, 27 Nov 2011 19:44:37 -0430 tomcat7 (7.0.22-1) unstable; urgency=low [ Miguel Landaeta ] * New upstream release. * Fix lintian warning about format specification of copyright file. [ tony mancill ] * Add dependency on JRE to tomcat7-common (Closes: #644340) * Modify init script to look for JVM in /usr/lib/jvm/default-java -- tony mancill Sat, 08 Oct 2011 21:58:41 -0700 tomcat7 (7.0.21-1) unstable; urgency=low * New upstream release. - Includes fix for CVE-2011-3190. * Updated my email address. -- James Page Wed, 07 Sep 2011 09:45:29 +0100 tomcat7 (7.0.19-1) unstable; urgency=high (security) * Team upload. * New upstream release. - Includes fix for CVE-2011-2526 (Closes: #634992) * Remove patch for CVE-2011-2204 (included upstream). -- tony mancill Mon, 25 Jul 2011 22:58:33 -0700 tomcat7 (7.0.16-3) unstable; urgency=low * Team upload. * Correct Suggests: for libtcnative-1 (tomcat-native) * Add patch for CVE-2011-2204 (Closes: #632882) -- tony mancill Wed, 06 Jul 2011 21:55:39 -0700 tomcat7 (7.0.16-2) unstable; urgency=low * Restore tomcat-juli.jar link in /usr/share/tomcat7/bin. Thank you to Kristof Csillag for the bug report. (Closes: #631667) -- tony mancill Sun, 26 Jun 2011 08:13:33 -0700 tomcat7 (7.0.16-1) unstable; urgency=low [ Miguel Landaeta ] * New upstream release. * Add missing deps and symlinks for commons-pool ands commons-dbcp jars. [ tony mancill ] * Add logrotate file for catalina.out. * Add build-arch target to debian/rules. -- tony mancill Thu, 23 Jun 2011 20:26:29 -0700 tomcat7 (7.0.14-1) unstable; urgency=low * Team upload. * New upstream release. Thank you to Ernesto Hernández-Novich for providing the basis of this packaging. -- tony mancill Tue, 17 May 2011 21:10:22 -0700 tomcat6 (6.0.32-4) UNRELEASED; urgency=low * Team upload. * Add Italian debconf translation. Thanks to Dario Santamaria (Closes: #624376) -- tony mancill Thu, 28 Apr 2011 20:17:30 -0700 tomcat6 (6.0.32-3) unstable; urgency=low * Team upload. * Include upstream patch for ASF Bugzilla - Bug 50700 (Context parameters are being overridden with parameters from the web application deployment descriptor) (Closes: #623242) -- tony mancill Mon, 18 Apr 2011 20:38:29 -0700 tomcat6 (6.0.32-2) unstable; urgency=low * Team upload. [ tony mancill ] * Patch debian/tomcat6-instance-create (LP: #707405) tomcat6-instance-create should accept -1 as the value of -c option as per http://tomcat.apache.org/tomcat-6.0-doc/config/server.html Thanks to Dave Walker. (Closes: #617553) * Move tomcat6-instance-create manpage from section 2 to section 8. Thanks to brian m. carlson (Closes: #607682) * Add tomcat6-extras package. Currently includes only catalina-jmx-remote.jar (Closes: #614333) [ Thierry Carrez ] * debian/tomcat6-instance-create: Eclipse can now be configured to use a user instance of tomcat6 using tomcat6-instance-create without any additional work. Patch from Abhinav Upadhyay (Closes: #551091, LP: #297675) -- tony mancill Sun, 03 Apr 2011 21:16:08 -0700 tomcat6 (6.0.32-1) unstable; urgency=low * Team upload. * New upstream release * Remove following patches applied upstream: CVE-2010-4172, CVE-2011-0534, CVE-2010-3718, CVE-2011-0013, 0009-allow-empty-PID-file.patch * Adjust 0004-split-deploy-webapps-target-from-deploy-target.patch -- tony mancill Tue, 15 Feb 2011 22:41:42 -0800 tomcat6 (6.0.28-10) unstable; urgency=medium * Team upload. * Add Portuguese/Brazilian debconf translation. Thanks to José de Figueiredo (Closes: #608527) * Add patches for CVE-2011-0534, CVE-2010-3718, CVE-2011-0013 (Closes: #612257) -- tony mancill Wed, 09 Feb 2011 21:49:33 -0800 tomcat6 (6.0.28-9) unstable; urgency=medium * Team upload. * Update URL for manager application in README.Debian Thanks to Ernesto Ongaro (Closes: #606170) * Add patch for CVE-2010-4172. (Closes: #606388) -- tony mancill Thu, 09 Dec 2010 22:52:08 -0800 tomcat6 (6.0.28-8) unstable; urgency=low * Team upload. [ Thierry Carrez (ttx) ] * Do not fail