-
tomcat9 (9.0.58-1ubuntu0.1) jammy; urgency=medium
* Fix logging for unprivileged rsyslogd (LP: #1964881):
- d/logrotate.template: use syslog:adm for log rotation so that
rsyslog can write to the file
- d/rsyslog/tomcat9.conf: drop "fileOwner" as it cannot be set by an
unprivileged rsyslogd
- d/tomcat9.postinst: adjust ownership of catalina.out so that
rsyslogd can write to it. Also change the rotated log files for
consistency.
-- Andreas Hasenack <email address hidden> Wed, 20 Jul 2022 16:05:45 -0300
-
tomcat9 (9.0.58-1) unstable; urgency=medium
* Team upload.
* New upstream version 9.0.58.
* Add disable-jacoco.patch and remove the dependency on jacoco when running
the test suite.
-- Markus Koschany <email address hidden> Wed, 09 Feb 2022 15:51:20 +0100
-
tomcat9 (9.0.55-1) unstable; urgency=medium
* Team upload.
* New upstream version 9.0.55.
-- Markus Koschany <email address hidden> Mon, 15 Nov 2021 22:12:42 +0100
-
tomcat9 (9.0.54-1) unstable; urgency=medium
* Team upload.
* New upstream version 9.0.54.
- Fix CVE-2021-42340:
The fix for bug 63362 introduced a memory leak. The object introduced to
collect metrics for HTTP upgrade connections was not released for
WebSocket connections once the connection was closed. This created a
memory leak that, over time, could lead to a denial of service via an
OutOfMemoryError.
* Update 0010-debianize-build-xml.patch and depend on the setup-bnd task to
prevent a FTBFS when building the tests. This replaces the workaround by
setting addOSGi to false.
Thanks to Aurimas FiĊĦeras for the report.
-- Markus Koschany <email address hidden> Fri, 22 Oct 2021 21:59:08 +0200
-
tomcat9 (9.0.53-1) unstable; urgency=medium
* Team upload.
* New upstream version 9.0.53.
- Drop security patches. Fixed upstream.
- Fix CVE-2021-41079:
Apache Tomcat did not properly validate incoming TLS packets. When Tomcat
was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially
crafted packet could be used to trigger an infinite loop resulting in a
denial of service.
* Declare compliance with Debian Policy 4.6.0.
* Set the fileOwner of catalina.out to tomcat explicitly.
Thanks to Adam Cecile for the report. (Closes: #987179)
* Refresh 0021-dont-test-unsupported-ciphers.patch
* tomcat9.cron.daily: Set maxdepth to 1 so that log files of custom
applications in subdirectories of /var/log/tomcat9 are not compressed.
Thanks to Ludovic Pouzenc for the report. (Closes: #982961)
* Exclude TestJNDIRealmIntegration because of missing dependencies.
* d/rules: dh_auto_test override: Set addOSGi to false when building the
tests to prevent a FTBFS.
-- Markus Koschany <email address hidden> Fri, 24 Sep 2021 15:37:51 +0200
-
tomcat9 (9.0.43-3) unstable; urgency=medium
* Team upload.
* CVE-2021-30640: Fix NullPointerException.
If no userRoleAttribute is specified in the user's Realm configuration its
default value will be null. This will cause a NPE in the methods
doFilterEscaping and doAttributeValueEscaping. This is upstream bug
https://bz.apache.org/bugzilla/show_bug.cgi?id=65308
-- Markus Koschany <email address hidden> Tue, 10 Aug 2021 17:17:56 +0200
