Change log for tomcat9 package in Ubuntu

1 to 47 of 47 results
Published in focal-updates
Published in focal-security
tomcat9 (9.0.31-1ubuntu0.5) focal-security; urgency=medium

  * SECURITY UPDATE: Incorrect handling of requests enables potential smuggling
    attack
    - debian/patches/CVE-2022-42252.patch: Requests with invalid content-length
      should always be rejected
    - CVE-2022-42252

 -- Bruce Cable <email address hidden>  Thu, 04 Jul 2024 09:44:24 +1000
Published in oracular-release
Published in noble-release
Deleted in noble-proposed (Reason: Moved to noble)
Deleted in mantic-proposed (Reason: mantic->noble)
tomcat9 (9.0.70-2) unstable; urgency=medium

  * Team upload.
  * Drop tomcat9 server packages because only one Tomcat version is supported
    per release. Only retain libtomcat9-java because of compatibility reasons
    for now. Users are strongly encouraged to switch to Tomcat 10 instead.
    (Closes: #1034824)

 -- Markus Koschany <email address hidden>  Sat, 27 May 2023 17:51:32 +0200
Superseded in noble-release
Published in mantic-release
Published in lunar-release
Deleted in lunar-proposed (Reason: Moved to lunar)
tomcat9 (9.0.70-1ubuntu1) lunar; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - Fix logging for unprivileged rsyslogd (LP #1964881):
      + d/logrotate.template: use syslog:adm for log rotation so that
        rsyslog can write to the file
      + d/rsyslog/tomcat9.conf: drop "fileOwner" as it cannot be set by an
        unprivileged rsyslogd
      + d/tomcat9.postinst: adjust ownership of catalina.out so that
        rsyslogd can write to it. Also change the rotated log files for
        consistency.

 -- Andreas Hasenack <email address hidden>  Thu, 22 Dec 2022 15:00:21 -0300
Superseded in focal-updates
Deleted in focal-proposed (Reason: moved to -updates)
tomcat9 (9.0.31-1ubuntu0.4) focal; urgency=medium

  * d/p/lp1903851-multipart-upload-over-https.patch: apply revert
    from 9.0.32 to fix multi-part upload over HTTPS (LP: #1903851)

 -- Tom Moyer <email address hidden>  Fri, 18 Nov 2022 19:07:15 +0000
Superseded in lunar-release
Obsolete in kinetic-release
Deleted in kinetic-proposed (Reason: Moved to kinetic)
tomcat9 (9.0.65-1ubuntu1) kinetic; urgency=medium

  * Merge with Debian unstable. Remaining changes:
    - Fix logging for unprivileged rsyslogd (LP #1964881):
      + d/logrotate.template: use syslog:adm for log rotation so that
        rsyslog can write to the file
      + d/rsyslog/tomcat9.conf: drop "fileOwner" as it cannot be set by an
        unprivileged rsyslogd
      + d/tomcat9.postinst: adjust ownership of catalina.out so that
        rsyslogd can write to it. Also change the rotated log files for
        consistency.

 -- Andreas Hasenack <email address hidden>  Mon, 15 Aug 2022 09:06:28 -0300
Superseded in focal-updates
Deleted in focal-proposed (Reason: moved to -updates)
tomcat9 (9.0.31-1ubuntu0.3) focal; urgency=medium

  * Fix logging for unprivileged rsyslogd (LP: #1964881):
    - d/logrotate.template: use syslog:adm for log rotation so that
      rsyslog can write to the file
    - d/tomcat9.postinst: adjust ownership of catalina.out so that
      rsyslogd can write to it. Also change the rotated log files for
      consistency.
    - d/tomcat9.tmpfile: /var/log/tomcat9 should be 02770 now

 -- Andreas Hasenack <email address hidden>  Wed, 20 Jul 2022 15:09:00 -0300
Published in jammy-updates
Deleted in jammy-proposed (Reason: moved to -updates)
tomcat9 (9.0.58-1ubuntu0.1) jammy; urgency=medium

  * Fix logging for unprivileged rsyslogd (LP: #1964881):
    - d/logrotate.template: use syslog:adm for log rotation so that
      rsyslog can write to the file
    - d/rsyslog/tomcat9.conf: drop "fileOwner" as it cannot be set by an
      unprivileged rsyslogd
    - d/tomcat9.postinst: adjust ownership of catalina.out so that
      rsyslogd can write to it. Also change the rotated log files for
      consistency.

