~ubuntu-branches/ubuntu/lucid/tomcat6/lucid-security

• Changes
• Files

~ubuntu-branches/ubuntu/lucid/tomcat6/lucid-security » Changes from revision 29

From Revision 29 to 10

expand all

collapse all

Rev		Summary	Authors	Tags	Date	Diff	Files
29		* SECURITY UPDATE: denial of service via malformed chunk siz... * SECURITY UPDATE: denial of service via malformed chunk size   - debian/patches/CVE-2014-0075.patch: fix overflow in     java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.   - CVE-2014-0075 * SECURITY UPDATE: file disclosure via XXE issue   - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a     relative path in conf/web.xml,     java/org/apache/catalina/servlets/DefaultServlet.java,     java/org/apache/catalina/servlets/LocalStrings.properties,     webapps/docs/default-servlet.xml.   - CVE-2014-0096 * SECURITY UPDATE: HTTP request smuggling attack via crafted   Content-Length HTTP header   - debian/patches/CVE-2014-0099.patch: correctly handle long values in     java/org/apache/tomcat/util/buf/Ascii.java.   - CVE-2014-0099	Marc Deslauriers	6.0.24-2ubuntu1.16	9 years ago
28		* SECURITY UPDATE: request smuggling attack via content-leng... * SECURITY UPDATE: request smuggling attack via content-length headers   - debian/patches/CVE-2013-4286.patch: handle multiple content lengths     in java/org/apache/coyote/ajp/AbstractAjpProcessor.java,      java/org/apache/coyote/ajp/AjpProcessor.java, handle content length     and chunked encoding being both specified in     java/org/apache/coyote/http11/Http11AprProcessor.java,     java/org/apache/coyote/http11/Http11NioProcessor.java,     java/org/apache/coyote/http11/Http11Processor.java.   - CVE-2013-4286 * SECURITY UPDATE: denial of service via chunked transfer coding   - debian/patches/CVE-2013-4322.patch: limit length of extension data in     java/org/apache/coyote/Constants.java,     java/org/apache/coyote/http11/filters/ChunkedInputFilter.java,     webapps/docs/config/systemprops.xml.   - CVE-2013-4322	Marc Deslauriers	6.0.24-2ubuntu1.15	10 years ago
27		* SECURITY UPDATE: denial of service via chunked transfer en... * SECURITY UPDATE: denial of service via chunked transfer encoding   - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests     in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.   - CVE-2012-3544 * SECURITY UPDATE: FORM authentication request injection   - debian/patches/CVE-2013-2067.patch: properly change session ID     in java/org/apache/catalina/authenticator/FormAuthenticator.java.   - CVE-2013-2067	Marc Deslauriers	6.0.24-2ubuntu1.13	10 years ago
26		* SECURITY UPDATE: security-constraint bypass with FORM auth * SECURITY UPDATE: security-constraint bypass with FORM auth   - debian/patches/CVE-2012-3546.patch: remove unneeded code in     java/org/apache/catalina/realm/RealmBase.java.   - CVE-2012-3546 * SECURITY UPDATE: denial of service with NIO connector   - debian/patches/CVE-2012-4534.patch: properly handle connection breaks     in java/org/apache/tomcat/util/net/NioEndpoint.java.   - CVE-2012-4534	Marc Deslauriers	6.0.24-2ubuntu1.12	11 years ago
25		* SECURITY UPDATE: denial of service via large header data * SECURITY UPDATE: denial of service via large header data   - debian/patches/0012-CVE-2012-2733.patch: improve size logic in     java/org/apache/coyote/http11/InternalNioInputBuffer.java.   - CVE-2012-2733 * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws   - debian/patches/0013-CVE-2012-588x.patch: disable caching of an     authenticated user in the session by default, track server rather     than client nonces, better handling of stale nonce values in     java/org/apache/catalina/authenticator/DigestAuthenticator.java.   - CVE-2012-3439   - CVE-2012-5885   - CVE-2012-5886   - CVE-2012-5887	Marc Deslauriers	6.0.24-2ubuntu1.11	11 years ago
24		* SECURITY UPDATE: denial of service via hash collision and ... * SECURITY UPDATE: denial of service via hash collision and incorrect   handling of large numbers of parameters and parameter values   (LP: #909828)   - debian/patches/0019-CVE-2012-0022.patch: refactor parameter handling     code in conf/web.xml,     java/org/apache/catalina/connector/Connector.java,     java/org/apache/catalina/connector/mbeans-descriptors.xml,     java/org/apache/catalina/connector/Request.java,     java/org/apache/catalina/filters/FailedRequestFilter.java,     java/org/apache/catalina/Globals.java,     java/org/apache/coyote/Request.java,     java/org/apache/tomcat/util/buf/B2CConverter.java,     java/org/apache/tomcat/util/buf/ByteChunk.java,     java/org/apache/tomcat/util/buf/MessageBytes.java,     java/org/apache/tomcat/util/buf/StringCache.java,     java/org/apache/tomcat/util/http/LocalStrings.properties,     java/org/apache/tomcat/util/http/Parameters.java,     webapps/docs/config/ajp.xml,     webapps/docs/config/http.xml.   - CVE-2011-4858   - CVE-2012-0022	Marc Deslauriers	6.0.24-2ubuntu1.10	12 years ago
