tomcat6 (6.0.35-1ubuntu3.8) precise-security; urgency=medium * SECURITY UPDATE: privilege escalation via insecure init script - debian/tomcat6.init: don't follow symlinks when handling the catalina.out file. - CVE-2016-1240 * SECURITY REGRESSION: change in behaviour after security update - debian/patches/CVE-2015-5345-2.patch: change mapperContextRootRedirectEnabled default to true in java/org/apache/catalina/core/StandardContext.java, webapps/docs/config/context.xml. This reverts the change in behaviour following the CVE-2015-5345 security update and was also done upstream in later releases. -- Marc Deslauriers Fri, 16 Sep 2016 09:34:48 -0400 tomcat6 (6.0.35-1ubuntu3.7) precise-security; urgency=medium * SECURITY UPDATE: directory traversal vulnerability in RequestUtil.java - debian/patches/CVE-2015-5174.patch: fix normalization edge cases in java/org/apache/tomcat/util/http/RequestUtil.java. - CVE-2015-5174 * SECURITY UPDATE: information disclosure via redirects by mapper - debian/patches/CVE-2015-5345.patch: fix redirect logic in java/org/apache/catalina/Context.java, java/org/apache/catalina/authenticator/FormAuthenticator.java, java/org/apache/catalina/connector/MapperListener.java, java/org/apache/catalina/core/StandardContext.java, java/org/apache/catalina/core/mbeans-descriptors.xml, java/org/apache/catalina/servlets/DefaultServlet.java, java/org/apache/catalina/servlets/WebdavServlet.java, java/org/apache/tomcat/util/http/mapper/Mapper.java, webapps/docs/config/context.xml. - CVE-2015-5345 * SECURITY UPDATE: securityManager restrictions bypass via StatusManagerServlet - debian/patches/CVE-2016-0706.patch: place servlet in restricted list in java/org/apache/catalina/core/RestrictedServlets.properties. - CVE-2016-0706 * SECURITY UPDATE: securityManager restrictions bypass via session-persistence implementation - debian/patches/CVE-2016-0714.patch: extend the session attribute filtering options in java/org/apache/catalina/ha/session/mbeans-descriptors.xml, java/org/apache/catalina/session/LocalStrings.properties, java/org/apache/catalina/session/ManagerBase.java, java/org/apache/catalina/session/mbeans-descriptors.xml, webapps/docs/config/cluster-manager.xml, webapps/docs/config/manager.xml, java/org/apache/catalina/session/StandardManager.java, java/org/apache/catalina/util/CustomObjectInputStream.java. - CVE-2016-0714 * SECURITY UPDATE: securityManager restrictions bypass via crafted global context - debian/patches/CVE-2016-0763.patch: protect initialization in java/org/apache/naming/factory/ResourceLinkFactory.java. - CVE-2016-0763 * SECURITY UPDATE: denial of service in FileUpload - debian/patches/CVE-2016-3092.patch: properly handle size in java/org/apache/tomcat/util/http/fileupload/MultipartStream.java. - CVE-2016-3092 -- Marc Deslauriers Wed, 29 Jun 2016 14:00:46 -0400 tomcat6 (6.0.35-1ubuntu3.6) precise-security; urgency=medium * SECURITY UPDATE: HTTP request smuggling or denial of service via streaming with malformed chunked transfer encoding (LP: #1449975) - debian/patches/CVE-2014-0227.patch: add error flag and improve i18n in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java, java/org/apache/coyote/http11/filters/LocalStrings.properties. - CVE-2014-0227 * SECURITY UPDATE: denial of service via aborted upload attempts (LP: #1449975) - debian/patches/CVE-2014-0230.patch: limit amount of data in java/org/apache/coyote/Constants.java, java/org/apache/coyote/http11/filters/ChunkedInputFilter.java, java/org/apache/coyote/http11/filters/IdentityInputFilter.java, java/org/apache/coyote/http11/filters/LocalStrings.properties, webapps/docs/config/systemprops.xml. - CVE-2014-0230 * SECURITY UPDATE: SecurityManager bypass via Expression Language - debian/patches/CVE-2014-7810.patch: handle classes that may not be accessible but have accessible interfaces in java/javax/el/BeanELResolver.java, remove unnecessary code in java/org/apache/jasper/runtime/PageContextImpl.java, java/org/apache/jasper/security/SecurityClassLoad.java. - CVE-2014-7810 -- Marc Deslauriers Mon, 22 Jun 2015 08:16:23 -0400 tomcat6 (6.0.35-1ubuntu3.5) precise-security; urgency=medium * SECURITY UPDATE: denial of service via malformed chunk size - debian/patches/CVE-2014-0075.patch: fix overflow in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java. - CVE-2014-0075 * SECURITY UPDATE: file disclosure via XXE issue - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a relative path in conf/web.xml, java/org/apache/catalina/servlets/DefaultServlet.java, java/org/apache/catalina/servlets/LocalStrings.properties, webapps/docs/default-servlet.xml. - CVE-2014-0096 * SECURITY UPDATE: HTTP request smuggling attack via crafted Content-Length HTTP header - debian/patches/CVE-2014-0099.patch: correctly handle long values in java/org/apache/tomcat/util/buf/Ascii.java. - CVE-2014-0099 -- Marc Deslauriers Thu, 24 Jul 2014 15:38:01 -0400 tomcat6 (6.0.35-1ubuntu3.4) precise-security; urgency=medium * SECURITY UPDATE: request smuggling attack via content-length headers - debian/patches/CVE-2013-4286.patch: handle multiple content lengths in java/org/apache/coyote/ajp/AbstractAjpProcessor.java, java/org/apache/coyote/ajp/AjpProcessor.java, handle content length and chunked encoding being both specified in java/org/apache/coyote/http11/Http11AprProcessor.java, java/org/apache/coyote/http11/Http11NioProcessor.java, java/org/apache/coyote/http11/Http11Processor.java. - CVE-2013-4286 * SECURITY UPDATE: denial of service via chunked transfer coding - debian/patches/CVE-2013-4322.patch: limit length of extension data in java/org/apache/coyote/Constants.java, java/org/apache/coyote/http11/filters/ChunkedInputFilter.java, webapps/docs/config/systemprops.xml. - CVE-2013-4322 * SECURITY UPDATE: session fixation attack via crafted URL - debian/patches/CVE-2014-0033.patch: properly handle disableURLRewriting in java/org/apache/catalina/connector/CoyoteAdapter.java. - CVE-2014-0033 -- Marc Deslauriers Tue, 04 Mar 2014 11:14:51 -0500 tomcat6 (6.0.35-1ubuntu3.3) precise-security; urgency=low * SECURITY UPDATE: denial of service via chunked transfer encoding - debian/patches/CVE-2012-3544.patch: properly parse CRLF in requests in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java. - CVE-2012-3544 * SECURITY UPDATE: FORM authentication request injection - debian/patches/CVE-2013-2067.patch: properly change session ID in java/org/apache/catalina/authenticator/FormAuthenticator.java. - CVE-2013-2067 -- Marc Deslauriers Tue, 21 May 2013 09:39:22 -0400 tomcat6 (6.0.35-1ubuntu3.2) precise-security; urgency=low * SECURITY UPDATE: security-constraint bypass with FORM auth - debian/patches/CVE-2012-3546.patch: remove unneeded code in java/org/apache/catalina/realm/RealmBase.java. - CVE-2012-3546 * SECURITY UPDATE: CSRF bypass via request with no session identifier - debian/patches/CVE-2012-4431.patch: check for session identifier in java/org/apache/catalina/filters/CsrfPreventionFilter.java. - CVE-2012-4431 * SECURITY UPDATE: denial of service with NIO connector - debian/patches/CVE-2012-4534.patch: properly handle connection breaks in java/org/apache/tomcat/util/net/NioEndpoint.java. - CVE-2012-4534 -- Marc Deslauriers Thu, 10 Jan 2013 09:51:09 -0500 tomcat6 (6.0.35-1ubuntu3.1) precise-security; urgency=low * SECURITY UPDATE: denial of service via large header data - debian/patches/0012-CVE-2012-2733.patch: improve size logic in java/org/apache/coyote/http11/InternalNioInputBuffer.java. - CVE-2012-2733 * SECURITY UPDATE: multiple HTTP Digest Access Authentication flaws - debian/patches/0013-CVE-2012-588x.patch: disable caching of an authenticated user in the session by default, track server rather than client nonces, better handling of stale nonce values in java/org/apache/catalina/authenticator/DigestAuthenticator.java. - CVE-2012-3439 - CVE-2012-5885 - CVE-2012-5886 - CVE-2012-5887 -- Marc Deslauriers Wed, 21 Nov 2012 10:36:18 -0500 tomcat6 (6.0.35-1ubuntu3) precise; urgency=low * Handle creation of user instances with pathnames containing spaces (LP: #977498): - d/tomcat6-instance-create: Quote access to files and directories so that spaces can be used when creating user instances. -- James Page Wed, 11 Apr 2012 10:29:11 +0100 tomcat6 (6.0.35-1ubuntu2) precise; urgency=low * init: Make NAME dynamic, to allow starting multiple instances. -- Timo Aaltonen Fri, 16 Mar 2012 16:31:20 +0200 tomcat6 (6.0.35-1ubuntu1) precise; urgency=low * debian/patches/0011-CVE-2012-0022-regression-fix.patch: fix regression from the CVE-2012-0022 security fix that went into 6.0.35. -- Marc Deslauriers Mon, 13 Feb 2012 09:03:18 -0500 tomcat6 (6.0.35-1) unstable; urgency=low [ Miguel Landaeta ] * New upstream release. * Add myself to Uploaders. * Remove 0013-CVE-2011-3190.patch since it was included upstream. * Add mh_clean call in clean target. * Fix error in debian/rules that caused tomcat to report no version. Thanks to Jorge Barreiro for the patch. (Closes: #650656). [ tony mancill ] * Update Vcs-* fields in debian/control for switch to git. * Update to run with openjdk-7 and openjdk-6 when not default-jdk is not present. (Closes: #651448) * Allow java?-runtime-headless to satisfy Depends. * Add myself to Uploaders. -- tony mancill Mon, 12 Dec 2011 22:46:36 -0800 tomcat6 (6.0.33-1) unstable; urgency=low * Team upload. * New upstream release. * Remove the following patches (included upstream): - 0011-623242.patch - 0012-CVE-2011-2204.patch - 0015-CVE-2011-2526.patch - 0014-CVE-2011-1184.patch * Add patch for multi-instance startup. CATALINA_HOME no longer depends on the instance $NAME. JVM_TMP is now $NAME-specific. - Thank you to Julien Wajsberg. (Closes: #644365) * Add dependency on JRE to tomcat6-common (Closes: #644340) * Modify init script to look for JVM in /usr/lib/jvm/default-java -- tony mancill Mon, 28 Nov 2011 21:28:52 -0800 tomcat6 (6.0.32-7) unstable; urgency=medium [ tony mancill ] * Team upload. * Add "unset LC_ALL" to /etc/defaults/tomcat6 to prevent user environment settings from leaking into the servlet container. - Thank you to Nicolas Pichon. (Closes: #645221) * Apply patch for CVE-2011-1184 and CVE-2011-2526. - Thank you to Marc Deslauriers. (Closes: #648038) [ Niels Thykier ] * Added build-arch and build-indep targets in d/rules. -- tony mancill Tue, 08 Nov 2011 10:42:32 -0800 tomcat6 (6.0.32-6) unstable; urgency=medium [ tony mancill ] * Team upload. * Update Korean debconf translation. (Closes: #630950, 631482) Thanks to si-cheol Ko. * Add Dutch debconf translation. (Closes: #637507) Thanks to Jeroen Schot. [ Niels Thykier ] * Removed myself from uploaders. [ James Page ] * Added patch for CVE-2011-3190 (LP: #843701). -- tony mancill Sat, 17 Sep 2011 09:48:42 -0700 tomcat6 (6.0.32-5) unstable; urgency=low * Team upload. * Add Catalan debconf translation ca.po (Closes: #630073). * Correct Suggests for libtcnative-1 (tomcat-native) (Closes: #631919) * Add patch for CVE-2011-2204 (Closes: #632882) -- tony mancill Wed, 06 Jul 2011 21:23:58 -0700 tomcat6 (6.0.32-4) unstable; urgency=low * Team upload. * Add Italian debconf translation. Thanks to Dario Santamaria (Closes: #624376) * Add logrotate for catalina.out (Closes: 607050) * Bump standards version to 3.9.2 (no changes needed). -- tony mancill Wed, 08 Jun 2011 22:13:07 -0700 tomcat6 (6.0.32-3) unstable; urgency=low * Team upload. * Include upstream patch for ASF Bugzilla - Bug 50700 (Context parameters are being overridden with parameters from the web application deployment descriptor) (Closes: #623242) -- tony mancill Mon, 18 Apr 2011 20:38:29 -0700 tomcat6 (6.0.32-2) unstable; urgency=low * Team upload. [ tony mancill ] * Patch debian/tomcat6-instance-create (LP: #707405) tomcat6-instance-create should accept -1 as the value of -c option as per http://tomcat.apache.org/tomcat-6.0-doc/config/server.html Thanks to Dave Walker. (Closes: #617553) * Move tomcat6-instance-create manpage from section 2 to section 8. Thanks to brian m. carlson (Closes: #607682) * Add tomcat6-extras package. Currently includes only catalina-jmx-remote.jar (Closes: #614333) [ Thierry Carrez ] * debian/tomcat6-instance-create: Eclipse can now be configured to use a user instance of tomcat6 using tomcat6-instance-create without any additional work. Patch from Abhinav Upadhyay (Closes: #551091, LP: #297675) -- tony mancill Sun, 03 Apr 2011 21:16:08 -0700 tomcat6 (6.0.32-1) unstable; urgency=low * Team upload. * New upstream release * Remove following patches applied upstream: CVE-2010-4172, CVE-2011-0534, CVE-2010-3718, CVE-2011-0013, 0009-allow-empty-PID-file.patch * Adjust 0004-split-deploy-webapps-target-from-deploy-target.patch -- tony mancill Tue, 15 Feb 2011 22:41:42 -0800 tomcat6 (6.0.28-10) unstable; urgency=medium * Team upload. * Add Portuguese/Brazilian debconf translation. Thanks to José de Figueiredo (Closes: #608527) * Add patches for CVE-2011-0534, CVE-2010-3718, CVE-2011-0013 (Closes: #612257) -- tony mancill Wed, 09 Feb 2011 21:49:33 -0800 tomcat6 (6.0.28-9) unstable; urgency=medium * Team upload. * Update URL for manager application in README.Debian Thanks to Ernesto Ongaro (Closes: #606170) * Add patch for CVE-2010-4172. (Closes: #606388) -- tony mancill Thu, 09 Dec 2010 22:52:08 -0800 tomcat6 (6.0.28-8) unstable; urgency=low * Team upload. [ Thierry Carrez (ttx) ] * Do not fail to purge if /etc/tomcat6 was manually removed (LP: #648619) * Add missing -p option in start-stop-daemon when starting tomcat6 to avoid failing to start due to /bin/bash running (LP: #632554) * Fix build failure (missing TraXLiaison class) by adding ant-nodeps to the classpath. [ tony mancill ] * Use debconf to determine tomcat6 user and group to delete upon purge. Thanks to Misha Koshelev. (Closes: #599458) * Add tomcat-native to Suggests: for tomcat6 binary package. Thanks to Eddy Petrisor (Closes: #600590) * Add Danish debconf template translation. Thanks to Joe Dalton (Closes: #605070) * Actually add the Czech debconf template translation. Thanks this time to Christian PERRIER (Closes: #597863) -- tony mancill Sat, 04 Dec 2010 17:20:11 -0800 tomcat6 (6.0.28-7) unstable; urgency=low * Team upload. * Add Czech debconf template translation. Thanks to Michal Simunek. (Closes: #597863) * Add Spanish debconf template translation. Thanks to Javier Fernández-Sanguino (Closes: #599230) * Modify postinst to handle JAVA_OPTS strings containing the '/' character. This was causing upgrade failures for users. (Closes: #597814) -- tony mancill Wed, 06 Oct 2010 14:40:19 -0700 tomcat6 (6.0.28-6) unstable; urgency=low * Team upload. * Add Japanese debconf template translation. Thanks to Hideki Yamane. (Closes: #595460) * Add Russian debconf template translation. Thanks to Yuri Kozlov. (Closes: #592627) * Add Portuguese debconf template translation. Thanks to Américo Monteiro. (Closes: #592655) * Add Swedish debconf template translation. Thanks to Martin Bagge. (Closes: #593676) * Add German debconf template translation. Thanks to Holger Wansing. (Closes: #593200) -- tony mancill Fri, 17 Sep 2010 21:30:27 -0700 tomcat6 (6.0.28-5) unstable; urgency=low * Team upload. [Thierry Carrez (ttx)] * Check for group existence to avoid postinst failure (LP: #611721) [tony mancill] * Add French debconf template translation. Thanks to Steve Petruzzello. (Closes: #594313) -- tony mancill Thu, 02 Sep 2010 21:49:08 -0700 tomcat6 (6.0.28-4) unstable; urgency=medium * Ignore most errors during purge. (Closes: #591867) * Add po-debconf support. -- Torsten Werner Fri, 06 Aug 2010 04:08:40 +0200 tomcat6 (6.0.28-3) unstable; urgency=low * UNRELEASED * Fix filename of /etc/tomcat6/tomcat-users in README.Debian. Thanks to Olivier Berger. (Closes: #590085) -- Torsten Werner Fri, 23 Jul 2010 23:36:49 +0200 tomcat6 (6.0.28-2) unstable; urgency=low * Add debconf questions for user, group and Java options. * Use ucf to install /etc/default/tomcat6 from a template * Drop CATALINA_BASE and CATALINA_HOME from /etc/default/tomcat6 since we shouldn't encourage users to change those anyway -- Thierry Carrez Tue, 20 Jul 2010 14:36:48 +0200 tomcat6 (6.0.28-1) unstable; urgency=low [ Niels Thykier ] * Removed depends on JREs for the library packages. It is no longer required by the policy. [ Torsten Werner ] * New upstream release (Closes: #588813) - Fixes CVE-2010-2227: DoS and information disclosure * Remove 2 patches that were backports to 6.0.26. -- Torsten Werner Mon, 19 Jul 2010 18:22:52 +0200 tomcat6 (6.0.26-5) unstable; urgency=medium * Convert patches to dep3 format. * Backport