 -- Andreas Hasenack <email address hidden>  Wed, 20 Jul 2022 16:05:45 -0300
Superseded in kinetic-release
Deleted in kinetic-proposed (Reason: Moved to kinetic)
tomcat9 (9.0.64-2ubuntu1) kinetic; urgency=medium

  * Fix logging for unprivileged rsyslogd (LP: #1964881):
    - d/logrotate.template: use syslog:adm for log rotation so that
      rsyslog can write to the file
    - d/rsyslog/tomcat9.conf: drop "fileOwner" as it cannot be set by an
      unprivileged rsyslogd
    - d/tomcat9.postinst: adjust ownership of catalina.out so that
      rsyslogd can write to it. Also change the rotated log files for
      consistency.

 -- Andreas Hasenack <email address hidden>  Thu, 23 Jun 2022 18:02:52 -0300
Superseded in kinetic-release
Deleted in kinetic-proposed (Reason: Moved to kinetic)
tomcat9 (9.0.64-2) unstable; urgency=medium

  * Fallback to the default log formatter when systemd isn't used
  * Depend on systemd-sysusers and systemd-tmpfiles instead of systemd
  * Depend on libeclipse-jdt-core-java (>= 3.26.0)

 -- Emmanuel Bourg <email address hidden>  Tue, 21 Jun 2022 14:59:03 +0200
Superseded in kinetic-release
Deleted in kinetic-proposed (Reason: Moved to kinetic)
tomcat9 (9.0.64-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.6.1

 -- Emmanuel Bourg <email address hidden>  Mon, 20 Jun 2022 15:17:59 +0200
Superseded in kinetic-release
Deleted in kinetic-proposed (Reason: Moved to kinetic)
tomcat9 (9.0.63-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 9.0.63.
    - Fix CVE-2022-29885: Improve documentation for the EncryptInterceptor and
      do not claim it protects against all risks associated with running over
      any untrusted network.

 -- Markus Koschany <email address hidden>  Fri, 13 May 2022 14:04:35 +0200
Superseded in kinetic-release
Deleted in kinetic-proposed (Reason: Moved to kinetic)
tomcat9 (9.0.62-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 9.0.62.
  * Drop 0027-java11-compilation.patch because it is apparently no longer
    required.
  * Refresh disable-jacoco.patch for new release.
  * Depend on java11-runtime-headless because Java 8 is no longer supported.
    Thanks to Per Lundberg for the report. (Closes: #1006647)

 -- Markus Koschany <email address hidden>  Fri, 29 Apr 2022 23:10:59 +0200
Published in bionic-updates
Published in bionic-security
tomcat9 (9.0.16-3ubuntu0.18.04.2) bionic-security; urgency=medium