23		* SECURITY UPDATE: information disclosure via log file * SECURITY UPDATE: information disclosure via log file   - debian/patches/0015-CVE-2011-2204.patch: fix logging in     java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,     java/org/apache/catalina/users/MemoryUserDatabase.java,     java/org/apache/catalina/users/MemoryUser.java.   - CVE-2011-2204 * SECURITY UPDATE: file restriction bypass or denial of service via   untrusted web application.   - debian/patches/0016-CVE-2011-2526.patch: check canonical name in     java/org/apache/catalina/connector/LocalStrings.properties,     java/org/apache/catalina/connector/Request.java,     java/org/apache/catalina/servlets/DefaultServlet.java,     java/org/apache/coyote/http11/Http11AprProcessor.java,     java/org/apache/coyote/http11/LocalStrings.properties,     java/org/apache/tomcat/util/net/AprEndpoint.java,     java/org/apache/tomcat/util/net/NioEndpoint.java.   - CVE-2011-2526 * SECURITY UPDATE: AJP request spoofing and authentication bypass   (LP: #843701)   - debian/patches/0017-CVE-2011-3190.patch: Properly handle request     bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,     java/org/apache/coyote/ajp/AjpProcessor.java.   - CVE-2011-3190 * SECURITY UPDATE: HTTP DIGEST authentication weaknesses   - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in     java/org/apache/catalina/authenticator/DigestAuthenticator.java,     java/org/apache/catalina/authenticator/LocalStrings.properties,     java/org/apache/catalina/authenticator/mbeans-descriptors.xml,     java/org/apache/catalina/realm/RealmBase.java,     webapps/docs/config/valve.xml.   - CVE-2011-1184	Marc Deslauriers	6.0.24-2ubuntu1.9	12 years ago
22		* SECURITY UPDATE: directory traversal via incorrect ServetC... * SECURITY UPDATE: directory traversal via incorrect ServetContext   attribute (LP: #717396)   - debian/patches/0012-CVE-2010-3718.patch: mark as read only in     java/org/apache/catalina/core/StandardContext.java.   - CVE-2010-3718 * SECURITY UPDATE: cross-site scripting in HTML Manager interface   - debian/patches/0013-CVE-2011-0013.patch: properly filter values in     java/org/apache/catalina/manager/{HTMLManagerServlet.java,     StatusTransformer.java}.   - CVE-2011-0013 * SECURITY UPDATE: denial of service via NIOS HTTP connector   (LP: #714239, LP: #717396)   - debian/patches/0014-CVE-2011-0534.patch: enforce proper size in     java/org/apache/coyote/http11/InternalNioInputBuffer.java.   - CVE-2011-0534	Marc Deslauriers	6.0.24-2ubuntu1.7	13 years ago
21		* SECURITY UPDATE: cross-site scripting in Manager applicati... * SECURITY UPDATE: cross-site scripting in Manager application   - debian/patches/0011-CVE-2010-4172.patch: add proper escaping to     java/org/apache/catalina/manager/JspHelper.java,     webapps/manager/{sessionDetail,sessionsList}.jsp.   - patch backported from Debian 6.0.28-9 package   - CVE-2010-4172	Marc Deslauriers	6.0.24-2ubuntu1.6	13 years ago
20		* SECURITY UPDATE: denial of service and possible informatio... * SECURITY UPDATE: denial of service and possible information disclosure   via crafted header   - debian/patches/CVE-2010-2227.patch: fix filter logic in     java/org/apache/coyote/http11/{Http11AprProcessor,Http11NioProcessor,     Http11Processor,filters/BufferedInputFilter}.java.    - CVE-2010-2227	Marc Deslauriers	6.0.24-2ubuntu1.3	13 years ago
19		[ Thierry Carrez ] [ Thierry Carrez ] * Uploading what 6.0.24-5 should be (upload is blocked in Debian due to   current infrastructure issues), in order to meet Beta2Freeze. [ Niels Thykier ] * Added optimised garbage collection options to tomcat6's default options.   Thanks to Aaron J. Zirbes and Thierry Carrez for research and the patch.   (Closes: LP: #541520) * Updated the changelog to mention closed CVE's in the 6.0.24-1 release. * Applied patch from Arto Jantunen fixing an issue with cleaning up the   pid-file. (Closes: #574084) [ Ludovic Claude ] * debian/tomcat6.postrm: fix removal of Tomcat (Closes: #567548) * Set UTF-8 as default character encoding - Patch by Thomas Koch   (Closes: #573539) * Set the major, minor and build versions when calling Ant   (Closes: LP: #495505) * Rebuild with a more recent version of maven-repo-helper which puts   the javax jars at the correct location in the Maven repository.   Fixes several FTBFS in other packages.	Thierry Carrez	6.0.24-2ubuntu1	14 years ago
