[pkg-java] r15368 - in tags/tomcat6: . 6.0.32-7/debian 6.0.32-7/debian/patches

Tony Mancill tmancill at alioth.debian.org
Tue Nov 8 19:12:41 UTC 2011


Author: tmancill
Date: 2011-11-08 19:12:41 +0000 (Tue, 08 Nov 2011)
New Revision: 15368

Added:
   tags/tomcat6/6.0.32-7/
   tags/tomcat6/6.0.32-7/debian/changelog
   tags/tomcat6/6.0.32-7/debian/patches/0014-CVE-2011-1184.patch
   tags/tomcat6/6.0.32-7/debian/patches/0015-CVE-2011-2526.patch
   tags/tomcat6/6.0.32-7/debian/patches/series
Removed:
   tags/tomcat6/6.0.32-7/debian/changelog
   tags/tomcat6/6.0.32-7/debian/patches/series
Log:
[svn-buildpackage] Tagging tomcat6 6.0.32-7

Deleted: tags/tomcat6/6.0.32-7/debian/changelog
===================================================================
--- trunk/tomcat6/debian/changelog	2011-11-08 14:21:37 UTC (rev 15366)
+++ tags/tomcat6/6.0.32-7/debian/changelog	2011-11-08 19:12:41 UTC (rev 15368)
@@ -1,645 +0,0 @@
-tomcat6 (6.0.32-7) UNRELEASED; urgency=low
-
-  [ tony mancill ]
-  * Team upload.
-  * Add "unset LC_ALL" to /etc/defaults/tomcat6 to prevent user 
-    environment settings from leaking into the servlet container.
-    - Thank you to Nicolas Pichon.  (Closes: #645221)
-
-  [ Niels Thykier ]
-  * Added build-arch and build-indep targets in d/rules.
-
- -- tony mancill <tmancill at debian.org>  Wed, 26 Oct 2011 21:13:17 -0700
-
-tomcat6 (6.0.32-6) unstable; urgency=medium
-
-  [ tony mancill ]
-  * Team upload.
-  * Update Korean debconf translation.  (Closes: #630950, 631482)
-    Thanks to si-cheol Ko.
-  * Add Dutch debconf translation.  (Closes: #637507)
-    Thanks to Jeroen Schot.
-
-  [ Niels Thykier ]
-  * Removed myself from uploaders.
-
-  [ James Page ]
-  * Added patch for CVE-2011-3190 (LP: #843701). 
-
- -- tony mancill <tmancill at debian.org>  Sat, 17 Sep 2011 09:48:42 -0700
-
-tomcat6 (6.0.32-5) unstable; urgency=low
-
-  * Team upload.
-  * Add Catalan debconf translation ca.po (Closes: #630073).
-  * Correct Suggests for libtcnative-1 (tomcat-native) (Closes: #631919)
-  * Add patch for CVE-2011-2204 (Closes: #632882)
-
- -- tony mancill <tmancill at debian.org>  Wed, 06 Jul 2011 21:23:58 -0700
-
-tomcat6 (6.0.32-4) unstable; urgency=low
-
-  * Team upload.
-  * Add Italian debconf translation.
-    Thanks to Dario Santamaria (Closes: #624376)
-  * Add logrotate for catalina.out (Closes: 607050)
-  * Bump standards version to 3.9.2 (no changes needed).
-
- -- tony mancill <tmancill at debian.org>  Wed, 08 Jun 2011 22:13:07 -0700
-
-tomcat6 (6.0.32-3) unstable; urgency=low
-
-  * Team upload.
-  * Include upstream patch for ASF Bugzilla - Bug 50700
-    (Context parameters are being overridden with parameters from the 
-     web application deployment descriptor) (Closes: #623242)
-
- -- tony mancill <tmancill at debian.org>  Mon, 18 Apr 2011 20:38:29 -0700
-
-tomcat6 (6.0.32-2) unstable; urgency=low
-
-  * Team upload.
-
-  [ tony mancill ]
-  * Patch debian/tomcat6-instance-create (LP: #707405)
-    tomcat6-instance-create should accept -1 as the value of -c option
-    as per http://tomcat.apache.org/tomcat-6.0-doc/config/server.html
-    Thanks to Dave Walker.  (Closes: #617553)
-  * Move tomcat6-instance-create manpage from section 2 to section 8.
-    Thanks to brian m. carlson (Closes: #607682)
-  * Add tomcat6-extras package. 
-    Currently includes only catalina-jmx-remote.jar  (Closes: #614333)
-
-  [ Thierry Carrez ]
-  * debian/tomcat6-instance-create: Eclipse can now be configured to use a
-    user instance of tomcat6 using tomcat6-instance-create without any
-    additional work. Patch from Abhinav Upadhyay (Closes: #551091, LP: #297675)
-
- -- tony mancill <tmancill at debian.org>  Sun, 03 Apr 2011 21:16:08 -0700
-
-tomcat6 (6.0.32-1) unstable; urgency=low
-
-  * Team upload.
-  * New upstream release
-  * Remove following patches applied upstream:
-    CVE-2010-4172, CVE-2011-0534, CVE-2010-3718, CVE-2011-0013, 
-    0009-allow-empty-PID-file.patch
-  * Adjust 0004-split-deploy-webapps-target-from-deploy-target.patch
-
- -- tony mancill <tmancill at debian.org>  Tue, 15 Feb 2011 22:41:42 -0800
-
-tomcat6 (6.0.28-10) unstable; urgency=medium
-
-  * Team upload.
-  * Add Portuguese/Brazilian debconf translation.
-    Thanks to José de Figueiredo (Closes: #608527)
-  * Add patches for CVE-2011-0534, CVE-2010-3718, CVE-2011-0013 
-    (Closes: #612257)
-
- -- tony mancill <tmancill at debian.org>  Wed, 09 Feb 2011 21:49:33 -0800
-
-tomcat6 (6.0.28-9) unstable; urgency=medium
-
-  * Team upload.
-  * Update URL for manager application in README.Debian 
-    Thanks to Ernesto Ongaro (Closes: #606170)
-  * Add patch for CVE-2010-4172. (Closes: #606388)
-
- -- tony mancill <tmancill at debian.org>  Thu, 09 Dec 2010 22:52:08 -0800
-
-tomcat6 (6.0.28-8) unstable; urgency=low
-
-  * Team upload.
-
-  [ Thierry Carrez (ttx) ]
-  * Do not fail to purge if /etc/tomcat6 was manually removed (LP: #648619)
-  * Add missing -p option in start-stop-daemon when starting tomcat6 to avoid
-    failing to start due to /bin/bash running (LP: #632554)
-  * Fix build failure (missing TraXLiaison class) by adding ant-nodeps
-    to the classpath.
-
-  [ tony mancill ]
-  * Use debconf to determine tomcat6 user and group to delete upon purge.
-    Thanks to Misha Koshelev.  (Closes: #599458)
-  * Add tomcat-native to Suggests: for tomcat6 binary package. 
-    Thanks to Eddy Petrisor  (Closes: #600590)
-  * Add Danish debconf template translation.
-    Thanks to Joe Dalton (Closes: #605070)
-  * Actually add the Czech debconf template translation. 
-    Thanks this time to Christian PERRIER (Closes: #597863)
-
- -- tony mancill <tmancill at debian.org>  Sat, 04 Dec 2010 17:20:11 -0800
-
-tomcat6 (6.0.28-7) unstable; urgency=low
-
-  * Team upload.
-  * Add Czech debconf template translation.
-    Thanks to Michal Simunek. (Closes: #597863) 
-  * Add Spanish debconf template translation.
-    Thanks to Javier Fernández-Sanguino (Closes: #599230)
-  * Modify postinst to handle JAVA_OPTS strings containing the '/' 
-    character.  This was causing upgrade failures for users.
-    (Closes: #597814)
-
- -- tony mancill <tmancill at debian.org>  Wed, 06 Oct 2010 14:40:19 -0700
-
-tomcat6 (6.0.28-6) unstable; urgency=low
-
-  * Team upload.
-  * Add Japanese debconf template translation.
-    Thanks to Hideki Yamane. (Closes: #595460) 
-  * Add Russian debconf template translation.
-    Thanks to Yuri Kozlov. (Closes: #592627) 
-  * Add Portuguese debconf template translation.
-    Thanks to Américo Monteiro. (Closes: #592655) 
-  * Add Swedish debconf template translation.
-    Thanks to Martin Bagge. (Closes: #593676)
-  * Add German debconf template translation.
-    Thanks to Holger Wansing. (Closes: #593200)
-
- -- tony mancill <tmancill at debian.org>  Fri, 17 Sep 2010 21:30:27 -0700
-
-tomcat6 (6.0.28-5) unstable; urgency=low
-
-  * Team upload.
-
-  [Thierry Carrez (ttx)]
-  * Check for group existence to avoid postinst failure (LP: #611721)
-
-  [tony mancill]
-  * Add French debconf template translation.
-    Thanks to Steve Petruzzello.  (Closes: #594313) 
-
- -- tony mancill <tmancill at debian.org>  Thu, 02 Sep 2010 21:49:08 -0700
-
-tomcat6 (6.0.28-4) unstable; urgency=medium
-
-  * Ignore most errors during purge. (Closes: #591867)
-  * Add po-debconf support.
-
- -- Torsten Werner <twerner at debian.org>  Fri, 06 Aug 2010 04:08:40 +0200
-
-tomcat6 (6.0.28-3) unstable; urgency=low
-
-  * UNRELEASED
-  * Fix filename of /etc/tomcat6/tomcat-users in README.Debian. Thanks to
-    Olivier Berger. (Closes: #590085)
-
- -- Torsten Werner <twerner at debian.org>  Fri, 23 Jul 2010 23:36:49 +0200
-
-tomcat6 (6.0.28-2) unstable; urgency=low
-
-  * Add debconf questions for user, group and Java options.
-  * Use ucf to install /etc/default/tomcat6 from a template
-  * Drop CATALINA_BASE and CATALINA_HOME from /etc/default/tomcat6 since we
-    shouldn't encourage users to change those anyway
-
- -- Thierry Carrez <thierry.carrez at ubuntu.com>  Tue, 20 Jul 2010 14:36:48 +0200
-
-tomcat6 (6.0.28-1) unstable; urgency=low
-
-  [ Niels Thykier ]
-  * Removed depends on JREs for the library packages. It is no longer
-    required by the policy.
-
-  [ Torsten Werner ]
-  * New upstream release (Closes: #588813)
-    - Fixes CVE-2010-2227: DoS and information disclosure
-  * Remove 2 patches that were backports to 6.0.26.
-
- -- Torsten Werner <twerner at debian.org>  Mon, 19 Jul 2010 18:22:52 +0200
-
-tomcat6 (6.0.26-5) unstable; urgency=medium
-
-  * Convert patches to dep3 format.
-  * Backport security fix from trunk to fix CVE-2010-1157. (Closes: #587447)
-  * Set urgency to medium due to the security fix.
-
- -- Torsten Werner <twerner at debian.org>  Mon, 28 Jun 2010 21:41:31 +0200
-
-tomcat6 (6.0.26-4) unstable; urgency=low
-
-  [ Thierry Carrez ]
-  * Fix issues preventing from running Tomcat6 with a security manager:
-    - debian/tomcat6.init: Remove duplicate securitymanager options.
-    - debian/patches/catalina-sh-security-manager.patch: Use the right
-      location for the security.policy file in catalina.sh.
-    - Closes: #585379, LP: #591802. Thanks to Jeff Turner for the original
-      patches and to Adam Guthrie for the Lucid debdiff.
-  * Allow binding to any interface when using authbind, rather than only allow
-    binding to all (LP: #594989)
-  * Force backgrounding of catalina.sh in start-stop-daemon, to allow the init
-    script to be started through ssh -t (LP: #588481)
-
-  [ Torsten Werner ]
-  * Remove Paul from Uploaders list.
-
- -- Thierry Carrez <thierry.carrez at ubuntu.com>  Thu, 24 Jun 2010 15:55:10 +0200
-
-tomcat6 (6.0.26-3) unstable; urgency=low
-
-  [ Marcus Better ]
-  * Apply upstream fix for deadlock in WebappClassLoader. (Closes: #583896)
-
-  [ Thierry Carrez ]
-  * debian/tomcat6.{install,postinst}: Do not store the default root webapp
-    in /usr/share/tomcat6/webapps as it increases confusion on what this
-    directory contains (and its relation with /var/lib/tomcat6/webapps).
-    Store it inside /usr/share/tomcat6-root instead (LP: #575303).
-
- -- Marcus Better <marcus at better.se>  Mon, 31 May 2010 15:50:57 +0200
-
-tomcat6 (6.0.26-2) unstable; urgency=low
-
-  * debian/tomcat6.{postinst,prerm}: Respect TOMCAT6_USER and TOMCAT6_GROUP
-    as defined in /etc/default/tomcat6 when setting directory permissions and
-    authbind configuration (Closes: #581018, LP: #557300)
-  * debian/tomcat6.postinst: Use group "tomcat6" instead of "adm" for
-    permissions in /var/lib/tomcat6, so that group "adm" doesn't get write
-    permissions over /var/lib/tomcat6/webapps (LP: #569118)
-
- -- Thierry Carrez <thierry.carrez at ubuntu.com>  Fri, 21 May 2010 13:51:15 +0200
-
-tomcat6 (6.0.26-1) unstable; urgency=low
-
-  * New upstream version
-  * Apply patch from Mark Scott to fix 
-    tomcat6-instance-create which failed when multiple commandline
-    options are provided, fix creation of FULLPATH (Closes: #575580)
-
- -- Ludovic Claude <ludovic.claude at laposte.net>  Wed, 21 Apr 2010 23:07:09 +0100
-
-tomcat6 (6.0.24-5) unstable; urgency=low
-
-  * Added optimised garbage collection options to tomcat6's default options.
-    Thanks to Aaron J. Zirbes and Thierry Carrez for research and the patch.
-    (Closes: LP: #541520)
-  * Updated the changelog to mention closed CVE's in the 6.0.24-1 release.
-  * Applied patch from Arto Jantunen fixing an issue with cleaning up the
-    pid-file. (Closes: #574084)
-
- -- Niels Thykier <niels at thykier.net>  Thu, 25 Mar 2010 23:45:32 +0100
-
-tomcat6 (6.0.24-4) unstable; urgency=low
-
-  * debian/tomcat6.postrm: fix removal of Tomcat (Closes: #567548)
-  * Set UTF-8 as default character encoding - Patch by Thomas Koch
-    (Closes: #573539)
-
- -- Ludovic Claude <ludovic.claude at laposte.net>  Thu, 11 Mar 2010 23:45:34 +0100
-
-tomcat6 (6.0.24-3) unstable; urgency=medium
-
-  * Set the major, minor and build versions when calling Ant
-    (Closes: LP: #495505)
-  * Rebuild with a more recent version of maven-repo-helper which puts
-    the javax jars at the correct location in the Maven repository.
-    Fixes several FTBFS in other packages.
-
- -- Ludovic Claude <ludovic.claude at laposte.net>  Wed, 03 Mar 2010 00:10:15 +0100
-
-tomcat6 (6.0.24-2) unstable; urgency=low
-
-  * Fix missing symlinks to tomcat-coyote.jar and
-    catalina-tribes.jar causing NoClassDefFoundException
-    at startup (last minute packaging change, sorry)
-    (Closes: #570220)
-  * tomcat6-admin, tomcat6-examples and tomcat6-docs now depend on
-    tomcat6-common instead of tomcat6, this allow users to install
-    those packages without requiring tomcat6 and its automatic startup scripts
-    being present. tomcat-users can be installed instead and allow full
-    control over when Tomcat is started or stopped.
-
- -- Ludovic Claude <ludovic.claude at laposte.net>  Wed, 17 Feb 2010 22:59:21 +0100
-
-tomcat6 (6.0.24-1) unstable; urgency=low
-
-  [ Ludovic Claude ]
-  * New upstream version
-    - Fixes Directory traversal vulnerability (CVE-2009-2693,CVE-2009-2902)
-    - Fixes Autodeployment vulnerability (CVE-2009-2901)
-  * Update the POM files for the new version of Tomcat
-  * Bump up Standards-Version to 3.8.4
-  * Refresh patches deploy-webapps-build-xml.patch and var_loaders.patch
-  * Remove patch fix_context_name.patch as it has been applied upstream
-  * Fix the installation of servlet-api-2.5.jar: the jar
-    goes to /usr/share/java as in older versions (6.0.20-2)
-    and links to the jar are added to /usr/share/maven-repo
-  * Moved NEWS.Debian into README.Debian
-  * Add a link from /usr/share/doc/tomcat6-common/README.Debian to
-    /usr/share/doc/tomcat6/README.Debian to include a minimum of
-    documentation in the tomcat6 package and add some useful notes. 
-    (Closes: #563937, #563939)
-  * Remove poms from the Debian packaging, use upstream pom files
-
-  [ Jason Brittain ]
-  * Fixed a bug in the init script: When a start fails, the PID file was
-    being left in place.  Now the init script makes sure it is deleted.
-  * Fixed a packaging bug that results in the ROOT webapp not being properly
-    installed after an uninstall, then a reinstall.
-  * control: Corrected a couple of comments (no functional change).
-
- -- Ludovic Claude <ludovic.claude at laposte.net>  Tue, 09 Feb 2010 23:06:51 +0100
-
-tomcat6 (6.0.20-dfsg1-2) unstable; urgency=low
-
-  * JSVC is no longer used by the package.  Instead, the init script invokes
-    the stock catalina.sh script.
-  * Authbind is now the standard method for binding Tomcat to ports lower
-    than 1024 (when using IPv4).
-  * The security manager now defaults to the disabled state, and is commented
-    that way in /etc/default/tomcat6.
-  * Reliable restarts are now implemented in the init script.
-    (Closes: #561559)
-  * Tomcat now sends STDOUT and STDERR to its usual, stock log file
-    CATALINA_BASE/logs/catalina.out (/var/log/tomcat6/catalina.out in this
-    package's case.
-
- -- Jason Brittain <jason.brittain at mulesoft.com>  Wed, 27 Jan 2010 01:08:57 +0000
-
-tomcat6 (6.0.20-dfsg1-1) unstable; urgency=low
-
-  * Fix debian/orig-tar.sh to exclude binary only standard.jar and jstl.jar.
-    (Closes: #528119)
-  * Upload a cleaned tarball.
-  * Add ${misc:Depends} in debian/control.
-
- -- Torsten Werner <twerner at debian.org>  Sat, 23 Jan 2010 19:40:38 +0100
-
-tomcat6 (6.0.20-9) unstable; urgency=low
-
-  * Fix spelling issues.
-  * Always set JSVC_CLASSPATH to a default value in init.
-
- -- Niels Thykier <niels at thykier.net>  Sat, 19 Dec 2009 19:11:33 +0100
-
-tomcat6 (6.0.20-8) unstable; urgency=low
-
-  * Corrected some spelling mistakes in debian/control.
-    (Closes: #557377, #557378)
-  * Added patches to install the OSGi metadata in some of the jars.
-    (Closes: #558176)
-  * Updated 03catalina.policy to allow "setContextClassLoader".
-    - Fixes a problem where Sun's JVM would fail to generate log-files.
-    (Closes: LP: #410379)
-  * Updated /etc/default/tomcat6:
-    - Clarified that JAVA_OPTS are passed to jscv and not the JVM.
-    - Updated the JSP_COMPILER to javac (jikes is not in Debian anymore).
-    (Closes: LP: #440685)
-  * Use default-jdk and default-jre-headless instead of openjdk in
-    (Build-)Depends.
-  * Added more alternatives for java implementations to the Depends of
-    libservlet2.5-java.
-  * Exposed JSVC_CLASSPATH to the configuration file.
-    (Closes: LP: #475457)
-  * Updated description so it no longer refers to non-existent package.
-    (Closes: #559475)
-  * Used "set -e" in postinst and postrm instead of passing "-e" to sh
-    in the #!-line.
-  * Changed to 3.0 (quilt) source format.
-
- -- Niels Thykier <niels at thykier.net>  Mon, 07 Dec 2009 21:17:55 +0100
-
-tomcat6 (6.0.20-7) unstable; urgency=low
-
-  * New patch fix_context_name.patch:
-    - Allow Service name != Engine name. Regression in fix for 42707.
-      Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47316
-    - This has been fixed in trunk and will be in 6.0.21
-  * Register libservlet2.5-java-doc API with doc-base
-  * Fix short description of tomcat6-docs by using "documentation" suffix
-
- -- Damien Raude-Morvan <drazzib at debian.org>  Sat, 10 Oct 2009 21:41:55 +0200
-
-tomcat6 (6.0.20-6) unstable; urgency=low
-
-  [ Ludovic Claude ]
-  * tomcat6.postinst: set the ownership of files in /etc/tomcat6/
-    to root:tomcat6, to prevent an attacker running inside a tomcat6
-    instance to change the tomcat configuration
-  * debian/policy/02debian.policy: grant access to 
-    /usr/share/maven-repo/ as it is a valid source of Debian JARs.
-    (Closes: #545674)
-  * Bump up Standards-Version to 3.8.3
-    - add debian/README.source that describes the quilt patch system.
-  * debian/control: Add Conflicts on libtomcat6-java with old versions
-    of tomcat6-common (Closes: #542397)
-
-  [ Michael Koch ]
-  * Replace dh_clean -k by dh_prep.
-  * Added Ludovic and myself to Uploaders.
-  * Build-Depends on debhelper >= 7.
-
- -- Michael Koch <konqueror at gmx.de>  Fri, 25 Sep 2009 07:14:07 +0200
-
-tomcat6 (6.0.20-5) unstable; urgency=low
-
-  * Fix jsp-api dependency in the Maven descriptors.
-  * Put tomcat-juli.jar in /usr/share/java instead of juli.jar.
-    This fixes a broken link which prevented tomcat to start
-    when logging is turned on, and restores the file layout
-    defined in 6.0.20-2.
-  * Restore links to the jars in usr/share/tomcat6/lib
-  * Change watch to download fresh sources from SVN. 
-    Should fix wrong encoding in tomcat-i18n-fr/es.jar in the next upstream
-    version. (Closes: #522067)
-  * Update ownership for files in /etc/tomcat6 and /var/lib/tomcat6/webapps.
-    The new owner is tomcat6:adm (Closes: #532284)
-  * Add additional directories for the common, server and shared classloader.
-    Directories are also compatible with Alfresco's packaging done for
-    Ubuntu. (Closes: #521318)
-  * Update checksum in postrm script to reflect changes
-    in the new upstream webapp
-  * postrm removes the extra directories created in /var/lib/tomcat6
-    to hold shared and common classes or jars.
-  * Added commented out default options for enabling debug mode.
-    (Closes: LP: #375493)
-
- -- Ludovic Claude <ludovic.claude at laposte.net>  Wed, 05 Aug 2009 00:56:59 +0100
-
-tomcat6 (6.0.20-4) experimental; urgency=low
-
-  * Fix init script:
-    - Change Provides: tomcat6. (Closes: #532286)
-    - Check for /etc/default/rcS before sourcing it.
-  * Update Standards-Version: 3.8.2 (no changes).
-
- -- Torsten Werner <twerner at debian.org>  Thu, 16 Jul 2009 23:36:32 +0200
-
-tomcat6 (6.0.20-3) experimental; urgency=low
-
-  * Add the Maven POM to the package
-  * Add a Build-Depends-Indep dependency on maven-repo-helper
-  * Use mh_installpom and mh_installjar to install the POM and the jar to the
-    Maven repository
-
- -- Ludovic Claude <ludovic.claude at laposte.net>  Tue, 14 Jul 2009 14:17:27 +0100
-
-tomcat6 (6.0.20-2) unstable; urgency=low
-
-  * Expose tomcat-juli.jar as a library in /usr/share/java
-    as it is a dependency of jasper which is used also by jetty
-
- -- Ludovic Claude <ludovic.claude at laposte.net>  Mon, 15 Jun 2009 13:33:13 +0100
-
-tomcat6 (6.0.20-1) unstable; urgency=low
-
-  * new upstream release (Closes: #531873)
-  * Remove patch tcnative-ipv6-fix-43327.patch that has been applied upstream.
-  * Refresh other patches.
-
- -- Torsten Werner <twerner at debian.org>  Fri, 05 Jun 2009 23:38:44 +0200
-
-tomcat6 (6.0.18-dfsg1-1) unstable; urgency=low
-
-  [ Torsten Werner ]
-  * Remove jstl.jar and standard.jar from orig tarball because it comes without
-    source code. (Closes: #528119)
-
-  [ Marcus Better ]
-  * Let the init script exit silently if the package is
-    uninstalled. (Closes: #529301)
-
- -- Torsten Werner <twerner at debian.org>  Tue, 19 May 2009 21:23:18 +0200
-
-tomcat6 (6.0.18-4) unstable; urgency=low
-
-  * Add patch tcnative-ipv6-fix-43327.patch provided by Thierry Carrez.
-    (Closes: #527033)
-  * Change Section: java (from web).
-  * Bump up Standards-Version: 3.8.1 (no changes).
-  * Remove redundant Depends: ant because we depend on ant-optional.
-
- -- Torsten Werner <twerner at debian.org>  Sun, 10 May 2009 19:41:40 +0200
-
-tomcat6 (6.0.18-3) unstable; urgency=low
-
-  * Remove unneeded dirs and symlinks; thanks to Thierry Carrez. (Closes:
-    #517857)
-  * Improve the long description of all binary packages. (Closes: #518140)
-
- -- Torsten Werner <twerner at debian.org>  Wed, 04 Mar 2009 21:58:41 +0100
-
-tomcat6 (6.0.18-2) unstable; urgency=low
-
-  * upload to unstable
-
- -- Torsten Werner <twerner at debian.org>  Sat, 21 Feb 2009 11:31:20 +0100
-
-tomcat6 (6.0.18-1) experimental; urgency=low
-
-  * Merge changes from Ubuntu. Thanks to the Ubuntu developers we are shipping
-    a full Tomcat 6.0 server stack now. (Closes: #494674)
-  * Add myself to Uploaders.
-  * Switch to openjdk-6 which is not the default in Debian.
-
- -- Torsten Werner <twerner at debian.org>  Sat, 07 Feb 2009 17:02:57 +0100
-
-tomcat6 (6.0.18-0ubuntu5) jaunty; urgency=low
-
-  [ Thierry Carrez ]
-  * Removed tomcat6-[admin,docs,examples].post[inst,rm] and let Tomcat webapp
-    autodeployment features handle application load/unload (LP: #302914)
-  * tomcat6-instance-create, tomcat6-instance-create.1, control:
-    Allow to change the HTTP port, control port and shutdown word on the
-    tomcat6-instance-create command line (LP: #300691).
-
-  [ Mathias Gug]
-  * debian/tomcat6-instance-create: move directoryname from an option to 
-    an argument.
-  * debian/tomcat6-instance-create.1: some updates to the man page.
-  * debian/control: update maintainer field to Ubuntu Core Developers now that
-    tomcat6 is in main.
-
- -- Mathias Gug <mathiaz at ubuntu.com>  Wed, 07 Jan 2009 18:44:39 -0500
-
-tomcat6 (6.0.18-0ubuntu4) jaunty; urgency=low
-
-  * tomcat6.init, tomcat6.postinst, tomcat6.dirs, tomcat6.default,
-    README.debian: Use /tmp/tomcat6-temp instead of /var/lib/tomcat6/temp as
-    the JVM temporary directory and clean it at each restart (LP: #287452)
-  * policy/04webapps.policy: add rules to allow usage of java.io.tmpdir
-  * tomcat6.init, rules: Do not use TearDown, as this results in
-    LifecycleListener callbacks in webapps being bypassed (LP: #299436)
-  * rules: Compile at Java 1.5 level to allow usage of Java 5 JREs
-    (LP: #286427)
-  * control, rules, libservlet2.5-java-doc.install,
-    libservlet2.5-java-doc.links: New libservlet2.5-java-doc package ships
-    missing Servlet/JSP API documentation (LP: #279645)
-  * patches/use-commons-dbcp.patch: Change default DBCP factory class
-    to org.apache.commons.dbcp.BasicDataSourceFactory (LP: #283852)
-  * tomcat6.dirs, tomcat6.postinst, default_root/index.html: Create
-    Catalina/localhost in /etc/tomcat6 and make it writeable by the tomcat6
-    group, so that autodeploy and admin webapps work as expected (LP: #294277)
-  * patches/disable-apr-loading.patch: Disable APR library loading until we
-    properly provide it.
-  * patches/disable-ajp-connector: Do not load AJP13 connector by default
-    (LP: #300697)
-  * rules: minor fixes to prevent build being called twice.
-
- -- Thierry Carrez <thierry.carrez at ubuntu.com>  Thu, 27 Nov 2008 12:47:42 +0000
-
-tomcat6 (6.0.18-0ubuntu3) intrepid; urgency=low
-
-  * debian/tomcat6.postinst:
-    - Make /var/lib/tomcat6/temp writeable by the tomcat6 user (LP: #287126)
-    - Make /var/lib/tomcat6/webapps writeable by tomcat6 group (LP: #287447)
-  * debian/tomcat6.init: make status return nonzero if tomcat6 is not running
-    (fixes LP: #288218)
-
- -- Thierry Carrez <thierry.carrez at ubuntu.com>  Thu, 23 Oct 2008 18:19:15 +0200
-
-tomcat6 (6.0.18-0ubuntu2) intrepid; urgency=low
-
-  * debian/rules: call dh_installinit with --error-handler so that install
-    doesn't fail if Tomcat cannot be started during configure (LP: #274365)
-
- -- Thierry Carrez <thierry.carrez at ubuntu.com>  Mon, 06 Oct 2008 13:55:21 +0200
-
-tomcat6 (6.0.18-0ubuntu1) intrepid; urgency=low
-
-  * New upstream version (LP: #260016)
-    - Fixes CVE-2008-2938: Directory traversal vulnerability (LP: #256802)
-    - Fixes CVE-2008-2370: Information disclosure vulnerability (LP: #256922)
-    - Fixes CVE-2008-1232: XSS through sendError vulnerability (LP: #256926)
-  * Dropped CVE-2008-1947.patch (fix is shipped in this upstream release)
-  * control: Improve short descriptions for the binary packages
-  * copyright: Added link to /usr/share/common-licenses/Apache-2.0
-  * control: To pull the right JRE, libtomcat6-java now depends on
-    default-jre-headless | java6-runtime-headless
-
- -- Thierry Carrez <thierry.carrez at ubuntu.com>  Fri, 22 Aug 2008 09:15:11 +0200
-
-tomcat6 (6.0.16-1ubuntu1) intrepid; urgency=low
-
-  * Adding full Tomcat 6 server stack support (LP: #256052)
-    - tomcat6 handles the system instance (/var/lib/tomcat6)
-    - tomcat6-user allows users to create their own private instances
-    - tomcat6-common installs common files in /usr/share/tomcat6
-    - libtomcat6-java installs Tomcat 6 java libs in /usr/share/java
-    - tomcat6-docs installs the documentation webapp
-    - tomcat6-examples installs the examples webapp
-    - tomcat6-admin installs the manager and host-manager webapps
-  * Other key differences with the tomcat5.5 packages:
-    - default-jdk build support
-    - OpenJDK-6 JRE runtime support
-    - tomcat6 installs a minimal ROOT webapp
-    - new webapp locations follow Debian webapp policy
-    - webapps restart tomcat6 in postrm rather than in prerm
-    - added a doc-base entry
-    - use standard upstream server.xml
-    - initscript: try to check if Tomcat is really running before returning OK
-    - removed transitional configuration migration code
-    - autogenerate policy in /var/cache/tomcat6 rather than /etc/tomcat6
-    - logging.properties is customized to remove -webapps-related lines
-    - initscript: implement TearDown spec
-  * CVE-2008-1947 fix (cross-site-scripting issue in host-manager webapp)
-
- -- Thierry Carrez <thierry.carrez at ubuntu.com>  Fri, 08 Aug 2008 15:37:48 +0200
-
-tomcat6 (6.0.16-1) unstable; urgency=low
-
-  * Initial release.
-    (Closes: #480964).
-
- -- Paul Cager <paul-debian at home.paulcager.org>  Mon, 12 May 2008 23:04:49 +0000
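
Review bot: The 6.0.32-7 stanza at the top of this hunk gives the path as "/etc/defaults/tomcat6", while the older entries in the same file (6.0.28-2, 6.0.26-2, 6.0.20-dfsg1-2, 6.0.20-8) all refer to "/etc/default/tomcat6". The stanza is carried into the copied changelog with the same wording, so the path should be corrected to "/etc/default/tomcat6" in a following upload to keep the record of where "unset LC_ALL" was added accurate. Separately, this side is diffed against trunk at rev 15366 while the copy is taken from rev 15367, so the tag appears as a 645-line removal plus a 647-line addition. The only substantive difference is the top stanza: UNRELEASED with urgency=low here, against unstable with urgency=medium and the added CVE-2011-1184 and CVE-2011-2526 line in the copy. That stanza is the part to read closely.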

Copied: tags/tomcat6/6.0.32-7/debian/changelog (from rev 15367, trunk/tomcat6/debian/changelog)
===================================================================
--- tags/tomcat6/6.0.32-7/debian/changelog	                        (rev 0)
+++ tags/tomcat6/6.0.32-7/debian/changelog	2011-11-08 19:12:41 UTC (rev 15368)
@@ -0,0 +1,647 @@
+tomcat6 (6.0.32-7) unstable; urgency=medium
+
+  [ tony mancill ]
+  * Team upload.
+  * Add "unset LC_ALL" to /etc/defaults/tomcat6 to prevent user 
+    environment settings from leaking into the servlet container.
+    - Thank you to Nicolas Pichon.  (Closes: #645221)
+  * Apply patch for CVE-2011-1184 and CVE-2011-2526.
+    - Thank you to Marc Deslauriers.  (Closes: #648038)
+
+  [ Niels Thykier ]
+  * Added build-arch and build-indep targets in d/rules.
+
+ -- tony mancill <tmancill at debian.org>  Tue, 08 Nov 2011 10:42:32 -0800
+
+tomcat6 (6.0.32-6) unstable; urgency=medium
+
+  [ tony mancill ]
+  * Team upload.
+  * Update Korean debconf translation.  (Closes: #630950, 631482)
+    Thanks to si-cheol Ko.
+  * Add Dutch debconf translation.  (Closes: #637507)
+    Thanks to Jeroen Schot.
+
+  [ Niels Thykier ]
+  * Removed myself from uploaders.
+
+  [ James Page ]
+  * Added patch for CVE-2011-3190 (LP: #843701). 
+
+ -- tony mancill <tmancill at debian.org>  Sat, 17 Sep 2011 09:48:42 -0700
+
+tomcat6 (6.0.32-5) unstable; urgency=low
+
+  * Team upload.
+  * Add Catalan debconf translation ca.po (Closes: #630073).
+  * Correct Suggests for libtcnative-1 (tomcat-native) (Closes: #631919)
+  * Add patch for CVE-2011-2204 (Closes: #632882)
+
+ -- tony mancill <tmancill at debian.org>  Wed, 06 Jul 2011 21:23:58 -0700
+
+tomcat6 (6.0.32-4) unstable; urgency=low
+
+  * Team upload.
+  * Add Italian debconf translation.
+    Thanks to Dario Santamaria (Closes: #624376)
+  * Add logrotate for catalina.out (Closes: 607050)
+  * Bump standards version to 3.9.2 (no changes needed).
+
+ -- tony mancill <tmancill at debian.org>  Wed, 08 Jun 2011 22:13:07 -0700
+
+tomcat6 (6.0.32-3) unstable; urgency=low
+
+  * Team upload.
+  * Include upstream patch for ASF Bugzilla - Bug 50700
+    (Context parameters are being overridden with parameters from the 
+     web application deployment descriptor) (Closes: #623242)
+
+ -- tony mancill <tmancill at debian.org>  Mon, 18 Apr 2011 20:38:29 -0700
+
+tomcat6 (6.0.32-2) unstable; urgency=low
+
+  * Team upload.
+
+  [ tony mancill ]
+  * Patch debian/tomcat6-instance-create (LP: #707405)
+    tomcat6-instance-create should accept -1 as the value of -c option
+    as per http://tomcat.apache.org/tomcat-6.0-doc/config/server.html
+    Thanks to Dave Walker.  (Closes: #617553)
+  * Move tomcat6-instance-create manpage from section 2 to section 8.
+    Thanks to brian m. carlson (Closes: #607682)
+  * Add tomcat6-extras package. 
+    Currently includes only catalina-jmx-remote.jar  (Closes: #614333)
+
+  [ Thierry Carrez ]
+  * debian/tomcat6-instance-create: Eclipse can now be configured to use a
+    user instance of tomcat6 using tomcat6-instance-create without any
+    additional work. Patch from Abhinav Upadhyay (Closes: #551091, LP: #297675)
+
+ -- tony mancill <tmancill at debian.org>  Sun, 03 Apr 2011 21:16:08 -0700
+
+tomcat6 (6.0.32-1) unstable; urgency=low
+
+  * Team upload.
+  * New upstream release
+  * Remove following patches applied upstream:
+    CVE-2010-4172, CVE-2011-0534, CVE-2010-3718, CVE-2011-0013, 
+    0009-allow-empty-PID-file.patch
+  * Adjust 0004-split-deploy-webapps-target-from-deploy-target.patch
+
+ -- tony mancill <tmancill at debian.org>  Tue, 15 Feb 2011 22:41:42 -0800
+
+tomcat6 (6.0.28-10) unstable; urgency=medium
+
+  * Team upload.
+  * Add Portuguese/Brazilian debconf translation.
+    Thanks to José de Figueiredo (Closes: #608527)
+  * Add patches for CVE-2011-0534, CVE-2010-3718, CVE-2011-0013 
+    (Closes: #612257)
+
+ -- tony mancill <tmancill at debian.org>  Wed, 09 Feb 2011 21:49:33 -0800
+
+tomcat6 (6.0.28-9) unstable; urgency=medium
+
+  * Team upload.
+  * Update URL for manager application in README.Debian 
+    Thanks to Ernesto Ongaro (Closes: #606170)
+  * Add patch for CVE-2010-4172. (Closes: #606388)
+
+ -- tony mancill <tmancill at debian.org>  Thu, 09 Dec 2010 22:52:08 -0800
+
+tomcat6 (6.0.28-8) unstable; urgency=low
+
+  * Team upload.
+
+  [ Thierry Carrez (ttx) ]
+  * Do not fail to purge if /etc/tomcat6 was manually removed (LP: #648619)
+  * Add missing -p option in start-stop-daemon when starting tomcat6 to avoid
+    failing to start due to /bin/bash running (LP: #632554)
+  * Fix build failure (missing TraXLiaison class) by adding ant-nodeps
+    to the classpath.
+
+  [ tony mancill ]
+  * Use debconf to determine tomcat6 user and group to delete upon purge.
+    Thanks to Misha Koshelev.  (Closes: #599458)
+  * Add tomcat-native to Suggests: for tomcat6 binary package. 
+    Thanks to Eddy Petrisor  (Closes: #600590)
+  * Add Danish debconf template translation.
+    Thanks to Joe Dalton (Closes: #605070)
+  * Actually add the Czech debconf template translation. 
+    Thanks this time to Christian PERRIER (Closes: #597863)
+
+ -- tony mancill <tmancill at debian.org>  Sat, 04 Dec 2010 17:20:11 -0800
+
+tomcat6 (6.0.28-7) unstable; urgency=low
+
+  * Team upload.
+  * Add Czech debconf template translation.
+    Thanks to Michal Simunek. (Closes: #597863) 
+  * Add Spanish debconf template translation.
+    Thanks to Javier Fernández-Sanguino (Closes: #599230)
+  * Modify postinst to handle JAVA_OPTS strings containing the '/' 
+    character.  This was causing upgrade failures for users.
+    (Closes: #597814)
+
+ -- tony mancill <tmancill at debian.org>  Wed, 06 Oct 2010 14:40:19 -0700
+
+tomcat6 (6.0.28-6) unstable; urgency=low
+
+  * Team upload.
+  * Add Japanese debconf template translation.
+    Thanks to Hideki Yamane. (Closes: #595460) 
+  * Add Russian debconf template translation.
+    Thanks to Yuri Kozlov. (Closes: #592627) 
+  * Add Portuguese debconf template translation.
+    Thanks to Américo Monteiro. (Closes: #592655) 
+  * Add Swedish debconf template translation.
+    Thanks to Martin Bagge. (Closes: #593676)
+  * Add German debconf template translation.
+    Thanks to Holger Wansing. (Closes: #593200)
+
+ -- tony mancill <tmancill at debian.org>  Fri, 17 Sep 2010 21:30:27 -0700
+
+tomcat6 (6.0.28-5) unstable; urgency=low
+
+  * Team upload.
+
+  [Thierry Carrez (ttx)]
+  * Check for group existence to avoid postinst failure (LP: #611721)
+
+  [tony mancill]
+  * Add French debconf template translation.
+    Thanks to Steve Petruzzello.  (Closes: #594313) 
+
+ -- tony mancill <tmancill at debian.org>  Thu, 02 Sep 2010 21:49:08 -0700
+
+tomcat6 (6.0.28-4) unstable; urgency=medium
+
+  * Ignore most errors during purge. (Closes: #591867)
+  * Add po-debconf support.
+
+ -- Torsten Werner <twerner at debian.org>  Fri, 06 Aug 2010 04:08:40 +0200
+
+tomcat6 (6.0.28-3) unstable; urgency=low
+
+  * UNRELEASED
+  * Fix filename of /etc/tomcat6/tomcat-users in README.Debian. Thanks to
+    Olivier Berger. (Closes: #590085)
+
+ -- Torsten Werner <twerner at debian.org>  Fri, 23 Jul 2010 23:36:49 +0200
+
+tomcat6 (6.0.28-2) unstable; urgency=low
+
+  * Add debconf questions for user, group and Java options.
+  * Use ucf to install /etc/default/tomcat6 from a template
+  * Drop CATALINA_BASE and CATALINA_HOME from /etc/default/tomcat6 since we
+    shouldn't encourage users to change those anyway
+
+ -- Thierry Carrez <thierry.carrez at ubuntu.com>  Tue, 20 Jul 2010 14:36:48 +0200
+
+tomcat6 (6.0.28-1) unstable; urgency=low
+
+  [ Niels Thykier ]
+  * Removed depends on JREs for the library packages. It is no longer
+    required by the policy.
+
+  [ Torsten Werner ]
+  * New upstream release (Closes: #588813)
+    - Fixes CVE-2010-2227: DoS and information disclosure
+  * Remove 2 patches that were backports to 6.0.26.
+
+ -- Torsten Werner <twerner at debian.org>  Mon, 19 Jul 2010 18:22:52 +0200
+
+tomcat6 (6.0.26-5) unstable; urgency=medium
+
+  * Convert patches to dep3 format.
+  * Backport security fix from trunk to fix CVE-2010-1157. (Closes: #587447)
+  * Set urgency to medium due to the security fix.
+
+ -- Torsten Werner <twerner at debian.org>  Mon, 28 Jun 2010 21:41:31 +0200
+
+tomcat6 (6.0.26-4) unstable; urgency=low
+
+  [ Thierry Carrez ]
+  * Fix issues preventing from running Tomcat6 with a security manager:
+    - debian/tomcat6.init: Remove duplicate securitymanager options.
+    - debian/patches/catalina-sh-security-manager.patch: Use the right
+      location for the security.policy file in catalina.sh.
+    - Closes: #585379, LP: #591802. Thanks to Jeff Turner for the original
+      patches and to Adam Guthrie for the Lucid debdiff.
+  * Allow binding to any interface when using authbind, rather than only allow
+    binding to all (LP: #594989)
+  * Force backgrounding of catalina.sh in start-stop-daemon, to allow the init
+    script to be started through ssh -t (LP: #588481)
+
+  [ Torsten Werner ]
+  * Remove Paul from Uploaders list.
+
+ -- Thierry Carrez <thierry.carrez at ubuntu.com>  Thu, 24 Jun 2010 15:55:10 +0200
+
+tomcat6 (6.0.26-3) unstable; urgency=low
+
+  [ Marcus Better ]
+  * Apply upstream fix for deadlock in WebappClassLoader. (Closes: #583896)
+
+  [ Thierry Carrez ]
+  * debian/tomcat6.{install,postinst}: Do not store the default root webapp
+    in /usr/share/tomcat6/webapps as it increases confusion on what this
+    directory contains (and its relation with /var/lib/tomcat6/webapps).
+    Store it inside /usr/share/tomcat6-root instead (LP: #575303).
+
+ -- Marcus Better <marcus at better.se>  Mon, 31 May 2010 15:50:57 +0200
+
+tomcat6 (6.0.26-2) unstable; urgency=low
+
+  * debian/tomcat6.{postinst,prerm}: Respect TOMCAT6_USER and TOMCAT6_GROUP
+    as defined in /etc/default/tomcat6 when setting directory permissions and
+    authbind configuration (Closes: #581018, LP: #557300)
+  * debian/tomcat6.postinst: Use group "tomcat6" instead of "adm" for
+    permissions in /var/lib/tomcat6, so that group "adm" doesn't get write
+    permissions over /var/lib/tomcat6/webapps (LP: #569118)
+
+ -- Thierry Carrez <thierry.carrez at ubuntu.com>  Fri, 21 May 2010 13:51:15 +0200
+
+tomcat6 (6.0.26-1) unstable; urgency=low
+
+  * New upstream version
+  * Apply patch from Mark Scott to fix 
+    tomcat6-instance-create which failed when multiple commandline
+    options are provided, fix creation of FULLPATH (Closes: #575580)
+
+ -- Ludovic Claude <ludovic.claude at laposte.net>  Wed, 21 Apr 2010 23:07:09 +0100
+
+tomcat6 (6.0.24-5) unstable; urgency=low
+
+  * Added optimised garbage collection options to tomcat6's default options.
+    Thanks to Aaron J. Zirbes and Thierry Carrez for research and the patch.
+    (Closes: LP: #541520)
+  * Updated the changelog to mention closed CVE's in the 6.0.24-1 release.
+  * Applied patch from Arto Jantunen fixing an issue with cleaning up the
+    pid-file. (Closes: #574084)
+
+ -- Niels Thykier <niels at thykier.net>  Thu, 25 Mar 2010 23:45:32 +0100
+
+tomcat6 (6.0.24-4) unstable; urgency=low
+
+  * debian/tomcat6.postrm: fix removal of Tomcat (Closes: #567548)
+  * Set UTF-8 as default character encoding - Patch by Thomas Koch
+    (Closes: #573539)
+
+ -- Ludovic Claude <ludovic.claude at laposte.net>  Thu, 11 Mar 2010 23:45:34 +0100
+
+tomcat6 (6.0.24-3) unstable; urgency=medium
+
+  * Set the major, minor and build versions when calling Ant
+    (Closes: LP: #495505)
+  * Rebuild with a more recent version of maven-repo-helper which puts
+    the javax jars at the correct location in the Maven repository.
+    Fixes several FTBFS in other packages.
+
+ -- Ludovic Claude <ludovic.claude at laposte.net>  Wed, 03 Mar 2010 00:10:15 +0100
+
+tomcat6 (6.0.24-2) unstable; urgency=low
+
+  * Fix missing symlinks to tomcat-coyote.jar and
+    catalina-tribes.jar causing NoClassDefFoundException
+    at startup (last minute packaging change, sorry)
+    (Closes: #570220)
+  * tomcat6-admin, tomcat6-examples and tomcat6-docs now depend on
+    tomcat6-common instead of tomcat6, this allow users to install
+    those packages without requiring tomcat6 and its automatic startup scripts
+    being present. tomcat-users can be installed instead and allow full
+    control over when Tomcat is started or stopped.
+
+ -- Ludovic Claude <ludovic.claude at laposte.net>  Wed, 17 Feb 2010 22:59:21 +0100
+
+tomcat6 (6.0.24-1) unstable; urgency=low
+
+  [ Ludovic Claude ]
+  * New upstream version
+    - Fixes Directory traversal vulnerability (CVE-2009-2693,CVE-2009-2902)
+    - Fixes Autodeployment vulnerability (CVE-2009-2901)
+  * Update the POM files for the new version of Tomcat
+  * Bump up Standards-Version to 3.8.4
+  * Refresh patches deploy-webapps-build-xml.patch and var_loaders.patch
+  * Remove patch fix_context_name.patch as it has been applied upstream
+  * Fix the installation of servlet-api-2.5.jar: the jar
+    goes to /usr/share/java as in older versions (6.0.20-2)
+    and links to the jar are added to /usr/share/maven-repo
+  * Moved NEWS.Debian into README.Debian
+  * Add a link from /usr/share/doc/tomcat6-common/README.Debian to
+    /usr/share/doc/tomcat6/README.Debian to include a minimum of
+    documentation in the tomcat6 package and add some useful notes. 
+    (Closes: #563937, #563939)
+  * Remove poms from the Debian packaging, use upstream pom files
+
+  [ Jason Brittain ]
+  * Fixed a bug in the init script: When a start fails, the PID file was
+    being left in place.  Now the init script makes sure it is deleted.
+  * Fixed a packaging bug that results in the ROOT webapp not being properly
+    installed after an uninstall, then a reinstall.
+  * control: Corrected a couple of comments (no functional change).
+
+ -- Ludovic Claude <ludovic.claude at laposte.net>  Tue, 09 Feb 2010 23:06:51 +0100
+
+tomcat6 (6.0.20-dfsg1-2) unstable; urgency=low
+
+  * JSVC is no longer used by the package.  Instead, the init script invokes
+    the stock catalina.sh script.
+  * Authbind is now the standard method for binding Tomcat to ports lower
+    than 1024 (when using IPv4).
+  * The security manager now defaults to the disabled state, and is commented
+    that way in /etc/default/tomcat6.
+  * Reliable restarts are now implemented in the init script.
+    (Closes: #561559)
+  * Tomcat now sends STDOUT and STDERR to its usual, stock log file
+    CATALINA_BASE/logs/catalina.out (/var/log/tomcat6/catalina.out in this
+    package's case.
+
+ -- Jason Brittain <jason.brittain at mulesoft.com>  Wed, 27 Jan 2010 01:08:57 +0000
+
+tomcat6 (6.0.20-dfsg1-1) unstable; urgency=low
+
+  * Fix debian/orig-tar.sh to exclude binary only standard.jar and jstl.jar.
+    (Closes: #528119)
+  * Upload a cleaned tarball.
+  * Add ${misc:Depends} in debian/control.
+
+ -- Torsten Werner <twerner at debian.org>  Sat, 23 Jan 2010 19:40:38 +0100
+
+tomcat6 (6.0.20-9) unstable; urgency=low
+
+  * Fix spelling issues.
+  * Always set JSVC_CLASSPATH to a default value in init.
+
+ -- Niels Thykier <niels at thykier.net>  Sat, 19 Dec 2009 19:11:33 +0100
+
+tomcat6 (6.0.20-8) unstable; urgency=low
+
+  * Corrected some spelling mistakes in debian/control.
+    (Closes: #557377, #557378)
+  * Added patches to install the OSGi metadata in some of the jars.
+    (Closes: #558176)
+  * Updated 03catalina.policy to allow "setContextClassLoader".
+    - Fixes a problem where Sun's JVM would fail to generate log-files.
+    (Closes: LP: #410379)
+  * Updated /etc/default/tomcat6:
+    - Clarified that JAVA_OPTS are passed to jscv and not the JVM.
+    - Updated the JSP_COMPILER to javac (jikes is not in Debian anymore).
+    (Closes: LP: #440685)
+  * Use default-jdk and default-jre-headless instead of openjdk in
+    (Build-)Depends.
+  * Added more alternatives for java implementations to the Depends of
+    libservlet2.5-java.
+  * Exposed JSVC_CLASSPATH to the configuration file.
+    (Closes: LP: #475457)
+  * Updated description so it no longer refers to non-existent package.
+    (Closes: #559475)
+  * Used "set -e" in postinst and postrm instead of passing "-e" to sh
+    in the #!-line.
+  * Changed to 3.0 (quilt) source format.
+
+ -- Niels Thykier <niels at thykier.net>  Mon, 07 Dec 2009 21:17:55 +0100
+
+tomcat6 (6.0.20-7) unstable; urgency=low
+
+  * New patch fix_context_name.patch:
+    - Allow Service name != Engine name. Regression in fix for 42707.
+      Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47316
+    - This has been fixed in trunk and will be in 6.0.21
+  * Register libservlet2.5-java-doc API with doc-base
+  * Fix short description of tomcat6-docs by using "documentation" suffix
+
+ -- Damien Raude-Morvan <drazzib at debian.org>  Sat, 10 Oct 2009 21:41:55 +0200
+
+tomcat6 (6.0.20-6) unstable; urgency=low
+
+  [ Ludovic Claude ]
+  * tomcat6.postinst: set the ownership of files in /etc/tomcat6/
+    to root:tomcat6, to prevent an attacker running inside a tomcat6
+    instance to change the tomcat configuration
+  * debian/policy/02debian.policy: grant access to 
+    /usr/share/maven-repo/ as it is a valid source of Debian JARs.
+    (Closes: #545674)
+  * Bump up Standards-Version to 3.8.3
+    - add debian/README.source that describes the quilt patch system.
+  * debian/control: Add Conflicts on libtomcat6-java with old versions
+    of tomcat6-common (Closes: #542397)
+
+  [ Michael Koch ]
+  * Replace dh_clean -k by dh_prep.
+  * Added Ludovic and myself to Uploaders.
+  * Build-Depends on debhelper >= 7.
+
+ -- Michael Koch <konqueror at gmx.de>  Fri, 25 Sep 2009 07:14:07 +0200
+
+tomcat6 (6.0.20-5) unstable; urgency=low
+
+  * Fix jsp-api dependency in the Maven descriptors.
+  * Put tomcat-juli.jar in /usr/share/java instead of juli.jar.
+    This fixes a broken link which prevented tomcat to start
+    when logging is turned on, and restores the file layout
+    defined in 6.0.20-2.
+  * Restore links to the jars in usr/share/tomcat6/lib
+  * Change watch to download fresh sources from SVN. 
+    Should fix wrong encoding in tomcat-i18n-fr/es.jar in the next upstream
+    version. (Closes: #522067)
+  * Update ownership for files in /etc/tomcat6 and /var/lib/tomcat6/webapps.
+    The new owner is tomcat6:adm (Closes: #532284)
+  * Add additional directories for the common, server and shared classloader.
+    Directories are also compatible with Alfresco's packaging done for
+    Ubuntu. (Closes: #521318)
+  * Update checksum in postrm script to reflect changes
+    in the new upstream webapp
+  * postrm removes the extra directories created in /var/lib/tomcat6
+    to hold shared and common classes or jars.
+  * Added commented out default options for enabling debug mode.
+    (Closes: LP: #375493)
+
+ -- Ludovic Claude <ludovic.claude at laposte.net>  Wed, 05 Aug 2009 00:56:59 +0100
+
+tomcat6 (6.0.20-4) experimental; urgency=low
+
+  * Fix init script:
+    - Change Provides: tomcat6. (Closes: #532286)
+    - Check for /etc/default/rcS before sourcing it.
+  * Update Standards-Version: 3.8.2 (no changes).
+
+ -- Torsten Werner <twerner at debian.org>  Thu, 16 Jul 2009 23:36:32 +0200
+
+tomcat6 (6.0.20-3) experimental; urgency=low
+
+  * Add the Maven POM to the package
+  * Add a Build-Depends-Indep dependency on maven-repo-helper
+  * Use mh_installpom and mh_installjar to install the POM and the jar to the
+    Maven repository
+
+ -- Ludovic Claude <ludovic.claude at laposte.net>  Tue, 14 Jul 2009 14:17:27 +0100
+
+tomcat6 (6.0.20-2) unstable; urgency=low
+
+  * Expose tomcat-juli.jar as a library in /usr/share/java
+    as it is a dependency of jasper which is used also by jetty
+
+ -- Ludovic Claude <ludovic.claude at laposte.net>  Mon, 15 Jun 2009 13:33:13 +0100
+
+tomcat6 (6.0.20-1) unstable; urgency=low
+
+  * new upstream release (Closes: #531873)
+  * Remove patch tcnative-ipv6-fix-43327.patch that has been applied upstream.
+  * Refresh other patches.
+
+ -- Torsten Werner <twerner at debian.org>  Fri, 05 Jun 2009 23:38:44 +0200
+
+tomcat6 (6.0.18-dfsg1-1) unstable; urgency=low
+
+  [ Torsten Werner ]
+  * Remove jstl.jar and standard.jar from orig tarball because it comes without
+    source code. (Closes: #528119)
+
+  [ Marcus Better ]
+  * Let the init script exit silently if the package is
+    uninstalled. (Closes: #529301)
+
+ -- Torsten Werner <twerner at debian.org>  Tue, 19 May 2009 21:23:18 +0200
+
+tomcat6 (6.0.18-4) unstable; urgency=low
+
+  * Add patch tcnative-ipv6-fix-43327.patch provided by Thierry Carrez.
+    (Closes: #527033)
+  * Change Section: java (from web).
+  * Bump up Standards-Version: 3.8.1 (no changes).
+  * Remove redundant Depends: ant because we depend on ant-optional.
+
+ -- Torsten Werner <twerner at debian.org>  Sun, 10 May 2009 19:41:40 +0200
+
+tomcat6 (6.0.18-3) unstable; urgency=low
+
+  * Remove unneeded dirs and symlinks; thanks to Thierry Carrez. (Closes:
+    #517857)
+  * Improve the long description of all binary packages. (Closes: #518140)
+
+ -- Torsten Werner <twerner at debian.org>  Wed, 04 Mar 2009 21:58:41 +0100
+
+tomcat6 (6.0.18-2) unstable; urgency=low
+
+  * upload to unstable
+
+ -- Torsten Werner <twerner at debian.org>  Sat, 21 Feb 2009 11:31:20 +0100
+
+tomcat6 (6.0.18-1) experimental; urgency=low
+
+  * Merge changes from Ubuntu. Thanks to the Ubuntu developers we are shipping
+    a full Tomcat 6.0 server stack now. (Closes: #494674)
+  * Add myself to Uploaders.
+  * Switch to openjdk-6 which is not the default in Debian.
+
+ -- Torsten Werner <twerner at debian.org>  Sat, 07 Feb 2009 17:02:57 +0100
+
+tomcat6 (6.0.18-0ubuntu5) jaunty; urgency=low
+
+  [ Thierry Carrez ]
+  * Removed tomcat6-[admin,docs,examples].post[inst,rm] and let Tomcat webapp
+    autodeployment features handle application load/unload (LP: #302914)
+  * tomcat6-instance-create, tomcat6-instance-create.1, control:
+    Allow to change the HTTP port, control port and shutdown word on the
+    tomcat6-instance-create command line (LP: #300691).
+
+  [ Mathias Gug]
+  * debian/tomcat6-instance-create: move directoryname from an option to 
+    an argument.
+  * debian/tomcat6-instance-create.1: some updates to the man page.
+  * debian/control: update maintainer field to Ubuntu Core Developers now that
+    tomcat6 is in main.
+
+ -- Mathias Gug <mathiaz at ubuntu.com>  Wed, 07 Jan 2009 18:44:39 -0500
+
+tomcat6 (6.0.18-0ubuntu4) jaunty; urgency=low
+
+  * tomcat6.init, tomcat6.postinst, tomcat6.dirs, tomcat6.default,
+    README.debian: Use /tmp/tomcat6-temp instead of /var/lib/tomcat6/temp as
+    the JVM temporary directory and clean it at each restart (LP: #287452)
+  * policy/04webapps.policy: add rules to allow usage of java.io.tmpdir
+  * tomcat6.init, rules: Do not use TearDown, as this results in
+    LifecycleListener callbacks in webapps being bypassed (LP: #299436)
+  * rules: Compile at Java 1.5 level to allow usage of Java 5 JREs
+    (LP: #286427)
+  * control, rules, libservlet2.5-java-doc.install,
+    libservlet2.5-java-doc.links: New libservlet2.5-java-doc package ships
+    missing Servlet/JSP API documentation (LP: #279645)
+  * patches/use-commons-dbcp.patch: Change default DBCP factory class
+    to org.apache.commons.dbcp.BasicDataSourceFactory (LP: #283852)
+  * tomcat6.dirs, tomcat6.postinst, default_root/index.html: Create
+    Catalina/localhost in /etc/tomcat6 and make it writeable by the tomcat6
+    group, so that autodeploy and admin webapps work as expected (LP: #294277)
+  * patches/disable-apr-loading.patch: Disable APR library loading until we
+    properly provide it.
+  * patches/disable-ajp-connector: Do not load AJP13 connector by default
+    (LP: #300697)
+  * rules: minor fixes to prevent build being called twice.
+
+ -- Thierry Carrez <thierry.carrez at ubuntu.com>  Thu, 27 Nov 2008 12:47:42 +0000
+
+tomcat6 (6.0.18-0ubuntu3) intrepid; urgency=low
+
+  * debian/tomcat6.postinst:
+    - Make /var/lib/tomcat6/temp writeable by the tomcat6 user (LP: #287126)
+    - Make /var/lib/tomcat6/webapps writeable by tomcat6 group (LP: #287447)
+  * debian/tomcat6.init: make status return nonzero if tomcat6 is not running
+    (fixes LP: #288218)
+
+ -- Thierry Carrez <thierry.carrez at ubuntu.com>  Thu, 23 Oct 2008 18:19:15 +0200
+
+tomcat6 (6.0.18-0ubuntu2) intrepid; urgency=low
+
+  * debian/rules: call dh_installinit with --error-handler so that install
+    doesn't fail if Tomcat cannot be started during configure (LP: #274365)
+
+ -- Thierry Carrez <thierry.carrez at ubuntu.com>  Mon, 06 Oct 2008 13:55:21 +0200
+
+tomcat6 (6.0.18-0ubuntu1) intrepid; urgency=low
+
+  * New upstream version (LP: #260016)
+    - Fixes CVE-2008-2938: Directory traversal vulnerability (LP: #256802)
+    - Fixes CVE-2008-2370: Information disclosure vulnerability (LP: #256922)
+    - Fixes CVE-2008-1232: XSS through sendError vulnerability (LP: #256926)
+  * Dropped CVE-2008-1947.patch (fix is shipped in this upstream release)
+  * control: Improve short descriptions for the binary packages
+  * copyright: Added link to /usr/share/common-licenses/Apache-2.0
+  * control: To pull the right JRE, libtomcat6-java now depends on
+    default-jre-headless | java6-runtime-headless
+
+ -- Thierry Carrez <thierry.carrez at ubuntu.com>  Fri, 22 Aug 2008 09:15:11 +0200
+
+tomcat6 (6.0.16-1ubuntu1) intrepid; urgency=low
+
+  * Adding full Tomcat 6 server stack support (LP: #256052)
+    - tomcat6 handles the system instance (/var/lib/tomcat6)
+    - tomcat6-user allows users to create their own private instances
+    - tomcat6-common installs common files in /usr/share/tomcat6
+    - libtomcat6-java installs Tomcat 6 java libs in /usr/share/java
+    - tomcat6-docs installs the documentation webapp
+    - tomcat6-examples installs the examples webapp
+    - tomcat6-admin installs the manager and host-manager webapps
+  * Other key differences with the tomcat5.5 packages:
+    - default-jdk build support
+    - OpenJDK-6 JRE runtime support
+    - tomcat6 installs a minimal ROOT webapp
+    - new webapp locations follow Debian webapp policy
+    - webapps restart tomcat6 in postrm rather than in prerm
+    - added a doc-base entry
+    - use standard upstream server.xml
+    - initscript: try to check if Tomcat is really running before returning OK
+    - removed transitional configuration migration code
+    - autogenerate policy in /var/cache/tomcat6 rather than /etc/tomcat6
+    - logging.properties is customized to remove -webapps-related lines
+    - initscript: implement TearDown spec
+  * CVE-2008-1947 fix (cross-site-scripting issue in host-manager webapp)
+
+ -- Thierry Carrez <thierry.carrez at ubuntu.com>  Fri, 08 Aug 2008 15:37:48 +0200
+
+tomcat6 (6.0.16-1) unstable; urgency=low
+
+  * Initial release.
+    (Closes: #480964).
+
+ -- Paul Cager <paul-debian at home.paulcager.org>  Mon, 12 May 2008 23:04:49 +0000

Copied: tags/tomcat6/6.0.32-7/debian/patches/0014-CVE-2011-1184.patch (from rev 15367, trunk/tomcat6/debian/patches/0014-CVE-2011-1184.patch)
===================================================================
--- tags/tomcat6/6.0.32-7/debian/patches/0014-CVE-2011-1184.patch	                        (rev 0)
+++ tags/tomcat6/6.0.32-7/debian/patches/0014-CVE-2011-1184.patch	2011-11-08 19:12:41 UTC (rev 15368)
@@ -0,0 +1,798 @@
+Description: fix HTTP DIGEST authentication weaknesses
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1158180
+
+Index: tomcat6-6.0.32/java/org/apache/catalina/authenticator/DigestAuthenticator.java
+===================================================================
+--- tomcat6-6.0.32.orig/java/org/apache/catalina/authenticator/DigestAuthenticator.java	2010-04-29 11:00:41.000000000 -0400
++++ tomcat6-6.0.32/java/org/apache/catalina/authenticator/DigestAuthenticator.java	2011-10-13 16:38:43.989355250 -0400
+@@ -23,11 +23,14 @@
+ import java.security.MessageDigest;
+ import java.security.NoSuchAlgorithmException;
+ import java.security.Principal;
++import java.util.LinkedHashMap;
++import java.util.Map;
+ import java.util.StringTokenizer;
+ 
+ import javax.servlet.http.HttpServletResponse;
+ 
+ 
++import org.apache.catalina.LifecycleException;
+ import org.apache.catalina.Realm;
+ import org.apache.catalina.connector.Request;
+ import org.apache.catalina.connector.Response;
+@@ -47,8 +50,8 @@
+  * @version $Id: DigestAuthenticator.java 939336 2010-04-29 15:00:41Z kkolinko $
+  */
+ 
+-public class DigestAuthenticator
+-    extends AuthenticatorBase {
++public class DigestAuthenticator extends AuthenticatorBase {
++
+     private static Log log = LogFactory.getLog(DigestAuthenticator.class);
+ 
+ 
+@@ -67,6 +70,11 @@
+         "org.apache.catalina.authenticator.DigestAuthenticator/1.0";
+ 
+ 
++    /**
++     * Tomcat's DIGEST implementation only supports auth quality of protection.
++     */
++    protected static final String QOP = "auth";
++
+     // ----------------------------------------------------------- Constructors
+ 
+ 
+@@ -92,17 +100,49 @@
+ 
+ 
+     /**
++     * List of client nonce values currently being tracked
++     */
++    protected Map<String,NonceInfo> cnonces;
++
++
++    /**
++     * Maximum number of client nonces to keep in the cache. If not specified,
++     * the default value of 1000 is used.
++     */
++    protected int cnonceCacheSize = 1000;
++
++
++    /**
+      * Private key.
+      */
+-    protected String key = "Catalina";
++    protected String key = null;
+ 
+ 
+-    // ------------------------------------------------------------- Properties
++    /**
++     * How long server nonces are valid for in milliseconds. Defaults to 5
++     * minutes.
++     */
++    protected long nonceValidity = 5 * 60 * 1000;
++
++
++    /**
++     * Opaque string.
++     */
++    protected String opaque;
+ 
+ 
+     /**
++     * Should the URI be validated as required by RFC2617? Can be disabled in
++     * reverse proxies where the proxy has modified the URI.
++     */
++    protected boolean validateUri = true;
++
++    // ------------------------------------------------------------- Properties
++
++    /**
+      * Return descriptive information about this Valve implementation.
+      */
++    @Override
+     public String getInfo() {
+ 
+         return (info);
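Review bot: the new default `protected String key = null;` is not initialised anywhere in this hunk, and its Javadoc still says only "Private key.", so a reader cannot tell what a null key means or where it gets a value. generateNonce concatenates getKey() into the string it hashes, so if nothing assigns the field before the first request, every nonce is derived from the literal text "null", which is no better than the old fixed "Catalina". Please document on the field where the key is populated when the administrator does not set one (the added LifecycleException import suggests a start-up hook), and say on validateUri that disabling it drops the RFC 2617 URI check. The cnonces comment also describes a Map as a "List".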
+@@ -110,9 +150,58 @@
+     }
+ 
+ 
+-    // --------------------------------------------------------- Public Methods
++    public int getCnonceCacheSize() {
++        return cnonceCacheSize;
++    }
++
++
++    public void setCnonceCacheSize(int cnonceCacheSize) {
++        this.cnonceCacheSize = cnonceCacheSize;
++    }
++
++
++    public String getKey() {
++        return key;
++    }
++
++
++    public void setKey(String key) {
++        this.key = key;
++    }
++
++
++    public long getNonceValidity() {
++        return nonceValidity;
++    }
++
++
++    public void setNonceValidity(long nonceValidity) {
++        this.nonceValidity = nonceValidity;
++    }
++
++
++    public String getOpaque() {
++        return opaque;
++    }
++
++
++    public void setOpaque(String opaque) {
++        this.opaque = opaque;
++    }
++
++
++    public boolean isValidateUri() {
++        return validateUri;
++    }
++
++
++    public void setValidateUri(boolean validateUri) {
++        this.validateUri = validateUri;
++    }
+ 
+ 
++    // --------------------------------------------------------- Public Methods
++
+     /**
+      * Authenticate the user making this request, based on the specified
+      * login configuration.  Return <code>true</code> if any specified
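Review bot: the new setters in this hunk accept any value without checking it: setCnonceCacheSize takes zero or a negative size, setNonceValidity takes zero or a negative lifetime, and setKey and setOpaque take null or an empty string. These are security parameters set from configuration, so a typo should fail loudly rather than quietly weaken or break DIGEST authentication. Suggest rejecting non-positive numbers (or documenting what they mean) and adding Javadoc to each setter, including the unit for nonceValidity, which is stated as milliseconds only on the field.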
+@@ -126,6 +215,7 @@
+      *
+      * @exception IOException if an input/output error occurs
+      */
++    @Override
+     public boolean authenticate(Request request,
+                                 Response response,
+                                 LoginConfig config)
+@@ -172,8 +262,13 @@
+ 
+         // Validate any credentials already included with this request
+         String authorization = request.getHeader("authorization");
++        DigestInfo digestInfo = new DigestInfo(getOpaque(), getNonceValidity(),
++                getKey(), cnonces, isValidateUri());
+         if (authorization != null) {
+-            principal = findPrincipal(request, authorization, context.getRealm());
++            if (digestInfo.validate(request, authorization, config)) {
++                principal = digestInfo.authenticate(context.getRealm());
++            }
++            
+             if (principal != null) {
+                 String username = parseUsername(authorization);
+                 register(request, response, principal,
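Review bot: after digestInfo.validate() and digestInfo.authenticate() succeed, the name handed to register() still comes from the unchanged line `String username = parseUsername(authorization);`, a second, independent parse of the same header. Two parsers reading one attacker-supplied header can disagree about which username is present, so the registered name may not be the one whose digest was checked. Suggest exposing the username that DigestInfo parsed and using it here. The added line consisting only of whitespace after the inner closing brace can also be dropped.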
+@@ -185,11 +280,12 @@
+ 
+         // Send an "unauthorized" response and an appropriate challenge
+ 
+-        // Next, generate a nOnce token (that is a token which is supposed
++        // Next, generate a nonce token (that is a token which is supposed
+         // to be unique).
+-        String nOnce = generateNOnce(request);
++        String nonce = generateNonce(request);
+ 
+-        setAuthenticateHeader(request, response, config, nOnce);
++        setAuthenticateHeader(request, response, config, nonce,
++                digestInfo.isNonceStale());
+         response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
+         //      hres.flushBuffer();
+         return (false);
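Review bot: `digestInfo.isNonceStale()` is read on the challenge path, which also runs when the request carried no Authorization header and validate() was never called, so the call depends on DigestInfo defaulting the flag to false. That is worth a short comment here. RFC 2617 also says stale should be true only when the digest was otherwise valid for the expired nonce; this hunk does not show where the flag is set, so please confirm it cannot become true for a request whose credentials were never checked.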
+@@ -201,92 +297,6 @@
+ 
+ 
+     /**
+-     * Parse the specified authorization credentials, and return the
+-     * associated Principal that these credentials authenticate (if any)
+-     * from the specified Realm.  If there is no such Principal, return
+-     * <code>null</code>.
+-     *
+-     * @param request HTTP servlet request
+-     * @param authorization Authorization credentials from this request
+-     * @param realm Realm used to authenticate Principals
+-     */
+-    protected static Principal findPrincipal(Request request,
+-                                             String authorization,
+-                                             Realm realm) {
+-
+-        //System.out.println("Authorization token : " + authorization);
+-        // Validate the authorization credentials format
+-        if (authorization == null)
+-            return (null);
+-        if (!authorization.startsWith("Digest "))
+-            return (null);
+-        authorization = authorization.substring(7).trim();
+-
+-        // Bugzilla 37132: http://issues.apache.org/bugzilla/show_bug.cgi?id=37132
+-        String[] tokens = authorization.split(",(?=(?:[^\"]*\"[^\"]*\")+$)");
+-
+-        String userName = null;
+-        String realmName = null;
+-        String nOnce = null;
+-        String nc = null;
+-        String cnonce = null;
+-        String qop = null;
+-        String uri = null;
+-        String response = null;
+-        String method = request.getMethod();
+-
+-        for (int i = 0; i < tokens.length; i++) {
+-            String currentToken = tokens[i];
+-            if (currentToken.length() == 0)
+-                continue;
+-
+-            int equalSign = currentToken.indexOf('=');
+-            if (equalSign < 0)
+-                return null;
+-            String currentTokenName =
+-                currentToken.substring(0, equalSign).trim();
+-            String currentTokenValue =
+-                currentToken.substring(equalSign + 1).trim();
+-            if ("username".equals(currentTokenName))
+-                userName = removeQuotes(currentTokenValue);
+-            if ("realm".equals(currentTokenName))
+-                realmName = removeQuotes(currentTokenValue, true);
+-            if ("nonce".equals(currentTokenName))
+-                nOnce = removeQuotes(currentTokenValue);
+-            if ("nc".equals(currentTokenName))
+-                nc = removeQuotes(currentTokenValue);
+-            if ("cnonce".equals(currentTokenName))
+-                cnonce = removeQuotes(currentTokenValue);
+-            if ("qop".equals(currentTokenName))
+-                qop = removeQuotes(currentTokenValue);
+-            if ("uri".equals(currentTokenName))
+-                uri = removeQuotes(currentTokenValue);
+-            if ("response".equals(currentTokenName))
+-                response = removeQuotes(currentTokenValue);
+-        }
+-
+-        if ( (userName == null) || (realmName == null) || (nOnce == null)
+-             || (uri == null) || (response == null) )
+-            return null;
+-
+-        // Second MD5 digest used to calculate the digest :
+-        // MD5(Method + ":" + uri)
+-        String a2 = method + ":" + uri;
+-        //System.out.println("A2:" + a2);
+-
+-        byte[] buffer = null;
+-        synchronized (md5Helper) {
+-            buffer = md5Helper.digest(a2.getBytes());
+-        }
+-        String md5a2 = md5Encoder.encode(buffer);
+-
+-        return (realm.authenticate(userName, response, nOnce, nc, cnonce, qop,
+-                                   realmName, md5a2));
+-
+-    }
+-
+-
+-    /**
+      * Parse the username from the specified authorization string.  If none
+      * can be identified, return <code>null</code>
+      *
+@@ -294,7 +304,6 @@
+      */
+     protected String parseUsername(String authorization) {
+ 
+-        //System.out.println("Authorization token : " + authorization);
+         // Validate the authorization credentials format
+         if (authorization == null)
+             return (null);
+@@ -354,20 +363,20 @@
+      *
+      * @param request HTTP Servlet request
+      */
+-    protected String generateNOnce(Request request) {
++    protected String generateNonce(Request request) {
+ 
+         long currentTime = System.currentTimeMillis();
+ 
+-        String nOnceValue = request.getRemoteAddr() + ":" +
+-            currentTime + ":" + key;
++        
++        String ipTimeKey =
++            request.getRemoteAddr() + ":" + currentTime + ":" + getKey();
+ 
+-        byte[] buffer = null;
++        byte[] buffer;
+         synchronized (md5Helper) {
+-            buffer = md5Helper.digest(nOnceValue.getBytes());
++            buffer = md5Helper.digest(ipTimeKey.getBytes());
+         }
+-        nOnceValue = md5Encoder.encode(buffer);
+ 
+-        return nOnceValue;
++        return currentTime + ":" + md5Encoder.encode(buffer);
+     }
+ 
+ 
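Review bot: in generateNonce(), `ipTimeKey.getBytes()` encodes with the platform default charset, so the digest input depends on the JVM's locale settings; pass an explicit charset there. The nonce is also bound to `request.getRemoteAddr()`, which deserves a sentence in the Javadoc, because a client whose source address changes between challenge and response (for example behind a proxy pool) will be rejected. The added line after the `currentTime` declaration contains only whitespace and can be dropped.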
+@@ -379,7 +388,7 @@
+      *      WWW-Authenticate    = "WWW-Authenticate" ":" "Digest"
+      *                            digest-challenge
+      *
+-     *      digest-challenge    = 1#( realm | [ domain ] | nOnce |
++     *      digest-challenge    = 1#( realm | [ domain ] | nonce |
+      *                  [ digest-opaque ] |[ stale ] | [ algorithm ] )
+      *
+      *      realm               = "realm" "=" realm-value
+@@ -396,29 +405,303 @@
+      * @param response HTTP Servlet response
+      * @param config    Login configuration describing how authentication
+      *              should be performed
+-     * @param nOnce nonce token
++     * @param nonce nonce token
+      */
+     protected void setAuthenticateHeader(Request request,
+                                          Response response,
+                                          LoginConfig config,
+-                                         String nOnce) {
++                                         String nonce,
++                                         boolean isNonceStale) {
+ 
+         // Get the realm name
+         String realmName = config.getRealmName();
+         if (realmName == null)
+             realmName = REALM_NAME;
+ 
+-        byte[] buffer = null;
+-        synchronized (md5Helper) {
+-            buffer = md5Helper.digest(nOnce.getBytes());
++        String authenticateHeader;
++        if (isNonceStale) {
++            authenticateHeader = "Digest realm=\"" + realmName + "\", " +
++            "qop=\"" + QOP + "\", nonce=\"" + nonce + "\", " + "opaque=\"" +
++            getOpaque() + "\", stale=true";
++        } else {
++            authenticateHeader = "Digest realm=\"" + realmName + "\", " +
++            "qop=\"" + QOP + "\", nonce=\"" + nonce + "\", " + "opaque=\"" +
++            getOpaque() + "\"";
+         }
+ 
+-        String authenticateHeader = "Digest realm=\"" + realmName + "\", "
+-            +  "qop=\"auth\", nonce=\"" + nOnce + "\", " + "opaque=\""
+-            + md5Encoder.encode(buffer) + "\"";
+         response.setHeader("WWW-Authenticate", authenticateHeader);
+ 
+     }
+ 
+ 
++    // ------------------------------------------------------- Lifecycle Methods
++    
++    @Override
++    public void start() throws LifecycleException {
++        super.start();
++        
++        // Generate a random secret key
++        if (getKey() == null) {
++            setKey(generateSessionId());
++        }
++        
++        // Generate the opaque string the same way
++        if (getOpaque() == null) {
++            setOpaque(generateSessionId());
++        }
++        
++        cnonces = new LinkedHashMap<String, DigestAuthenticator.NonceInfo>() {
++
++            private static final long serialVersionUID = 1L;
++            private static final long LOG_SUPPRESS_TIME = 5 * 60 * 1000;
++
++            private long lastLog = 0;
++
++            @Override
++            protected boolean removeEldestEntry(
++                    Map.Entry<String,NonceInfo> eldest) {
++                // This is called from a sync so keep it simple
++                long currentTime = System.currentTimeMillis();
++                if (size() > getCnonceCacheSize()) {
++                    if (lastLog < currentTime &&
++                            currentTime - eldest.getValue().getTimestamp() <
++                            getNonceValidity()) {
++                        // Replay attack is possible
++                        log.warn(sm.getString(
++                                "digestAuthenticator.cacheRemove"));
++                        lastLog = currentTime + LOG_SUPPRESS_TIME;
++                    }
++                    return true;
++                }
++                return false;
++            }
++        };
++    }
++ 
++    private static class DigestInfo {
++
++        private String opaque;
++        private long nonceValidity;
++        private String key;
++        private Map<String,NonceInfo> cnonces;
++        private boolean validateUri = true;
++
++        private String userName = null;
++        private String method = null;
++        private String uri = null;
++        private String response = null;
++        private String nonce = null;
++        private String nc = null;
++        private String cnonce = null;
++        private String realmName = null;
++        private String qop = null;
++
++        private boolean nonceStale = false;
++
++
++        public DigestInfo(String opaque, long nonceValidity, String key,
++                Map<String,NonceInfo> cnonces, boolean validateUri) {
++            this.opaque = opaque;
++            this.nonceValidity = nonceValidity;
++            this.key = key;
++            this.cnonces = cnonces;
++            this.validateUri = validateUri;
++        }
++
++        public boolean validate(Request request, String authorization,
++                LoginConfig config) {
++            // Validate the authorization credentials format
++            if (authorization == null) {
++                return false;
++            }
++            if (!authorization.startsWith("Digest ")) {
++                return false;
++            }
++            authorization = authorization.substring(7).trim();
++
++            // Bugzilla 37132: http://issues.apache.org/bugzilla/show_bug.cgi?id=37132
++            String[] tokens = authorization.split(",(?=(?:[^\"]*\"[^\"]*\")+$)");
++
++            method = request.getMethod();
++            String opaque = null;
++
++            for (int i = 0; i < tokens.length; i++) {
++                String currentToken = tokens[i];
++                if (currentToken.length() == 0)
++                    continue;
++
++                int equalSign = currentToken.indexOf('=');
++                if (equalSign < 0) {
++                    return false;
++                }
++                String currentTokenName =
++                    currentToken.substring(0, equalSign).trim();
++                String currentTokenValue =
++                    currentToken.substring(equalSign + 1).trim();
++                if ("username".equals(currentTokenName))
++                    userName = removeQuotes(currentTokenValue);
++                if ("realm".equals(currentTokenName))
++                    realmName = removeQuotes(currentTokenValue, true);
++                if ("nonce".equals(currentTokenName))
++                    nonce = removeQuotes(currentTokenValue);
++                if ("nc".equals(currentTokenName))
++                    nc = removeQuotes(currentTokenValue);
++                if ("cnonce".equals(currentTokenName))
++                    cnonce = removeQuotes(currentTokenValue);
++                if ("qop".equals(currentTokenName))
++                    qop = removeQuotes(currentTokenValue);
++                if ("uri".equals(currentTokenName))
++                    uri = removeQuotes(currentTokenValue);
++                if ("response".equals(currentTokenName))
++                    response = removeQuotes(currentTokenValue);
++                if ("opaque".equals(currentTokenName))
++                    opaque = removeQuotes(currentTokenValue);
++            }
++
++            if ( (userName == null) || (realmName == null) || (nonce == null)
++                 || (uri == null) || (response == null) ) {
++                return false;
++            }
++
++            // Validate the URI - should match the request line sent by client
++            if (validateUri) {
++                String uriQuery;
++                String query = request.getQueryString();
++                if (query == null) {
++                    uriQuery = request.getRequestURI();
++                } else {
++                    uriQuery = request.getRequestURI() + "?" + query;
++                }
++                if (!uri.equals(uriQuery)) {
++                    return false;
++                }
++            }
++
++            // Validate the Realm name
++            String lcRealm = config.getRealmName();
++            if (lcRealm == null) {
++                lcRealm = REALM_NAME;
++            }
++            if (!lcRealm.equals(realmName)) {
++                return false;
++            }
++            
++            // Validate the opaque string
++            if (!this.opaque.equals(opaque)) {
++                return false;
++            }
++
++            // Validate nonce
++            int i = nonce.indexOf(":");
++            if (i < 0 || (i + 1) == nonce.length()) {
++                return false;
++            }
++            long nonceTime;
++            try {
++                nonceTime = Long.parseLong(nonce.substring(0, i));
++            } catch (NumberFormatException nfe) {
++                return false;
++            }
++            String md5clientIpTimeKey = nonce.substring(i + 1);
++            long currentTime = System.currentTimeMillis();
++            if ((currentTime - nonceTime) > nonceValidity) {
++                nonceStale = true;
++                return false;
++            }
++            String serverIpTimeKey =
++                request.getRemoteAddr() + ":" + nonceTime + ":" + key;
++            byte[] buffer = null;
++            synchronized (md5Helper) {
++                buffer = md5Helper.digest(serverIpTimeKey.getBytes());
++            }
++            String md5ServerIpTimeKey = md5Encoder.encode(buffer);
++            if (!md5ServerIpTimeKey.equals(md5clientIpTimeKey)) {
++                return false;
++            }
++
++            // Validate qop
++            if (qop != null && !QOP.equals(qop)) {
++                return false;
++            }
++
++            // Validate cnonce and nc
++            // Check if presence of nc and nonce is consistent with presence of qop
++            if (qop == null) {
++                if (cnonce != null || nc != null) {
++                    return false;
++                }
++            } else {
++                if (cnonce == null || nc == null) {
++                    return false;
++                }
++                if (nc.length() != 8) {
++                    return false;
++                }
++                long count;
++                try {
++                    count = Long.parseLong(nc, 16);
++                } catch (NumberFormatException nfe) {
++                    return false;
++                }
++                NonceInfo info;
++                synchronized (cnonces) {
++                    info = cnonces.get(cnonce);
++                }
++                if (info == null) {
++                    info = new NonceInfo();
++                } else {
++                    if (count <= info.getCount()) {
++                        return false;
++                    }
++                }
++                info.setCount(count);
++                info.setTimestamp(currentTime);
++                synchronized (cnonces) {
++                    cnonces.put(cnonce, info);
++                }
++            }
++            return true;
++        }
++
++        public boolean isNonceStale() {
++            return nonceStale;
++        }
++
++        public Principal authenticate(Realm realm) {
++            // Second MD5 digest used to calculate the digest :
++            // MD5(Method + ":" + uri)
++            String a2 = method + ":" + uri;
++
++            byte[] buffer;
++            synchronized (md5Helper) {
++                buffer = md5Helper.digest(a2.getBytes());
++            }
++            String md5a2 = md5Encoder.encode(buffer);
++
++            return realm.authenticate(userName, response, nonce, nc, cnonce,
++                    qop, realmName, md5a2);
++        }
++
++    }
++
++    private static class NonceInfo {
++        private volatile long count;
++        private volatile long timestamp;
++        
++        public void setCount(long l) {
++            count = l;
++        }
++        
++        public long getCount() {
++            return count;
++        }
++        
++        public void setTimestamp(long l) {
++            timestamp = l;
++        }
++        
++        public long getTimestamp() {
++            return timestamp;
++        }
++    }
+ }
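Review bot: in DigestInfo.validate(), the nc replay check is a check-then-act sequence split across two separate `synchronized (cnonces)` blocks: `cnonces.get(cnonce)` and the `count <= info.getCount()` comparison finish before the lock is taken again for `cnonces.put(cnonce, info)`, so two concurrent requests carrying the same cnonce and nc can both reach `return true`. Hold one lock across the lookup, the comparison and the update. Two further points in the same method: when `qop == null` the method returns true without any nc tracking, so a captured response stays acceptable until nonceValidity expires, which should be stated in a comment or the documentation; and the nonce recomputation uses `serverIpTimeKey.getBytes()` with the default charset, compared via `String.equals`, where an explicit charset and a constant-time comparison would be preferable. In setAuthenticateHeader() the two branches differ only by the `stale=true` suffix and could share one string.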
+Index: tomcat6-6.0.32/java/org/apache/catalina/authenticator/LocalStrings.properties
+===================================================================
+--- tomcat6-6.0.32.orig/java/org/apache/catalina/authenticator/LocalStrings.properties	2009-12-21 07:56:09.000000000 -0500
++++ tomcat6-6.0.32/java/org/apache/catalina/authenticator/LocalStrings.properties	2011-10-13 16:38:43.989355250 -0400
+@@ -28,5 +28,7 @@
+ authenticator.unauthorized=Cannot authenticate with the provided credentials
+ authenticator.userDataConstraint=This request violates a User Data constraint for this application
+ 
++digestAuthenticator.cacheRemove=A valid entry has been removed from client nonce cache to make room for new entries. A replay attack is now possible. To prevent the possibility of replay attacks, reduce nonceValidity or increase cnonceCacheSize. Further warnings of this type will be suppressed for 5 minutes.
++ 
+ formAuthenticator.forwardErrorFail=Unexpected error forwarding to error page
+ formAuthenticator.forwardLoginFail=Unexpected error forwarding to login page
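Review bot: the digestAuthenticator.cacheRemove text hard-codes "5 minutes", which duplicates the LOG_SUPPRESS_TIME constant in DigestAuthenticator; if the constant changes, the message becomes wrong. Either pass the interval as a `{0}` argument or add a comment next to the constant pointing at this string. The added separator line after the message contains a trailing space.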
+Index: tomcat6-6.0.32/java/org/apache/catalina/authenticator/mbeans-descriptors.xml
+===================================================================
+--- tomcat6-6.0.32.orig/java/org/apache/catalina/authenticator/mbeans-descriptors.xml	2007-08-04 19:30:01.000000000 -0400
++++ tomcat6-6.0.32/java/org/apache/catalina/authenticator/mbeans-descriptors.xml	2011-10-13 16:38:43.989355250 -0400
+@@ -60,10 +60,30 @@
+                description="Fully qualified class name of the managed object"
+                type="java.lang.String"
+                writeable="false"/>
+-      
++
++    <attribute name="cnonceCacheSize"
++               description="The size of the cnonce cache used to prevent replay attacks"
++               type="int"/>
++
+     <attribute   name="entropy"
+                description="A String initialization parameter used to increase the  entropy of the initialization of our random number generator"
+                type="java.lang.String"/>
++
++    <attribute name="key"
++               description="The secret key used by digest authentication"
++               type="java.lang.String"/>
++      
++    <attribute name="nonceValidity"
++               description="The time, in milliseconds, for which a server issued nonce will be valid"
++               type="long"/>
++
++    <attribute name="opaque"
++               description="The opaque server string used by digest authentication"
++               type="java.lang.String"/>
++
++    <attribute name="validateUri"
++               description="Should the uri be validated as required by RFC2617?"
++               type="boolean"/>
+   </mbean>
+   
+   <mbean name="FormAuthenticator"
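Review bot: the new `key` attribute is declared without any access restriction, so the secret key used by digest authentication becomes readable by anyone with JMX read access, and nonces are derived from that value. Consider leaving `key` out of the descriptor or making it write-only. The blank line added before the `nonceValidity` attribute carries trailing whitespace, which is what the first removed and re-added line in this hunk was cleaning up.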
+Index: tomcat6-6.0.32/java/org/apache/catalina/realm/RealmBase.java
+===================================================================
+--- tomcat6-6.0.32.orig/java/org/apache/catalina/realm/RealmBase.java	2010-04-29 20:08:58.000000000 -0400
++++ tomcat6-6.0.32/java/org/apache/catalina/realm/RealmBase.java	2011-10-13 16:38:43.989355250 -0400
+@@ -353,22 +353,27 @@
+      *
+      * @param username Username of the Principal to look up
+      * @param clientDigest Digest which has been submitted by the client
+-     * @param nOnce Unique (or supposedly unique) token which has been used
++     * @param nonce Unique (or supposedly unique) token which has been used
+      * for this request
+      * @param realm Realm name
+      * @param md5a2 Second MD5 digest used to calculate the digest :
+      * MD5(Method + ":" + uri)
+      */
+     public Principal authenticate(String username, String clientDigest,
+-                                  String nOnce, String nc, String cnonce,
++                                  String nonce, String nc, String cnonce,
+                                   String qop, String realm,
+                                   String md5a2) {
+ 
+         String md5a1 = getDigest(username, realm);
+         if (md5a1 == null)
+             return null;
+-        String serverDigestValue = md5a1 + ":" + nOnce + ":" + nc + ":"
+-            + cnonce + ":" + qop + ":" + md5a2;
++        String serverDigestValue;
++        if (qop == null) {
++            serverDigestValue = md5a1 + ":" + nonce + ":" + md5a2;
++        } else {
++            serverDigestValue = md5a1 + ":" + nonce + ":" + nc + ":" +
++                    cnonce + ":" + qop + ":" + md5a2;
++        }
+ 
+         byte[] valueBytes = null;
+         if(getDigestEncoding() == null) {
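Review bot: the Javadoc above authenticate() is touched to rename nOnce but still has no @param entries for nc, cnonce and qop, and nothing documents the new `qop == null` branch. Add the missing tags and a line saying that a null qop selects the shorter `md5a1 + ":" + nonce + ":" + md5a2` form, so callers know that nc and cnonce are ignored in that case.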
+@@ -390,7 +395,7 @@
+ 
+         if (log.isDebugEnabled()) {
+             log.debug("Digest : " + clientDigest + " Username:" + username 
+-                    + " ClientSigest:" + clientDigest + " nOnce:" + nOnce 
++                    + " ClientSigest:" + clientDigest + " nonce:" + nonce 
+                     + " nc:" + nc + " cnonce:" + cnonce + " qop:" + qop 
+                     + " realm:" + realm + "md5a2:" + md5a2 
+                     + " Server digest:" + serverDigest);
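Review bot: the changed debug line still reads `" ClientSigest:"`, a typo for "ClientDigest", and it prints clientDigest a second time after the leading `"Digest : "`. Since the line is being edited anyway, fix the label, drop the duplicate, and add the missing space before `"md5a2:"` so the fields stay parseable.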
+Index: tomcat6-6.0.32/webapps/docs/config/valve.xml
+===================================================================
+--- tomcat6-6.0.32.orig/webapps/docs/config/valve.xml	2010-11-02 15:26:07.000000000 -0400
++++ tomcat6-6.0.32/webapps/docs/config/valve.xml	2011-10-13 16:38:43.989355250 -0400
+@@ -460,6 +460,12 @@
+         used.</p>
+       </attribute>
+ 
++      <attribute name="cnonceCacheSize" required="false">
++        <p>To protect against replay attacks, the DIGEST authenticator tracks
++        client nonce and nonce count values. This attribute controls the size
++        of that cache. If not specified, the default value of 1000 is used.</p>
++      </attribute>
++
+       <attribute name="disableProxyCaching" required="false">
+         <p>Controls the caching of pages that are protected by security
+         constraints. Setting this to <code>false</code> may help work around
+@@ -470,6 +476,26 @@
+         <code>true</code> will be used.</p>
+       </attribute>
+ 
++      <attribute name="key" required="false">
++        <p>The secret key used by digest authentication. If not set, a secure
++        random value is generated. This should normally only be set when it is
++        necessary to keep key values constant either across server restarts
++        and/or across a cluster.</p>
++      </attribute>
++
++      <attribute name="nonceValidity" required="false">
++        <p>The time, in milliseconds, that a server generated nonce will be
++        considered valid for use in authentication. If not specified, the
++        default value of 300000 (5 minutes) will be used.</p>
++      </attribute>
++
++      <attribute name="opaque" required="false">
++        <p>The opaque server string used by digest authentication. If not set, a
++        random value is generated. This should normally only be set when it is
++        necessary to keep opaque values constant either across server restarts
++        and/or across a cluster.</p>
++      </attribute>
++
+       <attribute name="securePagesWithPragma" required="false">
+         <p>Controls the caching of pages that are protected by security
+         constraints. Setting this to <code>false</code> may help work around
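Review bot: the `key` description says when to set the attribute but not what a configured value must look like. Because nonces are derived from it, the text should say that a configured key has to be unguessable and kept out of world-readable configuration. The wording is also inconsistent with `opaque`: one says "a secure random value is generated", the other "a random value is generated", although start() fills both from generateSessionId().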
+@@ -479,6 +505,14 @@
+         If not set, the default value of <code>true</code> will be used.</p>
+       </attribute>
+ 
++      <attribute name="validateUri" required="false">
++        <p>Should the URI be validated as required by RFC2617? If not specified,
++        the default value of <code>true</code> will be used. This should
++        normally only be set when Tomcat is located behind a reverse proxy and
++        the proxy is modifying the URI passed to Tomcat such that DIGEST
++        authentication always fails.</p>
++      </attribute>
++
+     </attributes>
+ 
+   </subsection>
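Review bot: the `validateUri` text explains when to disable the check but not what is lost by doing so. Add a sentence stating that with `false` the uri in the Authorization header is no longer compared with the request line, so an operator can weigh that against the reverse-proxy case.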

Copied: tags/tomcat6/6.0.32-7/debian/patches/0015-CVE-2011-2526.patch (from rev 15367, trunk/tomcat6/debian/patches/0015-CVE-2011-2526.patch)
===================================================================
--- tags/tomcat6/6.0.32-7/debian/patches/0015-CVE-2011-2526.patch	                        (rev 0)
+++ tags/tomcat6/6.0.32-7/debian/patches/0015-CVE-2011-2526.patch	2011-11-08 19:12:41 UTC (rev 15368)
@@ -0,0 +1,144 @@
+Description: fix file restriction bypass or denial of service via untrusted web application
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1146703
+Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=634992
+
+Index: tomcat6-6.0.32/java/org/apache/catalina/connector/LocalStrings.properties
+===================================================================
+--- tomcat6-6.0.32.orig/java/org/apache/catalina/connector/LocalStrings.properties	2011-01-20 16:36:06.000000000 -0500
++++ tomcat6-6.0.32/java/org/apache/catalina/connector/LocalStrings.properties	2011-10-13 16:40:14.477357566 -0400
+@@ -61,6 +61,7 @@
+ coyoteRequest.parseParameters=Exception thrown whilst processing POSTed parameters
+ coyoteRequest.postTooLarge=Parameters were not parsed because the size of the posted data was too big. Use the maxPostSize attribute of the connector to resolve this if the application should accept large POSTs.
+ coyoteRequest.chunkedPostTooLarge=Parameters were not parsed because the size of the posted data was too big. Because this request was a chunked request, it could not be processed further. Use the maxPostSize attribute of the connector to resolve this if the application should accept large POSTs.
++coyoteRequest.sendfileNotCanonical=Unable to determine canonical name of file [{0}] specified for use with sendfile
+ coyoteRequest.sessionEndAccessFail=Exception triggered ending access to session while recycling request
+ 
+ requestFacade.nullRequest=The request object has been recycled and is no longer associated with this facade
+Index: tomcat6-6.0.32/java/org/apache/catalina/connector/Request.java
+===================================================================
+--- tomcat6-6.0.32.orig/java/org/apache/catalina/connector/Request.java	2011-02-01 22:09:54.000000000 -0500
++++ tomcat6-6.0.32/java/org/apache/catalina/connector/Request.java	2011-10-13 16:39:36.549356595 -0400
+@@ -19,6 +19,7 @@
+ package org.apache.catalina.connector;
+ 
+ 
++import java.io.File;
+ import java.io.InputStream;
+ import java.io.IOException;
+ import java.io.BufferedReader;
+@@ -1455,6 +1456,26 @@
+             return;
+         }
+ 
++        // Do the security check before any updates are made
++        if (Globals.IS_SECURITY_ENABLED &&
++                name.equals("org.apache.tomcat.sendfile.filename")) {
++            // Use the canonical file name to avoid any possible symlink and
++            // relative path issues
++            String canonicalPath;
++            try {
++                canonicalPath = new File(value.toString()).getCanonicalPath();
++            } catch (IOException e) {
++                throw new SecurityException(sm.getString(
++                        "coyoteRequest.sendfileNotCanonical", value), e);
++            }
++            // Sendfile is performed in Tomcat's security context so need to
++            // check if the web app is permitted to access the file while still
++            // in the web app's security context
++            System.getSecurityManager().checkRead(canonicalPath);
++            // Update the value so the canonical path is used
++            value = canonicalPath;
++        }
++
+         oldValue = attributes.put(name, value);
+         if (oldValue != null) {
+             replaced = true;
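Review bot: setAttribute() can now throw SecurityException, both from the wrapped IOException and from `checkRead(canonicalPath)`, but the method's Javadoc is not updated to say so. The attribute name `"org.apache.tomcat.sendfile.filename"` is also a bare string literal here; a shared constant would keep this check in step with the code that consumes the attribute. Note that the value is rewritten to the canonical path only when `Globals.IS_SECURITY_ENABLED` is true, so downstream code sees different path forms in the two modes, which is worth a comment.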
+Index: tomcat6-6.0.32/java/org/apache/catalina/servlets/DefaultServlet.java
+===================================================================
+--- tomcat6-6.0.32.orig/java/org/apache/catalina/servlets/DefaultServlet.java	2011-01-20 12:08:54.000000000 -0500
++++ tomcat6-6.0.32/java/org/apache/catalina/servlets/DefaultServlet.java	2011-10-13 16:39:36.549356595 -0400
+@@ -1619,7 +1619,6 @@
+                 request.setAttribute("org.apache.tomcat.sendfile.start", new Long(range.start));
+                 request.setAttribute("org.apache.tomcat.sendfile.end", new Long(range.end + 1));
+             }
+-            request.setAttribute("org.apache.tomcat.sendfile.token", this);
+             return true;
+         } else {
+             return false;
+Index: tomcat6-6.0.32/java/org/apache/coyote/http11/Http11AprProcessor.java
+===================================================================
+--- tomcat6-6.0.32.orig/java/org/apache/coyote/http11/Http11AprProcessor.java	2011-01-07 12:49:20.000000000 -0500
++++ tomcat6-6.0.32/java/org/apache/coyote/http11/Http11AprProcessor.java	2011-10-13 16:39:36.549356595 -0400
+@@ -910,7 +910,18 @@
+                 sendfileData.socket = socket;
+                 sendfileData.keepAlive = keepAlive;
+                 if (!endpoint.getSendfile().add(sendfileData)) {
+-                    openSocket = true;
++                    if (sendfileData.socket == 0) {
++                        // Didn't send all the data but the socket is no longer
++                        // set. Something went wrong. Close the connection.
++                        // Too late to set status code.
++                        if (log.isDebugEnabled()) {
++                            log.debug(sm.getString(
++                                    "http11processor.sendfile.error"));
++                        }
++                        error = true;
++                    } else {
++                        openSocket = true;
++                    }
+                     break;
+                 }
+             }
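Review bot: the new error path closes the connection but reports it only under `log.isDebugEnabled()`. Since the message says the likely cause is invalid start/end request attributes, a web application triggering this will produce dropped connections with nothing in a default log. Consider logging at a higher level, possibly rate limited.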
+Index: tomcat6-6.0.32/java/org/apache/coyote/http11/LocalStrings.properties
+===================================================================
+--- tomcat6-6.0.32.orig/java/org/apache/coyote/http11/LocalStrings.properties	2009-05-02 21:29:42.000000000 -0400
++++ tomcat6-6.0.32/java/org/apache/coyote/http11/LocalStrings.properties	2011-10-13 16:39:36.549356595 -0400
+@@ -56,6 +56,7 @@
+ http11processor.socket.info=Exception getting socket information
+ http11processor.socket.ssl=Exception getting SSL attributes
+ http11processor.socket.timeout=Error setting socket timeout
++http11processor.sendfile.error=Error sending data using sendfile. May be caused by invalid request attributes for start/end points
+ 
+ #
+ # InternalInputBuffer
+Index: tomcat6-6.0.32/java/org/apache/tomcat/util/net/AprEndpoint.java
+===================================================================
+--- tomcat6-6.0.32.orig/java/org/apache/tomcat/util/net/AprEndpoint.java	2011-02-01 03:07:46.000000000 -0500
++++ tomcat6-6.0.32/java/org/apache/tomcat/util/net/AprEndpoint.java	2011-10-13 16:41:23.769359341 -0400
+@@ -1812,7 +1812,9 @@
+                                                data.pos, data.end - data.pos, 0);
+                     if (nw < 0) {
+                         if (!(-nw == Status.EAGAIN)) {
+-                            destroySocket(data.socket);
++                            Pool.destroy(data.fdpool);
++                            // No need to close socket, this will be done by
++                            // calling code since data.socket == 0
+                             data.socket = 0;
+                             return false;
+                         } else {
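Review bot: the replacement for `destroySocket(data.socket)` relies on an undocumented contract: `data.socket = 0` plus `return false` is how the caller learns it must close the socket. State that in the Javadoc of this method rather than only in the inline comment, because the caller's `sendfileData.socket == 0` test depends on it.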
+Index: tomcat6-6.0.32/java/org/apache/tomcat/util/net/NioEndpoint.java
+===================================================================
+--- tomcat6-6.0.32.orig/java/org/apache/tomcat/util/net/NioEndpoint.java	2011-01-07 13:43:39.000000000 -0500
++++ tomcat6-6.0.32/java/org/apache/tomcat/util/net/NioEndpoint.java	2011-10-13 16:39:36.553356596 -0400
+@@ -1734,6 +1734,13 @@
+                         sd.pos += written;
+                         sd.length -= written;
+                         attachment.access();
++                    } else {
++                        // Unusual not to be able to transfer any bytes
++                        // Check the length was set correctly
++                        if (sd.fchannel.size() <= sd.pos) {
++                            throw new IOException("Sendfile configured to " +
++                                    "send more data than was available");
++                        }
+                     }
+                 }
+                 if ( sd.length <= 0 && sc.getOutboundRemaining()<=0) {
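Review bot: the new length check in the `else` branch runs only after a transfer that wrote zero bytes, so a sendfile range that starts past the end of the file is detected late and by side effect. Validating `sd.pos` and `sd.length` against `sd.fchannel.size()` before the first transfer would be clearer. The IOException text is also an inline literal, whereas the rest of this patch adds its messages to LocalStrings.properties.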
+@@ -1758,6 +1765,7 @@
+                             log.debug("Send file connection is being closed");
+                         }
+                         cancelledKey(sk,SocketStatus.STOP,false);
++                        return false;
+                     }
+                 } else if ( attachment.interestOps() == 0 && reg ) {
+                     if (log.isDebugEnabled()) {

Deleted: tags/tomcat6/6.0.32-7/debian/patches/series
===================================================================
--- trunk/tomcat6/debian/patches/series	2011-11-08 14:21:37 UTC (rev 15366)
+++ tags/tomcat6/6.0.32-7/debian/patches/series	2011-11-08 19:12:41 UTC (rev 15368)
@@ -1,12 +0,0 @@
-0001-set-UTF-8-as-default-character-encoding.patch
-0002-do-not-load-AJP13-connector-by-default.patch
-0003-disable-APR-library-loading.patch
-0004-split-deploy-webapps-target-from-deploy-target.patch
-0005-change-default-DBCP-factory-class.patch
-0006-add-JARs-below-var-to-class-loader.patch
-0007-add-OSGi-headers-to-servlet-api.patch
-0008-add-OSGI-headers-to-jsp-api.patch
-0010-Use-java.security.policy-file-in-catalina.sh.patch
-0011-623242.patch
-0012-CVE-2011-2204.patch
-0013-CVE-2011-3190.patch

Copied: tags/tomcat6/6.0.32-7/debian/patches/series (from rev 15367, trunk/tomcat6/debian/patches/series)
===================================================================
--- tags/tomcat6/6.0.32-7/debian/patches/series	                        (rev 0)
+++ tags/tomcat6/6.0.32-7/debian/patches/series	2011-11-08 19:12:41 UTC (rev 15368)
@@ -0,0 +1,14 @@
+0001-set-UTF-8-as-default-character-encoding.patch
+0002-do-not-load-AJP13-connector-by-default.patch
+0003-disable-APR-library-loading.patch
+0004-split-deploy-webapps-target-from-deploy-target.patch
+0005-change-default-DBCP-factory-class.patch
+0006-add-JARs-below-var-to-class-loader.patch
+0007-add-OSGi-headers-to-servlet-api.patch
+0008-add-OSGI-headers-to-jsp-api.patch
+0010-Use-java.security.policy-file-in-catalina.sh.patch
+0011-623242.patch
+0012-CVE-2011-2204.patch
+0013-CVE-2011-3190.patch
+0014-CVE-2011-1184.patch
+0015-CVE-2011-2526.patch