  * SECURITY UPDATE: TLS Denial of Service
    - debian/patches/CVE-2021-41079.patch: Apache Tomcat did not properly
      validate incoming TLS packets. When Tomcat was configured to use
      NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be
      used to trigger an infinite loop resulting in a denial of service.
    - CVE-2021-41079
  * SECURITY UPDATE: Authentication Vulnerability
    - debian/patches/CVE-2021-30640.patch: A vulnerability in the JNDI Realm
      of Apache Tomcat allows an attacker to authenticate using variations of
      a valid user name and/or to bypass some of the protection provided by
      the LockOut Realm.
    - CVE-2021-30640
  * SECURITY UPDATE: Request Smuggling
    - debian/patches/CVE-2021-33037.patch: Apache Tomcat did not correctly
      parse the HTTP transfer-encoding request header in some circumstances
      leading to the possibility of request smuggling when used with a reverse
      proxy. Specifically:
      + Tomcat incorrectly ignored the transfer encoding header if the client
        declared it would only accept an HTTP/1.0 response;
      + Tomcat honoured the identity encoding; and
      + Tomcat did not ensure that, if present, the chunked encoding was the
        final encoding.
    - CVE-2021-33037
  * SECURITY UPDATE: remote code execution via session persistence
    - debian/patches/CVE-2021-25329.patch: The fix for CVE-2020-9484 was
      incomplete. When using Apache Tomcat with a configuration edge case that
      was highly unlikely to be used, the Tomcat instance was still vulnerable
      to CVE-2020-9494. Note that both the previously published prerequisites
      for CVE-2020-9484 and the previously published mitigations for
      CVE-2020-9484 also apply to this issue.
    - CVE-2021-25329
  * SECURITY UPDATE: Request Header Duplication
    - debian/patches/CVE-2021-25122.patch: When responding to new h2c
      connection requests, Apache Tomcat could duplicate request headers and a
      limited amount of request body from one request to another meaning user
      A and user B could both see the results of user A's request.
    - CVE-2021-25122
  * SECURITY UPDATE: HTTP/2 request header mix-up
    - debian/patches/CVE-2020-17527.patch: It was discovered that Apache
      Tomcat could re-use an HTTP request header value from the previous
      stream received on an HTTP/2 connection for the request associated with
      the subsequent stream. While this would most likely lead to an error and
      the closure of the HTTP/2 connection, it is possible that information
      could leak between requests.
    - CVE-2020-17527
  * SECURITY UPDATE: HTTP/2 request mix-up
    - debian/patches/CVE-2020-13943.patch: If an HTTP/2 client exceeded the
      agreed maximum number of concurrent streams for a connection (in
      violation of the HTTP/2 protocol), it was possible that a subsequent
      request made on that connection could contain HTTP headers - including
      HTTP/2 pseudo headers - from a previous request rather than the intended
      headers. This could lead to users seeing responses for unexpected
      resources.
    - CVE-2020-13943

 -- Paulo Flabiano Smorigo <email address hidden>  Tue, 29 Mar 2022 15:05:11 +0000
Superseded in focal-updates
Superseded in focal-security
tomcat9 (9.0.31-1ubuntu0.2) focal-security; urgency=medium

  * SECURITY UPDATE: TLS Denial of Service
    - debian/patches/CVE-2021-41079.patch: Apache Tomcat did not properly
      validate incoming TLS packets. When Tomcat was configured to use
      NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be
      used to trigger an infinite loop resulting in a denial of service.
    - CVE-2021-41079
  * SECURITY UPDATE: Authentication Vulnerability
    - debian/patches/CVE-2021-30640.patch: A vulnerability in the JNDI Realm
      of Apache Tomcat allows an attacker to authenticate using variations of
      a valid user name and/or to bypass some of the protection provided by
      the LockOut Realm.
    - CVE-2021-30640
  * SECURITY UPDATE: Request Smuggling
    - debian/patches/CVE-2021-33037.patch: Apache Tomcat did not correctly
      parse the HTTP transfer-encoding request header in some circumstances
      leading to the possibility of request smuggling when used with a reverse
      proxy. Specifically:
      + Tomcat incorrectly ignored the transfer encoding header if the client
        declared it would only accept an HTTP/1.0 response;
      + Tomcat honoured the identity encoding; and
      + Tomcat did not ensure that, if present, the chunked encoding was the
        final encoding.
    - CVE-2021-33037
  * SECURITY UPDATE: remote code execution via session persistence
    - debian/patches/CVE-2021-25329.patch: The fix for CVE-2020-9484 was
      incomplete. When using Apache Tomcat with a configuration edge case that
      was highly unlikely to be used, the Tomcat instance was still vulnerable
      to CVE-2020-9494. Note that both the previously published prerequisites
      for CVE-2020-9484 and the previously published mitigations for
      CVE-2020-9484 also apply to this issue.
    - CVE-2021-25329
  * SECURITY UPDATE: Request Header Duplication
    - debian/patches/CVE-2021-25122.patch: When responding to new h2c
      connection requests, Apache Tomcat could duplicate request headers and a
      limited amount of request body from one request to another meaning user
      A and user B could both see the results of user A's request.
    - CVE-2021-25122
  * SECURITY UPDATE: HTTP/2 request header mix-up
    - debian/patches/CVE-2020-17527.patch: It was discovered that Apache
      Tomcat could re-use an HTTP request header value from the previous
      stream received on an HTTP/2 connection for the request associated with
      the subsequent stream. While this would most likely lead to an error and
      the closure of the HTTP/2 connection, it is possible that information
      could leak between requests.
    - CVE-2020-17527
  * SECURITY UPDATE: HTTP/2 request mix-up
    - debian/patches/CVE-2020-13943.patch: If an HTTP/2 client exceeded the
      agreed maximum number of concurrent streams for a connection (in
      violation of the HTTP/2 protocol), it was possible that a subsequent
      request made on that connection could contain HTTP headers - including
      HTTP/2 pseudo headers - from a previous request rather than the intended
      headers. This could lead to users seeing responses for unexpected
      resources.
    - CVE-2020-13943