to purge if /etc/tomcat6 was manually removed (LP: #648619) * Add missing -p option in start-stop-daemon when starting tomcat6 to avoid failing to start due to /bin/bash running (LP: #632554) * Fix build failure (missing TraXLiaison class) by adding ant-nodeps to the classpath. [ tony mancill ] * Use debconf to determine tomcat6 user and group to delete upon purge. Thanks to Misha Koshelev. (Closes: #599458) * Add tomcat-native to Suggests: for tomcat6 binary package. Thanks to Eddy Petrisor (Closes: #600590) * Add Danish debconf template translation. Thanks to Joe Dalton (Closes: #605070) * Actually add the Czech debconf template translation. Thanks this time to Christian PERRIER (Closes: #597863) -- tony mancill Sat, 04 Dec 2010 17:20:11 -0800 tomcat6 (6.0.28-7) unstable; urgency=low * Team upload. * Add Czech debconf template translation. Thanks to Michal Simunek. (Closes: #597863) * Add Spanish debconf template translation. Thanks to Javier Fernández-Sanguino (Closes: #599230) * Modify postinst to handle JAVA_OPTS strings containing the '/' character. This was causing upgrade failures for users. (Closes: #597814) -- tony mancill Wed, 06 Oct 2010 14:40:19 -0700 tomcat6 (6.0.28-6) unstable; urgency=low * Team upload. * Add Japanese debconf template translation. Thanks to Hideki Yamane. (Closes: #595460) * Add Russian debconf template translation. Thanks to Yuri Kozlov. (Closes: #592627) * Add Portuguese debconf template translation. Thanks to Américo Monteiro. (Closes: #592655) * Add Swedish debconf template translation. Thanks to Martin Bagge. (Closes: #593676) * Add German debconf template translation. Thanks to Holger Wansing. (Closes: #593200) -- tony mancill Fri, 17 Sep 2010 21:30:27 -0700 tomcat6 (6.0.28-5) unstable; urgency=low * Team upload. [Thierry Carrez (ttx)] * Check for group existence to avoid postinst failure (LP: #611721) [tony mancill] * Add French debconf template translation. Thanks to Steve Petruzzello. (Closes: #594313) -- tony mancill Thu, 02 Sep 2010 21:49:08 -0700 tomcat6 (6.0.28-4) unstable; urgency=medium * Ignore most errors during purge. (Closes: #591867) * Add po-debconf support. -- Torsten Werner Fri, 06 Aug 2010 04:08:40 +0200 tomcat6 (6.0.28-3) unstable; urgency=low * UNRELEASED * Fix filename of /etc/tomcat6/tomcat-users in README.Debian. Thanks to Olivier Berger. (Closes: #590085) -- Torsten Werner Fri, 23 Jul 2010 23:36:49 +0200 tomcat6 (6.0.28-2) unstable; urgency=low * Add debconf questions for user, group and Java options. * Use ucf to install /etc/default/tomcat6 from a template * Drop CATALINA_BASE and CATALINA_HOME from /etc/default/tomcat6 since we shouldn't encourage users to change those anyway -- Thierry Carrez Tue, 20 Jul 2010 14:36:48 +0200 tomcat6 (6.0.28-1) unstable; urgency=low [ Niels Thykier ] * Removed depends on JREs for the library packages. It is no longer required by the policy. [ Torsten Werner ] * New upstream release (Closes: #588813) - Fixes CVE-2010-2227: DoS and information disclosure * Remove 2 patches that were backports to 6.0.26. -- Torsten Werner Mon, 19 Jul 2010 18:22:52 +0200 tomcat6 (6.0.26-5) unstable; urgency=medium * Convert patches to dep3 format. * Backport security fix from trunk to fix CVE-2010-1157. (Closes: #587447) * Set urgency to medium due to the security fix. -- Torsten Werner Mon, 28 Jun 2010 21:41:31 +0200 tomcat6 (6.0.26-4) unstable; urgency=low [ Thierry Carrez ] * Fix issues preventing from running Tomcat6 with a security manager: - debian/tomcat6.init: Remove duplicate securitymanager options. - debian/patches/catalina-sh-security-manager.patch: Use the right location for the security.policy file in catalina.sh. - Closes: #585379, LP: #591802. Thanks to Jeff Turner for the original patches and to Adam Guthrie for the Lucid debdiff. * Allow binding to any interface when using authbind, rather than only allow binding to all (LP: #594989) * Force backgrounding of catalina.sh in start-stop-daemon, to allow the init script to be started through ssh -t (LP: #588481) [ Torsten Werner ] * Remove Paul from Uploaders list. -- Thierry Carrez Thu, 24 Jun 2010 15:55:10 +0200 tomcat6 (6.0.26-3) unstable; urgency=low [ Marcus Better ] * Apply upstream fix for deadlock in WebappClassLoader. (Closes: #583896) [ Thierry Carrez ] * debian/tomcat6.