18		* Fix missing symlinks to tomcat-coyote.jar and * Fix missing symlinks to tomcat-coyote.jar and   catalina-tribes.jar causing NoClassDefFoundException   at startup (last minute packaging change, sorry)   (Closes: #570220) * tomcat6-admin, tomcat6-examples and tomcat6-docs now depend on   tomcat6-common instead of tomcat6, this allow users to install   those packages without requiring tomcat6 and its automatic startup scripts   being present. tomcat-users can be installed instead and allow full   control over when Tomcat is started or stopped.	Ludovic Claude	6.0.24-2	14 years ago
17		[ Ludovic Claude ] [ Ludovic Claude ] * New upstream version * Update the POM files for the new version of Tomcat * Bump up Standards-Version to 3.8.4 * Refresh patches deploy-webapps-build-xml.patch and var_loaders.patch * Remove patch fix_context_name.patch as it has been applied upstream * Fix the installation of servlet-api-2.5.jar: the jar   goes to /usr/share/java as in older versions (6.0.20-2)   and links to the jar are added to /usr/share/maven-repo * Moved NEWS.Debian into README.Debian * Add a link from /usr/share/doc/tomcat6-common/README.Debian to   /usr/share/doc/tomcat6/README.Debian to include a minimum of   documentation in the tomcat6 package and add some useful notes.    (Closes: #563937, #563939) * Remove poms from the Debian packaging, use upstream pom files [ Jason Brittain ] * Fixed a bug in the init script: When a start fails, the PID file was   being left in place.  Now the init script makes sure it is deleted. * Fixed a packaging bug that results in the ROOT webapp not being properly   installed after an uninstall, then a reinstall. * control: Corrected a couple of comments (no functional change).	Ludovic Claude	6.0.24-1	14 years ago
16		* Fix debian/orig-tar.sh to exclude binary only standard.jar... * Fix debian/orig-tar.sh to exclude binary only standard.jar and jstl.jar.   (Closes: #528119) * Upload a cleaned tarball. * Add ${misc:Depends} in debian/control.	Torsten Werner	6.0.20-dfsg1-1	14 years ago
15		* Fix spelling issues. * Fix spelling issues. * Always set JSVC_CLASSPATH to a default value in init.	Niels Thykier	6.0.20-9	14 years ago
14		* Merge from Debian unstable. Remaining changes: * Merge from Debian unstable. Remaining changes:   - debian/control, debian/rules: Do not use 3.0 (quilt) source format yet * debian/tomcat6.default: Fix typos in "JSVC" and "remote", missing newline * debian/tomcat6.default, debian/tomcat6.init: Handle JSVC_CLASSPATH   default value the same way as other defaults	Thierry Carrez	6.0.20-8ubuntu1	14 years ago
13		* Add maven POM's for libservlet2.5-java. LP: #454822. * Add maven POM's for libservlet2.5-java. LP: #454822. * debian/policy/02debian.policy: grant access to   /usr/share/maven-repo/ as it is a valid source of Debian JARs.	Matthias Klose	6.0.20-2ubuntu2	14 years ago
12		* Merge from debian unstable (LP: #391018); remaining change... * Merge from debian unstable (LP: #391018); remaining changes:   - debian/control, debian/rules: Use default-jdk to build   - debian/control: Run using default-jre-headless by default	Iulian Udrea	6.0.20-2ubuntu1	14 years ago
11		[ Iulian Udrea ] [ Iulian Udrea ] * Merge from debian unstable (LP: #385262), remaining changes:   - debian/control, debian/rules: Use default-jdk to build   - debian/control: Run using default-jre-headless by default	Mathias Gug	6.0.20-1ubuntu1	14 years ago
10		* Merge from debian unstable (LP: #371728), remaining change... * Merge from debian unstable (LP: #371728), remaining changes:   - debian/control, debian/rules: Use default-jdk to build   - debian/control: Run using default-jre-headless by default   - debian/patches/tcnative-ipv6-fix-43327.patch to fix incompatibility     between libtcnative-1 and ipv6	Thierry Carrez	6.0.18-3ubuntu1	14 years ago

• Older »

Loggerhead is a web-based interface for Breezy
Version: 2.0.1