 -- Evren Yurtesen <email address hidden>  Wed, 16 Mar 2022 20:51:24 +0200
Superseded in kinetic-release
Published in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
tomcat9 (9.0.58-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 9.0.58.
  * Add disable-jacoco.patch and remove the dependency on jacoco when running
    the test suite.

 -- Markus Koschany <email address hidden>  Wed, 09 Feb 2022 15:51:20 +0100
Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
tomcat9 (9.0.55-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 9.0.55.

 -- Markus Koschany <email address hidden>  Mon, 15 Nov 2021 22:12:42 +0100
Superseded in jammy-release
Deleted in jammy-proposed (Reason: Moved to jammy)
tomcat9 (9.0.54-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 9.0.54.
    - Fix CVE-2021-42340:
      The fix for bug 63362 introduced a memory leak. The object introduced to
      collect metrics for HTTP upgrade connections was not released for
      WebSocket connections once the connection was closed. This created a
      memory leak that, over time, could lead to a denial of service via an
      OutOfMemoryError.
  * Update 0010-debianize-build-xml.patch and depend on the setup-bnd task to
    prevent an FTBFS when building the tests. This replaces the workaround of
    setting addOSGi to false.
    Thanks to Aurimas Fišeras for the report.

 -- Markus Koschany <email address hidden>  Fri, 22 Oct 2021 21:59:08 +0200
Superseded in jammy-proposed
tomcat9 (9.0.53-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 9.0.53.
    - Drop security patches. Fixed upstream.
    - Fix CVE-2021-41079:
      Apache Tomcat did not properly validate incoming TLS packets. When Tomcat
      was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially
      crafted packet could be used to trigger an infinite loop resulting in a
      denial of service.
  * Declare compliance with Debian Policy 4.6.0.
  * Set the fileOwner of catalina.out to tomcat explicitly.
    Thanks to Adam Cecile for the report. (Closes: #987179)
  * Refresh 0021-dont-test-unsupported-ciphers.patch
  * tomcat9.cron.daily: Set maxdepth to 1 so that log files of custom
    applications in subdirectories of /var/log/tomcat9 are not compressed.
    Thanks to Ludovic Pouzenc for the report. (Closes: #982961)
  * Exclude TestJNDIRealmIntegration because of missing dependencies.
  * d/rules: dh_auto_test override: Set addOSGi to false when building the
    tests to prevent an FTBFS.