{install,postinst}: Do not store the default root webapp in /usr/share/tomcat6/webapps as it increases confusion on what this directory contains (and its relation with /var/lib/tomcat6/webapps). Store it inside /usr/share/tomcat6-root instead (LP: #575303). -- Marcus Better Mon, 31 May 2010 15:50:57 +0200 tomcat6 (6.0.26-2) unstable; urgency=low * debian/tomcat6.{postinst,prerm}: Respect TOMCAT6_USER and TOMCAT6_GROUP as defined in /etc/default/tomcat6 when setting directory permissions and authbind configuration (Closes: #581018, LP: #557300) * debian/tomcat6.postinst: Use group "tomcat6" instead of "adm" for permissions in /var/lib/tomcat6, so that group "adm" doesn't get write permissions over /var/lib/tomcat6/webapps (LP: #569118) -- Thierry Carrez Fri, 21 May 2010 13:51:15 +0200 tomcat6 (6.0.26-1) unstable; urgency=low * New upstream version * Apply patch from Mark Scott to fix tomcat6-instance-create which failed when multiple commandline options are provided, fix creation of FULLPATH (Closes: #575580) -- Ludovic Claude Wed, 21 Apr 2010 23:07:09 +0100 tomcat6 (6.0.24-5) unstable; urgency=low * Added optimised garbage collection options to tomcat6's default options. Thanks to Aaron J. Zirbes and Thierry Carrez for research and the patch. (Closes: LP: #541520) * Updated the changelog to mention closed CVE's in the 6.0.24-1 release. * Applied patch from Arto Jantunen fixing an issue with cleaning up the pid-file. (Closes: #574084) -- Niels Thykier Thu, 25 Mar 2010 23:45:32 +0100 tomcat6 (6.0.24-4) unstable; urgency=low * debian/tomcat6.postrm: fix removal of Tomcat (Closes: #567548) * Set UTF-8 as default character encoding - Patch by Thomas Koch (Closes: #573539) -- Ludovic Claude Thu, 11 Mar 2010 23:45:34 +0100 tomcat6 (6.0.24-3) unstable; urgency=medium * Set the major, minor and build versions when calling Ant (Closes: LP: #495505) * Rebuild with a more recent version of maven-repo-helper which puts the javax jars at the correct location in the Maven repository. Fixes several FTBFS in other packages. -- Ludovic Claude Wed, 03 Mar 2010 00:10:15 +0100 tomcat6 (6.0.24-2) unstable; urgency=low * Fix missing symlinks to tomcat-coyote.jar and catalina-tribes.jar causing NoClassDefFoundException at startup (last minute packaging change, sorry) (Closes: #570220) * tomcat6-admin, tomcat6-examples and tomcat6-docs now depend on tomcat6-common instead of tomcat6, this allow users to install those packages without requiring tomcat6 and its automatic startup scripts being present. tomcat-users can be installed instead and allow full control over when Tomcat is started or stopped. -- Ludovic Claude Wed, 17 Feb 2010 22:59:21 +0100 tomcat6 (6.0.24-1) unstable; urgency=low [ Ludovic Claude ] * New upstream version - Fixes Directory traversal vulnerability (CVE-2009-2693,CVE-2009-2902) - Fixes Autodeployment vulnerability (CVE-2009-2901) * Update the POM files for the new version of Tomcat * Bump up Standards-Version to 3.8.4 * Refresh patches deploy-webapps-build-xml.patch and var_loaders.patch * Remove patch fix_context_name.patch as it has been applied upstream * Fix the installation of servlet-api-2.5.jar: the jar goes to /usr/share/java as in older versions (6.0.20-2) and links to the jar are added to /usr/share/maven-repo * Moved NEWS.Debian into README.Debian * Add a link from /usr/share/doc/tomcat6-common/README.Debian to /usr/share/doc/tomcat6/README.Debian to include a minimum of documentation in the tomcat6 package and add some useful notes. (Closes: #563937, #563939) * Remove poms from the Debian packaging, use upstream