[tomcat6] 01/03: Import Debian patch 6.0.45+dfsg-1~deb7u3

Markus Koschany apo at moszumanska.debian.org
Thu Dec 1 20:42:37 UTC 2016


This is an automated email from the git hooks/post-receive script.

apo pushed a commit to annotated tag debian/6.0.45+dfsg-1_deb7u3
in repository tomcat6.

commit dacc8401d45abdb8b0c654607ed4a216937d00ff
Author: Markus Koschany <apo at debian.org>
Date:   Fri Nov 25 22:04:20 2016 +0100

    Import Debian patch 6.0.45+dfsg-1~deb7u3
---
 debian/changelog                   |  215 +++----
 debian/compat                      |    2 +-
 debian/control                     |  229 ++++----
 debian/copyright                   |    2 +-
 debian/defaults.template           |    2 -
 debian/orig-tar.sh                 |    2 +-
 debian/patches/CVE-2016-0762.patch |   85 +++
 debian/patches/CVE-2016-5018.patch |   88 +++
 debian/patches/CVE-2016-6794.patch |  141 +++++
 debian/patches/CVE-2016-6796.patch |   78 +++
 debian/patches/CVE-2016-6797.patch |  211 +++++++
 debian/patches/CVE-2016-6816.patch | 1105 ++++++++++++++++++++++++++++++++++++
 debian/patches/CVE-2016-8735.patch |   24 +
 debian/patches/series              |    7 +
 debian/rules                       |   58 +-
 debian/tomcat6.cron.daily          |   11 +-
 debian/tomcat6.init                |    7 +-
 debian/watch                       |    2 +-
 18 files changed, 2012 insertions(+), 257 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 560fcbc..5ecc7a3 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,104 +1,129 @@
-tomcat6 (6.0.45+dfsg-1) unstable; urgency=medium
+tomcat6 (6.0.45+dfsg-1~deb7u3) UNRELEASED; urgency=high
+
+  * Fixed CVE-2016-0762: The Realm implementations did not process the supplied
+    password if the supplied user name did not exist. This made a timing attack
+    possible to determine valid user names.
+  * Fixed CVE-2016-5018: A malicious web application was able to bypass
+    a configured SecurityManager via a Tomcat utility method that was
+    accessible to web applications.
+  * Fixed CVE-2016-6794: When a SecurityManager is configured, a web
+    application's ability to read system properties should be controlled by
+    the SecurityManager. Tomcat's system property replacement feature for
+    configuration files could be used by a malicious web application to bypass
+    the SecurityManager and read system properties that should not be visible.
+  * Fixed CVE-2016-6796: A malicious web application was able to bypass
+    a configured SecurityManager via manipulation of the configuration
+    parameters for the JSP Servlet.
+  * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application
+    access to global JNDI resources to those resources explicitly linked to the
+    web application. Therefore, it was possible for a web application to access
+    any global JNDI resource whether an explicit ResourceLink had been
+    configured or not.
+  * Fixed CVE-2016-6816: The code that parsed the HTTP request line permitted
+    invalid characters. This could be exploited, in conjunction with a proxy
+    that also permitted the invalid characters but with a different
+    interpretation, to inject data into the HTTP response. By manipulating the
+    HTTP response the attacker could poison a web-cache, perform an XSS attack
+    and/or obtain sensitive information from requests other then their own.
+  * Fixed CVE-2016-8735: The JmxRemoteLifecycleListener was not updated to take
+    account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations
+    using this listener remained vulnerable to a similar remote code execution
+    vulnerability.
+  * CVE-2016-1240 follow-up:
+    - The previous init.d fix was vulnerable to a race condition that could
+      be exploited to make any existing file writable by the tomcat user.
+      Thanks to Paul Szabo for the report and the fix.
+    - The catalina.policy file generated on startup was affected by a similar
+      vulnerability that could be exploited to overwrite any file on the system.
+      Thanks to Paul Szabo for the report.
+  * Hardened the init.d script, thanks to Paul Szabo
+
+ -- Markus Koschany <apo at debian.org>  Fri, 25 Nov 2016 22:04:20 +0100
+
+tomcat6 (6.0.45+dfsg-1~deb7u2) wheezy-security; urgency=high
 