 -- Markus Koschany <email address hidden>  Fri, 24 Sep 2021 15:37:51 +0200
Superseded in jammy-release
Obsolete in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
tomcat9 (9.0.43-3) unstable; urgency=medium

  * Team upload.
  * CVE-2021-30640: Fix NullPointerException.
    If no userRoleAttribute is specified in the user's Realm configuration its
    default value will be null. This will cause a NPE in the methods
    doFilterEscaping and doAttributeValueEscaping. This is upstream bug
    https://bz.apache.org/bugzilla/show_bug.cgi?id=65308

 -- Markus Koschany <email address hidden>  Tue, 10 Aug 2021 17:17:56 +0200
Superseded in impish-release
Deleted in impish-proposed (Reason: Moved to impish)
tomcat9 (9.0.43-2) unstable; urgency=medium

  * Team upload.

  [ mirabilos ]
  * fix /var/log/tomcat9 permissions
    fixup for commit 51128fe9fb2d4d0b56be675d845cf92e4301a6c3

  [ Markus Koschany ]
  * Fix CVE-2021-30640:
    A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to
    authenticate using variations of a valid user name and/or to bypass some of
    the protection provided by the LockOut Realm.
  * Fix CVE-2021-33037:
    Apache Tomcat did not correctly parse the HTTP transfer-encoding request
    header in some circumstances leading to the possibility of request
    smuggling when used with a reverse proxy. Specifically:
    - Tomcat incorrectly ignored the transfer encoding header if the client
      declared it would only accept an HTTP/1.0 response;
    - Tomcat honoured the identity encoding; and
    - Tomcat did not ensure that, if present, the chunked encoding was the
      final encoding.
    (Closes: #991046)

 -- Markus Koschany <email address hidden>  Sat, 07 Aug 2021 00:11:43 +0200
Superseded in impish-release
Obsolete in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
tomcat9 (9.0.43-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Rotate the catalina.out log file with the tomcat user (Closes: #971583)
  * Switch to debhelper level 13

 -- Emmanuel Bourg <email address hidden>  Tue, 02 Feb 2021 20:23:51 +0100
Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
tomcat9 (9.0.41-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.5.1

 -- Emmanuel Bourg <email address hidden>  Wed, 09 Dec 2020 16:03:00 +0100
Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
tomcat9 (9.0.40-1) unstable; urgency=medium

  [ Emmanuel Bourg ]
  * New upstream release
    - Refreshed the patches
  * Changed the home directory of the tomcat user to /var/lib/tomcat
    (Closes: #926338)

  [ Vincent McIntyre ]
  * Automatically export the JAVA_HOME environment variable when the value
    is defined in /etc/defaults/tomcat9 (Closes: #966338)

 -- Emmanuel Bourg <email address hidden>  Tue, 24 Nov 2020 08:21:29 +0100
Superseded in focal-updates
Superseded in focal-security
tomcat9 (9.0.31-1ubuntu0.1) focal-security; urgency=medium

  * SECURITY UPDATE: HTTP/2 Denial of Service
    - debian/patches/CVE-2020-13934.patch: ensure that the HTTP/1.1
      processor is correctly recycled when a direct connection to h2c is
      made
    - CVE-2020-13934
  * SECURITY UPDATE: WebSocket Denial of Service
    - debian/patches/CVE-2020-13935.patch: add additional validation of
      payload length for WebSocket messages
    - CVE-2020-13935
  * SECURITY UPDATE: HTTP/2 Denial of Service
    - debian/patches/CVE-2020-11996.patch: improve performance of closing
      idle HTTP/2 streams
    - CVE-2020-11996
  * SECURITY UPDATE: remote code execution via session persistence
    - debian/patches/CVE-2020-9484.patch: improve validation of storage
      location when using FileStore
    - CVE-2020-9484

 -- Emilia Torino <email address hidden>  Tue, 20 Oct 2020 09:27:39 -0300
Superseded in hirsute-release
Deleted in hirsute-proposed (Reason: moved to Release)
tomcat9 (9.0.39-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * tomcat9-user now depends on netcat-openbsd instead of netcat
    (Closes: #966158)

 -- Emmanuel Bourg <email address hidden>  Mon, 12 Oct 2020 17:16:57 +0200
Superseded in hirsute-release
Obsolete in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
tomcat9 (9.0.37-3) unstable; urgency=medium