security fix from trunk to fix CVE-2010-1157. (Closes: #587447) * Set urgency to medium due to the security fix. -- Torsten Werner Mon, 28 Jun 2010 21:41:31 +0200 tomcat6 (6.0.26-4) unstable; urgency=low [ Thierry Carrez ] * Fix issues preventing from running Tomcat6 with a security manager: - debian/tomcat6.init: Remove duplicate securitymanager options. - debian/patches/catalina-sh-security-manager.patch: Use the right location for the security.policy file in catalina.sh. - Closes: #585379, LP: #591802. Thanks to Jeff Turner for the original patches and to Adam Guthrie for the Lucid debdiff. * Allow binding to any interface when using authbind, rather than only allow binding to all (LP: #594989) * Force backgrounding of catalina.sh in start-stop-daemon, to allow the init script to be started through ssh -t (LP: #588481) [ Torsten Werner ] * Remove Paul from Uploaders list. -- Thierry Carrez Thu, 24 Jun 2010 15:55:10 +0200 tomcat6 (6.0.26-3) unstable; urgency=low [ Marcus Better ] * Apply upstream fix for deadlock in WebappClassLoader. (Closes: #583896) [ Thierry Carrez ] * debian/tomcat6.{install,postinst}: Do not store the default root webapp in /usr/share/tomcat6/webapps as it increases confusion on what this directory contains (and its relation with /var/lib/tomcat6/webapps). Store it inside /usr/share/tomcat6-root instead (LP: #575303). -- Marcus Better Mon, 31 May 2010 15:50:57 +0200 tomcat6 (6.0.26-2) unstable; urgency=low * debian/tomcat6.{postinst,prerm}: Respect TOMCAT6_USER and TOMCAT6_GROUP as defined in /etc/default/tomcat6 when setting directory permissions and authbind configuration (Closes: #581018, LP: #557300) * debian/tomcat6.postinst: Use group "tomcat6" instead of "adm" for permissions in /var/lib/tomcat6, so that group "adm" doesn't get write permissions over /var/lib/tomcat6/webapps (LP: #569118) -- Thierry Carrez Fri, 21 May 2010 13:51:15 +0200 tomcat6 (6.0.26-1) unstable; urgency=low * New upstream version * Apply patch from Mark Scott to fix tomcat6-instance-create which failed when multiple commandline options are provided, fix creation of FULLPATH (Closes: #575580) -- Ludovic Claude Wed, 21 Apr 2010 23:07:09 +0100 tomcat6 (6.0.24-5) unstable; urgency=low * Added optimised garbage collection options to tomcat6's default options. Thanks to Aaron J. Zirbes and Thierry Carrez for research and the patch. (Closes: LP: #541520) * Updated the changelog to mention closed CVE's in the 6.0.24-1 release. * Applied patch from Arto Jantunen fixing an issue with cleaning up the pid-file. (Closes: #574084) -- Niels Thykier Thu, 25 Mar 2010 23:45:32 +0100 tomcat6 (6.0.24-4) unstable; urgency=low * debian/tomcat6.postrm: fix removal of Tomcat (Closes: #567548) * Set UTF-8 as default character encoding - Patch by Thomas Koch (Closes: #573539) -- Ludovic Claude Thu, 11 Mar 2010 23:45:34 +0100 tomcat6 (6.0.24-3) unstable; urgency=medium * Set the major, minor and build versions when calling Ant (Closes: LP: #495505) * Rebuild with a more recent version of maven-repo-helper which puts the javax jars at the correct location in the Maven repository. Fixes several FTBFS in other packages. -- Ludovic Claude Wed, 03 Mar 2010 00:10:15 +0100 tomcat6 (6.0.24-2) unstable; urgency=low * Fix missing symlinks to tomcat-coyote.jar and catalina-tribes.jar causing NoClassDefFoundException at startup (last minute packaging change, sorry) (Closes: #570220) * tomcat6-admin, tomcat6-examples and tomcat6-docs now depend on tomcat6-common instead of tomcat6, this allow users to install those packages without requiring tomcat6 and its automatic startup scripts being present. tomcat-users can be installed instead and allow full control over when Tomcat is started or stopped. -- Ludovic Claude Wed, 17 Feb 2010 22:59:21 +0100 tomcat6 (6.0.24-1) unstable; urgency=low [ Ludovic Claude ] * New upstream version - Fixes Directory traversal vulnerability (CVE-2009-2693,CVE-2009-2902) - Fixes Autodeployment vulnerability (CVE-2009-2901) * Update the POM files for the new version of Tomcat * Bump up Standards-Version to 3.8.4 * Refresh patches deploy-webapps-build-xml.patch