Changelog

tomcat8 (8.5.21-1ubuntu1~ubuntu16.04.1~c42.ppa1) xenial; urgency=medium

  * No-change backport to xenial

tomcat8 (8.5.21-1ubuntu1) artful; urgency=medium

  * Demote libtcnative-1 from Recommends to Suggests as it is in
    universe.

tomcat8 (8.5.21-1) unstable; urgency=medium

  * Team upload.

  [ Emmanuel Bourg ]
  * New upstream release
    - Refreshed the patches
    - Disabled Checkstyle
  * Changed the Class-Path manifest entry of tomcat8-jasper.jar to use
    the specification jars from libtomcat8-java instead of libservlet3.1-java
    (Closes: #867247)

  [ Miguel Landaeta ]
  * Remove myself from uploaders. (Closes: #871892)
  * Update copyright info.

tomcat8 (8.5.16-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.0.0

tomcat8 (8.5.15-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches

tomcat8 (8.5.14-2) unstable; urgency=high

  * Team upload.
  * Fixed CVE-2017-5664: Static error pages can be overwritten if the
    DefaultServlet is configured to permit writes (Closes: #864447)

tomcat8 (8.5.14-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Removed the CVE patches (fixed in this release)

tomcat8 (8.5.12-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches

tomcat8 (8.5.11-2) unstable; urgency=medium

  * Team upload.
  * Fix the following security vulnerabilities (Closes: #860068):
    Thanks to Salvatore Bonaccorso for the report.
   - CVE-2017-5647:
     A bug in the handling of the pipelined requests when send file was used
     resulted in the pipelined request being lost when send file processing of
     the previous request completed. This could result in responses appearing
     to be sent for the wrong request. For example, a user agent that sent
     requests A, B and C could see the correct response for request A, the
     response for request C for request B and no response for request C.
   - CVE-2017-5648:
     It was noticed that some calls to application listeners did not use the
     appropriate facade object. When running an untrusted application under a
     SecurityManager, it was therefore possible for that untrusted application
     to retain a reference to the request or response object and thereby access
     and/or modify information associated with another web application.
   - CVE-2017-5650:
     The handling of an HTTP/2 GOAWAY frame for a connection did not close
     streams associated with that connection that were currently waiting for a
     WINDOW_UPDATE before allowing the application to write more data. These
     waiting streams each consumed a thread. A malicious client could therefore
     construct a series of HTTP/2 requests that would consume all available
     processing threads.
   - CVE-2017-5651:
     The refactoring of the HTTP connectors for 8.5.x onwards introduced a
     regression in the send file processing. If the send file processing
     completed quickly, it was possible for the Processor to be added to the
     processor cache twice. This could result in the same Processor being used
     for multiple requests which in turn could lead to unexpected errors and/or
     response mix-up.
  * debian/control: tomcat8: Fix Lintian error and depend on lsb-base.

tomcat8 (8.5.11-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Recommend Java 8 in /etc/default/tomcat8

tomcat8 (8.5.9-2) unstable; urgency=medium

  * Team upload.
  * Require Java 8 or higher (Closes: #848612)

tomcat8 (8.5.9-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Restored the classloading from the common, server and shared directories
    under CATALINA_BASE (Closes: #847137)
  * Fixed the installation error when JAVA_OPTS in /etc/default/tomcat8
    contains the '%' character (Closes: #770911)

tomcat8 (8.5.8-2) unstable; urgency=medium

  * Team upload.
  * Upload to unstable.
  * No longer make /etc/tomcat8/Catalina/localhost writable by the tomcat8 user
    in the postinst script (Closes: #845393)
  * The tomcat8 user is no longer removed when the package is purged
    (Closes: #845385)
  * Compress and remove the access log files with a .txt extension
    (Closes: #845661)
  * Added the delaycompress option to the logrotate configuration
    of catalina.out (Closes: #843135)
  * Changed the home directory for the tomcat8 user from /usr/share/tomcat8
    to /var/lib/tomcat8 (Closes: #833261)
  * Aligned the logging configuration with the upstream one
  * Set the proper permissions for /etc/tomcat8/jaspic-providers.xml
  * Install the new library jaspic-api.jar
  * Install the Maven artifacts for tomcat-storeconfig
  * Simplified debian/rules

tomcat8 (8.5.8-1) experimental; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Tomcat no longer builds tomcat-embed-logging-juli.jar
    - Updated the policy files
    - Added a NEWS file detailing the major changes in Tomcat 8.5.x
  * Enabled the APR library loading by default (required for HTTP/2 support)
  * Promoted libtcnative-1 from suggested to recommended dependency
  * Enabled the APR tests
  * Fixed the test failure with TestStandardContextAliases
  * Added a link to the Tomcat 8.5 migration guide in README.Debian
  * Adapted debian/orig-tar.sh to download the 8.5.x releases

tomcat8 (8.0.39-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches

tomcat8 (8.0.38-2) unstable; urgency=high

  * Team upload.
  * CVE-2016-1240 follow-up:
    - The previous init.d fix was vulnerable to a race condition that could
      be exploited to make any existing file writable by the tomcat user.
      Thanks to Paul Szabo for the report and the fix.
    - The catalina.policy file generated on startup was affected by a similar
      vulnerability that could be exploited to overwrite any file on the system.
      Thanks to Paul Szabo for the report.
  * Install the extra jar catalina-jmx-remote.jar (Closes: #762916)
  * Added the new libtomcat8-embed-java package containing the libraries
    for embedding Tomcat into other applications.
  * Switch to debhelper level 10

tomcat8 (8.0.38-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Hardened the init.d script, thanks to Paul Szabo (Closes: #840685)
  * Fixed the OSGi metadata for tomcat8-jasper.jar and tomcat8-jasper-el.jar
  * Depend on libcglib-nodep-java instead of libcglib3-java
  * Removed the unused Lintian overrides

tomcat8 (8.0.37-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Removed 0001-set-UTF-8-as-default-character-encoding.patch (fixed upstream)

tomcat8 (8.0.36-3) unstable; urgency=high

  * Team upload.
  * Fixed CVE-2016-1240: A flaw in the init.d startup script allows local
    attackers who have gained access to the server in the context of the
    tomcat user through a vulnerability in a web application to replace
    the catalina.out file with a symlink to an arbitrary file on the system,
    potentially leading to a root privilege escalation.
    Thanks to Dawid Golunski for the report.
  * Removed the default 128M heap limit (LP: #568823)
  * Depend on taglibs-standard instead of jakarta-taglibs-standard

tomcat8 (8.0.36-2) unstable; urgency=medium

  * Team upload.
  * Do not unconditionally overwrite files in /etc/tomcat8 anymore.
    (Closes: #825786)
  * Change file permissions to 640 for Debian files in /etc/tomcat8.

tomcat8 (8.0.36-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Depend on libecj-java (>= 3.11.0)
  * Standards-Version updated to 3.9.8 (no changes)
  * Use a secure Vcs-Git URL

 -- <email address hidden> (H.-Dirk Schmitt)  Sun, 05 Nov 2017 22:33:49 +0100