  * control: Bump build-dep on bnd, drop bnd compat and re-export patches.
    (Closes: #964433)

 -- Timo Aaltonen <email address hidden>  Thu, 06 Aug 2020 18:59:11 +0300
Superseded in groovy-proposed
tomcat9 (9.0.37-2) unstable; urgency=medium

  * d/p/0029-fix-regression-in-bz64540.patch: Re-export util.net.jsse
    and util.modeler.modules. (Closes: #964433)

 -- Timo Aaltonen <email address hidden>  Tue, 28 Jul 2020 14:09:13 +0300
Superseded in groovy-proposed
tomcat9 (9.0.37-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Fixed the compatibility with the version of bnd in Debian
  * Restored execute permission on /var/log/tomcat9 to the adm group

 -- Emmanuel Bourg <email address hidden>  Mon, 06 Jul 2020 22:39:32 +0200
Superseded in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
tomcat9 (9.0.36-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Grant write access on /var/log/tomcat9 to the adm group (LP: #1861881)

 -- Emmanuel Bourg <email address hidden>  Tue, 23 Jun 2020 11:47:47 +0200
Superseded in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
tomcat9 (9.0.35-1) unstable; urgency=medium

  * New upstream release
    - Fixes CVE-2020-9484: Remote Code Execution via session persistence (Closes: #961209)
    - Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Thu, 21 May 2020 15:50:03 +0200
Superseded in groovy-release
Deleted in groovy-proposed (Reason: moved to Release)
tomcat9 (9.0.34-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Depend on libeclipse-jdt-core-java (>= 3.18.0)
  * Switch to debhelper level 12

 -- Emmanuel Bourg <email address hidden>  Mon, 27 Apr 2020 00:36:59 +0200
Superseded in groovy-release
Published in focal-release
Deleted in focal-proposed (Reason: moved to Release)
tomcat9 (9.0.31-1) unstable; urgency=medium

  * New upstream release
    - Fixes CVE-2019-10072: Denial of Service (Closes: #930872)
    - Fixes CVE-2019-12418: Local Privilege Escalation
    - Fixes CVE-2019-17563: Session fixation attack
    - Fixes CVE-2019-17569: HTTP Request Smuggling
    - Fixes CVE-2020-1935: HTTP Request Smuggling
    - Fixes CVE-2020-1938: AJP Request Injection (Closes: #952437)
    - Fixes CATALINA_PID handling in catalina.sh (Closes: #948553)
    - Refreshed the patches
    - Fixed the compilation with Java 11
  * Moved the RequiresMountsFor directive in the service file
    to the Unit section (Closes: #942316)
  * Tightened the dependency on systemd (Closes: #931997)
  * Standards-Version updated to 4.5.0

 -- Emmanuel Bourg <email address hidden>  Mon, 24 Feb 2020 23:37:00 +0100
Superseded in focal-release
Deleted in focal-proposed (Reason: moved to Release)
tomcat9 (9.0.27-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.4.1

 -- Emmanuel Bourg <email address hidden>  Mon, 14 Oct 2019 11:31:50 +0200
Obsolete in disco-updates
Obsolete in disco-security
tomcat9 (9.0.16-3ubuntu0.19.04.1) disco-security; urgency=medium

  * SECURITY UPDATE: XSS attack on SSI printenv command
    - debian/patches/CVE-2019-0221.patch: escape debug output to aid
      readability
    - CVE-2019-0221
  * SECURITY UPDATE: DoS via thread exhaustion
    - debian/patches/CVE-2019-10072-1.patch: expand HTTP/2 timeout
      handling to connection window exhaustion on write.
    - debian/patches/CVE-2019-10072-2.patch: Fix test failures. Handle
      full allocation case.
    - CVE-2019-10072