and var_loaders.patch * Remove patch fix_context_name.patch as it has been applied upstream * Fix the installation of servlet-api-2.5.jar: the jar goes to /usr/share/java as in older versions (6.0.20-2) and links to the jar are added to /usr/share/maven-repo * Moved NEWS.Debian into README.Debian * Add a link from /usr/share/doc/tomcat6-common/README.Debian to /usr/share/doc/tomcat6/README.Debian to include a minimum of documentation in the tomcat6 package and add some useful notes. (Closes: #563937, #563939) * Remove poms from the Debian packaging, use upstream pom files [ Jason Brittain ] * Fixed a bug in the init script: When a start fails, the PID file was being left in place. Now the init script makes sure it is deleted. * Fixed a packaging bug that results in the ROOT webapp not being properly installed after an uninstall, then a reinstall. * control: Corrected a couple of comments (no functional change). -- Ludovic Claude Tue, 09 Feb 2010 23:06:51 +0100 tomcat6 (6.0.20-dfsg1-2) unstable; urgency=low * JSVC is no longer used by the package. Instead, the init script invokes the stock catalina.sh script. * Authbind is now the standard method for binding Tomcat to ports lower than 1024 (when using IPv4). * The security manager now defaults to the disabled state, and is commented that way in /etc/default/tomcat6. * Reliable restarts are now implemented in the init script. (Closes: #561559) * Tomcat now sends STDOUT and STDERR to its usual, stock log file CATALINA_BASE/logs/catalina.out (/var/log/tomcat6/catalina.out in this package's case. -- Jason Brittain Wed, 27 Jan 2010 01:08:57 +0000 tomcat6 (6.0.20-dfsg1-1) unstable; urgency=low * Fix debian/orig-tar.sh to exclude binary only standard.jar and jstl.jar. (Closes: #528119) * Upload a cleaned tarball. * Add ${misc:Depends} in debian/control. -- Torsten Werner Sat, 23 Jan 2010 19:40:38 +0100 tomcat6 (6.0.20-9) unstable; urgency=low * Fix spelling issues. * Always set JSVC_CLASSPATH to a default value in init. -- Niels Thykier Sat, 19 Dec 2009 19:11:33 +0100 tomcat6 (6.0.20-8) unstable; urgency=low * Corrected some spelling mistakes in debian/control. (Closes: #557377, #557378) * Added patches to install the OSGi metadata in some of the jars. (Closes: #558176) * Updated 03catalina.policy to allow "setContextClassLoader". - Fixes a problem where Sun's JVM would fail to generate log-files. (Closes: LP: #410379) * Updated /etc/default/tomcat6: - Clarified that JAVA_OPTS are passed to jscv and not the JVM. - Updated the JSP_COMPILER to javac (jikes is not in Debian anymore). (Closes: LP: #440685) * Use default-jdk and default-jre-headless instead of openjdk in (Build-)Depends. * Added more alternatives for java implementations to the Depends of libservlet2.5-java. * Exposed JSVC_CLASSPATH to the configuration file. (Closes: LP: #475457) * Updated description so it no longer refers to non-existent package. (Closes: #559475) * Used "set -e" in postinst and postrm instead of passing "-e" to sh in the #!-line. * Changed to 3.0 (quilt) source format. -- Niels Thykier Mon, 07 Dec 2009 21:17:55 +0100 tomcat6 (6.0.20-7) unstable; urgency=low * New patch fix_context_name.patch: - Allow Service name != Engine name. Regression in fix for 42707. Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47316 - This has been fixed in trunk and will be in 6.0.21 * Register libservlet2.5-java-doc API with doc-base * Fix short description of tomcat6-docs by using "documentation" suffix -- Damien Raude-Morvan Sat, 10 Oct 2009 21:41:55 +0200 tomcat6 (6.0.20-6) unstable; urgency=low [ Ludovic Claude ] * tomcat6.postinst: set the ownership of files in /etc/tomcat6/ to root:tomcat6, to prevent an attacker running inside a tomcat6 instance to change the tomcat configuration * debian/policy/02debian.policy: grant access to /usr/share/maven-repo/ as it is a valid source of Debian JARs. (Closes: #545674) * Bump up Standards-Version to 3.8.3 - add debian/README.source that describes the quilt patch system. * debian/control: Add Conflicts on libtomcat6-java with old versions of tomcat6-common (Closes: #542397) [ Michael Koch ] * Replace