pom files [ Jason Brittain ] * Fixed a bug in the init script: When a start fails, the PID file was being left in place. Now the init script makes sure it is deleted. * Fixed a packaging bug that results in the ROOT webapp not being properly installed after an uninstall, then a reinstall. * control: Corrected a couple of comments (no functional change). -- Ludovic Claude Tue, 09 Feb 2010 23:06:51 +0100 tomcat6 (6.0.20-dfsg1-2) unstable; urgency=low * JSVC is no longer used by the package. Instead, the init script invokes the stock catalina.sh script. * Authbind is now the standard method for binding Tomcat to ports lower than 1024 (when using IPv4). * The security manager now defaults to the disabled state, and is commented that way in /etc/default/tomcat6. * Reliable restarts are now implemented in the init script. (Closes: #561559) * Tomcat now sends STDOUT and STDERR to its usual, stock log file CATALINA_BASE/logs/catalina.out (/var/log/tomcat6/catalina.out in this package's case. -- Jason Brittain Wed, 27 Jan 2010 01:08:57 +0000 tomcat6 (6.0.20-dfsg1-1) unstable; urgency=low * Fix debian/orig-tar.sh to exclude binary only standard.jar and jstl.jar. (Closes: #528119) * Upload a cleaned tarball. * Add ${misc:Depends} in debian/control. -- Torsten Werner Sat, 23 Jan 2010 19:40:38 +0100 tomcat6 (6.0.20-9) unstable; urgency=low * Fix spelling issues. * Always set JSVC_CLASSPATH to a default value in init. -- Niels Thykier Sat, 19 Dec 2009 19:11:33 +0100 tomcat6 (6.0.20-8) unstable; urgency=low * Corrected some spelling mistakes in debian/control. (Closes: #557377, #557378) * Added patches to install the OSGi metadata in some of the jars. (Closes: #558176) * Updated 03catalina.policy to allow "setContextClassLoader". - Fixes a problem where Sun's JVM would fail to generate log-files. (Closes: LP: #410379) * Updated /etc/default/tomcat6: - Clarified that JAVA_OPTS are passed to jscv and not the JVM. - Updated the JSP_COMPILER to javac (jikes is not in Debian anymore). (Closes: LP: #440685) * Use default-jdk and default-jre-headless instead of openjdk in (Build-)Depends. * Added more alternatives for java implementations to the Depends of libservlet2.5-java. * Exposed JSVC_CLASSPATH to the configuration file. (Closes: LP: #475457) * Updated description so it no longer refers to non-existent package. (Closes: #559475) * Used "set -e" in postinst and postrm instead of passing "-e" to sh in the #!-line. * Changed to 3.0 (quilt) source format. -- Niels Thykier Mon, 07 Dec 2009 21:17:55 +0100 tomcat6 (6.0.20-7) unstable; urgency=low * New patch fix_context_name.patch: - Allow Service name != Engine name. Regression in fix for 42707. Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47316 - This has been fixed in trunk and will be in 6.0.21 * Register libservlet2.5-java-doc API with doc-base * Fix short description of tomcat6-docs by using "documentation" suffix -- Damien Raude-Morvan Sat, 10 Oct 2009 21:41:55 +0200 tomcat6 (6.0.20-6) unstable; urgency=low [ Ludovic Claude ] * tomcat6.postinst: set the ownership of files in /etc/tomcat6/ to root:tomcat6, to prevent an attacker running inside a tomcat6 instance to change the tomcat configuration * debian/policy/02debian.policy: grant access to /usr/share/maven-repo/ as it is a valid source of Debian JARs. (Closes: #545674) * Bump up Standards-Version to 3.8.3 - add debian/README.source that describes the quilt patch system. * debian/control: Add Conflicts on libtomcat6-java with old versions of tomcat6-common (Closes: #542397) [ Michael Koch ] * Replace dh_clean -k by dh_prep. * Added Ludovic and myself to Uploaders. * Build-Depends on debhelper >= 7. -- Michael Koch Fri, 25 Sep 2009 07:14:07 +0200 tomcat6 (6.0.20-5) unstable; urgency=low * Fix jsp-api dependency in the Maven descriptors. * Put tomcat-juli.jar in /usr/share/java instead of juli.jar. This fixes a broken link which prevented tomcat to start when logging is turned