 -- Emilia Torino <email address hidden>  Wed, 11 Sep 2019 14:56:27 -0300
Superseded in bionic-updates
Superseded in bionic-security
tomcat9 (9.0.16-3ubuntu0.18.04.1) bionic-security; urgency=medium

  * SECURITY UPDATE: XSS attack on SSI printenv command
    - debian/patches/CVE-2019-0221.patch: escape debug output to aid
      readability
    - CVE-2019-0221
  * SECURITY UPDATE: DoS via thread exhaustion
    - debian/patches/CVE-2019-10072-1.patch: expand HTTP/2 timeout
      handling to connection window exhaustion on write.
    - debian/patches/CVE-2019-10072-2.patch: Fix test failures. Handle
      full allocation case.
    - CVE-2019-10072

 -- Emilia Torino <email address hidden>  Wed, 11 Sep 2019 16:47:51 -0300
Superseded in focal-release
Obsolete in eoan-release
Deleted in eoan-proposed (Reason: moved to release)
tomcat9 (9.0.24-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <email address hidden>  Thu, 22 Aug 2019 13:55:14 +0200
Superseded in eoan-release
Deleted in eoan-proposed (Reason: moved to release)
tomcat9 (9.0.22-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Track and download the new releases from GitHub
  * Standards-Version updated to 4.4.0

 -- Emmanuel Bourg <email address hidden>  Fri, 12 Jul 2019 15:01:28 +0200
Superseded in eoan-release
Deleted in eoan-proposed (Reason: moved to release)
tomcat9 (9.0.16-4) unstable; urgency=medium

  * Team upload.

  [ Emmanuel Bourg ]
  * Fixed CVE-2019-0221: The SSI printenv command echoes user provided data
    without escaping and is, therefore, vulnerable to XSS. SSI is disabled
    by default (Closes: #929895)

  [ Thorsten Glaser ]
  * Remove -XX:+UseG1GC from standard JAVA_OPTS; the JRE chooses
    a suitable GC automatically anyway (Closes: #925928)
  * Correct the ownership and permissions on the log directory:
    group adm and setgid (Closes: #925929)
  * Make the startup script honour the (renamed) $SECURITY_MANAGER
  * debian/libexec/tomcat-locate-java.sh: Remove shebang and make
    not executable as this is only ever sourced (makes no sense otherwise)

  [ Christian Hänsel ]
  * Restored the variable expansion in /etc/default/tomcat9 (Closes: #926319)

 -- Emmanuel Bourg <email address hidden>  Thu, 13 Jun 2019 23:26:12 +0200
Obsolete in cosmic-updates
Obsolete in cosmic-security
Deleted in cosmic-proposed (Reason: moved to -updates)
tomcat9 (9.0.16-3~18.10) cosmic; urgency=medium

  * Backport for OpenJDK 11. LP: #1817567.

Superseded in bionic-updates
Superseded in bionic-security
Deleted in bionic-proposed (Reason: moved to -updates)
tomcat9 (9.0.16-3~18.04.1) bionic; urgency=medium

  * Don't set nologin shell in sysusers.d/tomcat9.conf
    It is the default anyway and systemd-sysusers in 18.04 can't parse it.
    (LP: #1823125)

Superseded in cosmic-proposed
Superseded in bionic-proposed
tomcat9 (9.0.16-3~18.04) bionic; urgency=medium

  * Backport for OpenJDK 11. LP: #1817567.

Superseded in eoan-release
Obsolete in disco-release
Deleted in disco-proposed (Reason: moved to release)
tomcat9 (9.0.16-3) unstable; urgency=medium

  * Removed read/write access to /var/lib/solr (Closes: #923299)
  * Removed the broken catalina-ws.jar and catalina-jmx-remote.jar
    symlinks in /usr/share/tomcat9/lib/

 -- Emmanuel Bourg <email address hidden>  Tue, 26 Feb 2019 09:31:13 +0100
Superseded in disco-release
Deleted in disco-proposed (Reason: moved to release)
tomcat9 (9.0.16-2) unstable; urgency=medium