dh_clean -k by dh_prep. * Added Ludovic and myself to Uploaders. * Build-Depends on debhelper >= 7. -- Michael Koch Fri, 25 Sep 2009 07:14:07 +0200 tomcat6 (6.0.20-5) unstable; urgency=low * Fix jsp-api dependency in the Maven descriptors. * Put tomcat-juli.jar in /usr/share/java instead of juli.jar. This fixes a broken link which prevented tomcat to start when logging is turned on, and restores the file layout defined in 6.0.20-2. * Restore links to the jars in usr/share/tomcat6/lib * Change watch to download fresh sources from SVN. Should fix wrong encoding in tomcat-i18n-fr/es.jar in the next upstream version. (Closes: #522067) * Update ownership for files in /etc/tomcat6 and /var/lib/tomcat6/webapps. The new owner is tomcat6:adm (Closes: #532284) * Add additional directories for the common, server and shared classloader. Directories are also compatible with Alfresco's packaging done for Ubuntu. (Closes: #521318) * Update checksum in postrm script to reflect changes in the new upstream webapp * postrm removes the extra directories created in /var/lib/tomcat6 to hold shared and common classes or jars. * Added commented out default options for enabling debug mode. (Closes: LP: #375493) -- Ludovic Claude Wed, 05 Aug 2009 00:56:59 +0100 tomcat6 (6.0.20-4) experimental; urgency=low * Fix init script: - Change Provides: tomcat6. (Closes: #532286) - Check for /etc/default/rcS before sourcing it. * Update Standards-Version: 3.8.2 (no changes). -- Torsten Werner Thu, 16 Jul 2009 23:36:32 +0200 tomcat6 (6.0.20-3) experimental; urgency=low * Add the Maven POM to the package * Add a Build-Depends-Indep dependency on maven-repo-helper * Use mh_installpom and mh_installjar to install the POM and the jar to the Maven repository -- Ludovic Claude Tue, 14 Jul 2009 14:17:27 +0100 tomcat6 (6.0.20-2) unstable; urgency=low * Expose tomcat-juli.jar as a library in /usr/share/java as it is a dependency of jasper which is used also by jetty -- Ludovic Claude Mon, 15 Jun 2009 13:33:13 +0100 tomcat6 (6.0.20-1) unstable; urgency=low * new upstream release (Closes: #531873) * Remove patch tcnative-ipv6-fix-43327.patch that has been applied upstream. * Refresh other patches. -- Torsten Werner Fri, 05 Jun 2009 23:38:44 +0200 tomcat6 (6.0.18-dfsg1-1) unstable; urgency=low [ Torsten Werner ] * Remove jstl.jar and standard.jar from orig tarball because it comes without source code. (Closes: #528119) [ Marcus Better ] * Let the init script exit silently if the package is uninstalled. (Closes: #529301) -- Torsten Werner Tue, 19 May 2009 21:23:18 +0200 tomcat6 (6.0.18-4) unstable; urgency=low * Add patch tcnative-ipv6-fix-43327.patch provided by Thierry Carrez. (Closes: #527033) * Change Section: java (from web). * Bump up Standards-Version: 3.8.1 (no changes). * Remove redundant Depends: ant because we depend on ant-optional. -- Torsten Werner Sun, 10 May 2009 19:41:40 +0200 tomcat6 (6.0.18-3) unstable; urgency=low * Remove unneeded dirs and symlinks; thanks to Thierry Carrez. (Closes: #517857) * Improve the long description of all binary packages. (Closes: #518140) -- Torsten Werner Wed, 04 Mar 2009 21:58:41 +0100 tomcat6 (6.0.18-2) unstable; urgency=low * upload to unstable -- Torsten Werner Sat, 21 Feb 2009 11:31:20 +0100 tomcat6 (6.0.18-1) experimental; urgency=low * Merge changes from Ubuntu. Thanks to the Ubuntu developers we are shipping a full Tomcat 6.0 server stack now. (Closes: #494674) * Add myself to Uploaders. * Switch to openjdk-6 which is not the default in Debian. -- Torsten Werner Sat, 07 Feb 2009 17:02:57 +0100 tomcat6 (6.0.18-0ubuntu5) jaunty; urgency=low [ Thierry Carrez ] * Removed tomcat6-[admin,docs,examples].post[inst,rm] and let Tomcat webapp autodeployment features handle application load/unload (LP: #302914) * tomcat6-instance-create, tomcat6-instance-create.1, control: Allow to change the HTTP port, control port and shutdown word on the tomcat6-instance-create command line (LP: #300691). [ Mathias Gug] * debian/tomcat6-instance-create: move directoryname from an option to an argument. * debian/tomcat6-instance-create.1: some updates to the man page. * debian/control: update maintainer field to Ubuntu Core Developers now that tomcat6 is in main. -- Mathias Gug Wed, 07 Jan 2009 18:44:39 -0500 tomcat6 (6.0.18-0ubuntu4) jaunty; urgency=low * tomcat6.init, tomcat6.postinst, tomcat6.dirs, tomcat6.default, README.debian: Use /tmp/tomcat6-temp instead of /var/lib/tomcat6/temp as the JVM temporary directory and clean it at each restart (LP: #287452) * policy/04webapps.policy: add rules to allow usage of java.io.tmpdir * tomcat6.init, rules: Do not use TearDown, as this results in LifecycleListener callbacks in webapps being bypassed (LP: #299436) * rules: Compile at Java 1.5 level to allow usage of Java 5 JREs (LP: #286427) * control, rules, libservlet2.5-java-doc.install, libservlet2.5-java-doc.links: New libservlet2.5-java-doc package ships missing Servlet/JSP API documentation (LP: #279645) * patches/use-commons-dbcp.patch: Change default DBCP factory class to org.apache.commons.dbcp.BasicDataSourceFactory (LP: #283852) * tomcat6.dirs, tomcat6.postinst, default_root/index.html: Create Catalina/localhost in /etc/tomcat6 and make it writeable by the tomcat6 group, so that autodeploy and admin webapps work as expected (LP: #294277) * patches/disable-apr-loading.patch: Disable APR library loading until we properly provide it. * patches/disable-ajp-connector: Do not load AJP13 connector by default (LP: #300697) * rules: minor fixes to prevent build being called twice. -- Thierry Carrez Thu, 27 Nov 2008 12:47:42 +0000 tomcat6 (6.0.18-0ubuntu3) intrepid; urgency=low * debian/tomcat6.postinst: - Make /var/lib/tomcat6/temp writeable by the tomcat6 user (LP: #287126) - Make /var/lib/tomcat6/webapps writeable by tomcat6 group (LP: #287447) * debian/tomcat6.init: make status return nonzero if tomcat6 is not running (fixes LP: #288218) -- Thierry Carrez Thu, 23 Oct 2008 18:19:15 +0200 tomcat6 (6.0.18-0ubuntu2) intrepid; urgency=low * debian/rules: call dh_installinit with --error-handler so that install doesn't fail if Tomcat cannot be started during configure (LP: #274365) -- Thierry Carrez Mon, 06 Oct 2008 13:55:21 +0200 tomcat6 (6.0.18-0ubuntu1) intrepid; urgency=low * New upstream version (LP: #260016) - Fixes CVE-2008-2938: Directory traversal vulnerability (LP: #256802) - Fixes CVE-2008-2370: Information disclosure vulnerability (LP: #256922) - Fixes CVE-2008-1232: XSS through sendError vulnerability (LP: #256926) * Dropped CVE-2008-1947.patch (fix is shipped in this upstream release) * control: Improve short descriptions for the binary packages * copyright: Added link to /usr/share/common-licenses/Apache-2.0 * control: To pull the right JRE, libtomcat6-java now depends on default-jre-headless | java6-runtime-headless -- Thierry Carrez Fri, 22 Aug 2008 09:15:11 +0200 tomcat6 (6.0.16-1ubuntu1) intrepid; urgency=low * Adding full Tomcat 6 server stack support (LP: #256052) - tomcat6 handles the system instance (/var/lib/tomcat6) - tomcat6-user allows users to create their own private instances - tomcat6-common installs common files in /usr/share/tomcat6 - libtomcat6-java installs Tomcat 6 java libs in /usr/share/java - tomcat6-docs installs the documentation webapp - tomcat6-examples installs the examples webapp - tomcat6-admin installs the manager and host-manager webapps * Other key differences with the tomcat5.5 packages: - default-jdk build support - OpenJDK-6 JRE runtime support - tomcat6 installs a minimal ROOT webapp - new webapp locations follow Debian webapp policy - webapps restart tomcat6 in postrm rather than in prerm - added a doc-base entry - use standard upstream server.xml - initscript: try to check if Tomcat is really running before returning OK - removed transitional configuration migration code - autogenerate policy in /var/cache/tomcat6 rather than /etc/tomcat6 - logging.properties is customized to remove -webapps-related lines - initscript: implement TearDown spec * CVE-2008-1947 fix (cross-site-scripting issue in host-manager webapp) -- Thierry Carrez Fri, 08 Aug 2008 15:37:48 +0200 tomcat6 (6.0.16-1) unstable; urgency=low * Initial release. (Closes: #480964). -- Paul Cager Mon, 12 May 2008 23:04:49 +0000