on, and restores the file layout defined in 6.0.20-2. * Restore links to the jars in usr/share/tomcat6/lib * Change watch to download fresh sources from SVN. Should fix wrong encoding in tomcat-i18n-fr/es.jar in the next upstream version. (Closes: #522067) * Update ownership for files in /etc/tomcat6 and /var/lib/tomcat6/webapps. The new owner is tomcat6:adm (Closes: #532284) * Add additional directories for the common, server and shared classloader. Directories are also compatible with Alfresco's packaging done for Ubuntu. (Closes: #521318) * Update checksum in postrm script to reflect changes in the new upstream webapp * postrm removes the extra directories created in /var/lib/tomcat6 to hold shared and common classes or jars. * Added commented out default options for enabling debug mode. (Closes: LP: #375493) -- Ludovic Claude Wed, 05 Aug 2009 00:56:59 +0100 tomcat6 (6.0.20-4) experimental; urgency=low * Fix init script: - Change Provides: tomcat6. (Closes: #532286) - Check for /etc/default/rcS before sourcing it. * Update Standards-Version: 3.8.2 (no changes). -- Torsten Werner Thu, 16 Jul 2009 23:36:32 +0200 tomcat6 (6.0.20-3) experimental; urgency=low * Add the Maven POM to the package * Add a Build-Depends-Indep dependency on maven-repo-helper * Use mh_installpom and mh_installjar to install the POM and the jar to the Maven repository -- Ludovic Claude Tue, 14 Jul 2009 14:17:27 +0100 tomcat6 (6.0.20-2) unstable; urgency=low * Expose tomcat-juli.jar as a library in /usr/share/java as it is a dependency of jasper which is used also by jetty -- Ludovic Claude Mon, 15 Jun 2009 13:33:13 +0100 tomcat6 (6.0.20-1) unstable; urgency=low * new upstream release (Closes: #531873) * Remove patch tcnative-ipv6-fix-43327.patch that has been applied upstream. * Refresh other patches. -- Torsten Werner Fri, 05 Jun 2009 23:38:44 +0200 tomcat6 (6.0.18-dfsg1-1) unstable; urgency=low [ Torsten Werner ] * Remove jstl.jar and standard.jar from orig tarball because it comes without source code. (Closes: #528119) [ Marcus Better ] * Let the init script exit silently if the package is uninstalled. (Closes: #529301) -- Torsten Werner Tue, 19 May 2009 21:23:18 +0200 tomcat6 (6.0.18-4) unstable; urgency=low * Add patch tcnative-ipv6-fix-43327.patch provided by Thierry Carrez. (Closes: #527033) * Change Section: java (from web). * Bump up Standards-Version: 3.8.1 (no changes). * Remove redundant Depends: ant because we depend on ant-optional. -- Torsten Werner Sun, 10 May 2009 19:41:40 +0200 tomcat6 (6.0.18-3) unstable; urgency=low * Remove unneeded dirs and symlinks; thanks to Thierry Carrez. (Closes: #517857) * Improve the long description of all binary packages. (Closes: #518140) -- Torsten Werner Wed, 04 Mar 2009 21:58:41 +0100 tomcat6 (6.0.18-2) unstable; urgency=low * upload to unstable -- Torsten Werner Sat, 21 Feb 2009 11:31:20 +0100 tomcat6 (6.0.18-1) experimental; urgency=low * Merge changes from Ubuntu. Thanks to the Ubuntu developers we are shipping a full Tomcat 6.0 server stack now. (Closes: #494674) * Add myself to Uploaders. * Switch to openjdk-6 which is not the default in Debian. -- Torsten Werner Sat, 07 Feb 2009 17:02:57 +0100 tomcat6 (6.0.18-0ubuntu5) jaunty; urgency=low [ Thierry Carrez ] * Removed tomcat6-[admin,docs,examples].post[inst,rm] and let Tomcat webapp autodeployment features handle application load/unload (LP: #302914) * tomcat6-instance-create, tomcat6-instance-create.1, control: Allow to change the HTTP port, control port and shutdown word on the tomcat6-instance-create command line (LP: #300691). [ Mathias Gug] * debian/tomcat6-instance-create: move directoryname from an option to an argument. * debian/tomcat6-instance-create.1: some updates to the man page. * debian/control: update maintainer field to Ubuntu Core Developers now that tomcat6 is in main. -- Mathias Gug Wed, 07 Jan 2009 18:44:39 -0500 tomcat6 (6.0.18-0ubuntu4) jaunty; urgency=low * tomcat6.init, tomcat6.postinst, tomcat6.dirs, tomcat6.default, README.debian: Use /tmp/tomcat6-temp instead of /var/lib/tomcat6/temp as the JVM temporary directory and clean it at each restart (LP: #287452) * policy/04webapps.policy: add rules to allow usage of java.io.tmpdir * tomcat6.init, rules: Do not use TearDown, as this results in LifecycleListener callbacks in webapps being bypassed (LP: #299436) * rules: Compile at Java 1.5 level to allow usage of Java 5 JREs (LP: #286427) * control, rules, libservlet2.5-java-doc.install, libservlet2.5-java-doc.links: New libservlet2.5-java-doc package ships missing Servlet/JSP API documentation (LP: #279645) * patches/use-commons-dbcp.patch: Change default DBCP factory class to org.apache.commons.dbcp.BasicDataSourceFactory (LP: #283852) * tomcat6.dirs, tomcat6.postinst, default_root/index.html: Create Catalina/localhost in /etc/tomcat6 and make it writeable by the tomcat6 group, so that autodeploy and admin webapps work as expected (LP: #294277) * patches/disable-apr-loading.patch: Disable APR library loading until we properly provide it. * patches/disable-ajp-connector: Do not load AJP13 connector by default (LP: #300697) * rules: minor fixes to prevent build being called twice. -- Thierry Carrez Thu, 27 Nov 2008 12:47:42 +0000 tomcat6 (6.0.18-0ubuntu3) intrepid; urgency=low * debian/tomcat6.postinst: - Make /var/lib/tomcat6/temp writeable by the tomcat6 user (LP: #287126) - Make /var/lib/tomcat6/webapps writeable by tomcat6 group (LP: #287447) * debian/tomcat6.init: make status return nonzero if tomcat6 is not running (fixes LP: #288218) -- Thierry Carrez Thu, 23 Oct 2008 18:19:15 +0200 tomcat6 (6.0.18-0ubuntu2) intrepid; urgency=low * debian/rules: call dh_installinit with --error-handler so that install doesn't fail if Tomcat cannot be started during configure (LP: #274365) -- Thierry Carrez Mon, 06 Oct 2008 13:55:21 +0200 tomcat6 (6.0.18-0ubuntu1) intrepid; urgency=low * New upstream version (LP: #260016) - Fixes CVE-2008-2938: Directory traversal vulnerability (LP: #256802) - Fixes CVE-2008-2370: Information disclosure vulnerability (LP: #256922) - Fixes CVE-2008-1232: XSS through sendError vulnerability (LP: #256926) * Dropped CVE-2008-1947.patch (fix is shipped in this upstream release) * control: Improve short descriptions for the binary packages * copyright: Added link to /usr/share/common-licenses/Apache-2.0 * control: To pull the right JRE, libtomcat6-java now depends on default-jre-headless | java6-runtime-headless -- Thierry Carrez Fri, 22 Aug 2008 09:15:11 +0200 tomcat6 (6.0.16-1ubuntu1) intrepid; urgency=low * Adding full Tomcat 6 server stack support (LP: #256052) - tomcat6 handles the system instance (/var/lib/tomcat6) - tomcat6-user allows users to create their own private instances - tomcat6-common installs common files in /usr/share/tomcat6 - libtomcat6-java installs Tomcat 6 java libs in /usr/share/java - tomcat6-docs installs the documentation webapp - tomcat6-examples installs the examples webapp - tomcat6-admin installs the manager and host-manager webapps * Other key differences with the tomcat5.5 packages: - default-jdk build support - OpenJDK-6 JRE runtime support - tomcat6 installs a minimal ROOT webapp - new webapp locations follow Debian webapp policy - webapps restart tomcat6 in postrm rather than in prerm - added a doc-base entry - use standard upstream server.xml - initscript: try to check if Tomcat is really running before returning OK - removed transitional configuration migration code - autogenerate policy in /var/cache/tomcat6 rather than /etc/tomcat6 - logging.properties is customized to remove -webapps-related lines - initscript: implement TearDown spec * CVE-2008-1947 fix (cross-site-scripting issue in host-manager webapp) -- Thierry Carrez Fri, 08 Aug 2008 15:37:48 +0200 tomcat6 (6.0.16-1) unstable; urgency=low * Initial release. (Closes: #480964). -- Paul Cager Mon, 12 May 2008 23:04:49 +0000