  * Team upload.
  * tomcat9.service: Permit read and write access to /var/lib/solr too.
    (Closes: #919638)

 -- Markus Koschany <email address hidden>  Mon, 18 Feb 2019 20:58:51 +0100
Superseded in disco-release
Deleted in disco-proposed (Reason: moved to release)
tomcat9 (9.0.16-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Install the new Chinese, Czech, German, Korean and Portuguese translations
    - No longer build the extra WS and JMX jars
  * Standards-Version updated to 4.3.0

 -- Emmanuel Bourg <email address hidden>  Fri, 08 Feb 2019 08:26:48 +0100
Superseded in disco-release
Deleted in disco-proposed (Reason: moved to release)
tomcat9 (9.0.14-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Create the /var/log/tomcat9/ and /var/cache/tomcat9/ directories
    at install time (Closes: #915791)
  * Tightened the dependency on systemd

 -- Emmanuel Bourg <email address hidden>  Wed, 12 Dec 2018 13:45:52 +0100
Superseded in disco-release
Deleted in disco-proposed (Reason: moved to release)
tomcat9 (9.0.13-2) unstable; urgency=medium

  * Install the tomcat-embed-* artifacts with the 9.x version (Closes: #915578)
  * Modified the dependencies required for creating the tomcat user
    (adduser is replaced by systemd) (Closes: #915586)
  * Fixed the tomcat-jasper pom to reference the ECJ dependency
    from libeclipse-jdt-core-java
  * Removed the redundant ReadWritePaths options in the service file for the log
    and cache directories (Thanks to Lennart Poettering for the suggestion)

 -- Emmanuel Bourg <email address hidden>  Wed, 05 Dec 2018 10:04:52 +0100
Superseded in disco-release
Deleted in disco-proposed (Reason: moved to release)
tomcat9 (9.0.13-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Renamed the package to tomcat9
    - Removed the libservlet3.1-java package. From now on the Servlet API
      is packaged in a separate package independent from Tomcat.
    - Depend on libeclipse-jdt-core-java (>= 3.14.0) instead of libecj-java
    - Updated the policy files in /etc/tomcat8/policy.d/
    - Use the OSGi metadata generated by the upstream build
    - Deploy the Tomcat artifacts in the Maven repository with the 9.x version
    - Updated the README file
  * Removed the SysV init script
  * Restart the server automatically on failures
  * Use a fixed non-configurable user 'tomcat' to run the server
  * Removed the debconf integration. Since the user is now unmodifiable,
    the remaining configuration parameter JAVA_OPTS can be edited in
    /etc/default/tomcat9
  * No longer add the 'common', 'server' and 'shared' directories under
    CATALINA_HOME and CATALINA_BASE to the classpath. Extra jar files should go
    to the 'lib' directory.
  * Let Tomcat handle the rotation of its log files with the maxDays parameter
    of the valves and log handlers instead of relying on a cron job
  * Renamed the TOMCAT_SECURITY parameter to SECURITY_MANAGER in the service
    configuration file
  * Simplified the postinst script by using systemd-sysusers to create
    the 'tomcat' user
  * No longer create the /etc/tomcat9/Catalina/localhost directory at install
    time and let Tomcat create it automatically
  * Let systemd automatically create /var/log/tomcat9 and /var/cache/tomcat9
  * Prevent Tomcat from writing outside of /var/log/tomcat9, /var/cache/tomcat9,
    /var/lib/tomcat9/webapps and /etc/tomcat9/Catalina by default. This can be
    overridden (see the README file).
  * Build and install the extra jar catalina-ws.jar
  * No longer recommend libcommons-pool-java and libcommons-dbcp-java since
    Tomcat already embeds its own version of these libraries
  * Support three-way merge when upgrading the configuration files
  * Use the G1 garbage collector by default instead of Concurrent Mark Sweep
  * The setenv.sh script in tomcat9-user and the service startup script now
    share the same JDK detection logic

 -- Emmanuel Bourg <email address hidden>  Wed, 28 Nov 2018 15:06:00 +0100