   * Team upload.
-  * Imported Upstream version 6.0.45+dfsg.
-    - Remove all prebuilt jar files.
-  * Declare compliance with Debian Policy 3.9.7.
-  * Vcs-fields: Use https.
-  * This update fixes the following security vulnerabilities in the source
-    package. Since src:tomcat6 only builds libservlet2.5-java and
-    documentation, users are not directly affected.
-    - CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
-    - CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
-      processes redirects before considering security constraints and Filters.
-    - CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
-      org.apache.catalina.manager.StatusManagerServlet on the
-      org/apache/catalina/core/RestrictedServlets.properties list which allows
-      remote authenticated users to bypass intended SecurityManager
-      restrictions.
-    - CVE-2016-0714: The session-persistence implementation in Apache Tomcat
-      before 6.0.45 mishandles session attributes, which allows remote
-      authenticated users to bypass intended SecurityManager restrictions.
-    - CVE-2016-0763: The setGlobalContext method in
-      org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
-      not consider whether ResourceLinkFactory.setGlobalContext callers are
-      authorized, which allows remote authenticated users to bypass intended
-      SecurityManager restrictions and read or write to arbitrary application
-      data, or cause a denial of service (application disruption), via a web
-      application that sets a crafted global context.
-    - CVE-2015-5351: The Manager and Host Manager applications in
-      Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
-      requests, which allows remote attackers to bypass a CSRF protection
-      mechanism by using a token.
-
- -- Markus Koschany <apo at debian.org>  Sat, 27 Feb 2016 19:32:00 +0100
-
-tomcat6 (6.0.41-4) unstable; urgency=medium
-
-  * Removed the timstamp from the Javadoc of the Servlet API
-    to make the build reproducible
-
- -- Emmanuel Bourg <ebourg at apache.org>  Wed, 06 May 2015 09:35:37 +0200
-
-tomcat6 (6.0.41-3) unstable; urgency=medium
-
-  * Build only the libservlet2.5-java and libservlet2.5-java-doc packages.
-    Tomcat 6 will not be supported in Jessie, but the Servlet API is still
-    useful as a build dependency for other packages.
-  * Standards-Version updated to 3.9.6 (no changes)
-
- -- Emmanuel Bourg <ebourg at apache.org>  Wed, 22 Oct 2014 09:48:54 +0200
-
-tomcat6 (6.0.41-2) unstable; urgency=medium
-
-  [ Emmanuel Bourg ]
-  * Updated the version required for libtcnative-1 (>= 1.1.30)
+  * Fix CVE-2016-1240:
+    tomcat6.init: Protect /var/log/tomcat6/catalina.out against symlink
+    attacks and a possible root privilege escalation.
 
-  [ tony mancill ]
-  * Add patch for logfile compression. (Closes: #682955)
-    - Thank you to Thijs Kinkhorst.
-
- -- tony mancill <tmancill at debian.org>  Sun, 24 Aug 2014 13:52:40 -0700
-
-tomcat6 (6.0.41-1) unstable; urgency=medium
-
-  * New upstream release.
-    - Refreshed the patches
-
- -- Emmanuel Bourg <ebourg at apache.org>  Thu, 22 May 2014 10:03:04 +0200
-
-tomcat6 (6.0.39-1) unstable; urgency=medium
-
-  * Team upload.
-  * New upstream release.
-    - Refreshed the patches
-  * Standards-Version updated to 3.9.5 (no changes)
-  * Switch to debhelper level 9
-  * Use XZ compression for the upstream tarball
-  * Use canonical URL for the Vcs-Git field
-
- -- Emmanuel Bourg <ebourg at apache.org>  Mon, 17 Feb 2014 00:02:00 +0100
-
-tomcat6 (6.0.37-1) unstable; urgency=low
+ -- Markus Koschany <apo at debian.org>  Thu, 15 Sep 2016 15:41:21 +0200
 
-  * New upstream release.
-    - Drop patches for CVE-2012-4534, CVE-2012-4431, CVE-2012-3546,
-      CVE-2012-2733, CVE-2012-3439
-    - Drop 0011-CVE-02012-0022-regression-fix.patch
-    - Drop 0017-eclipse-compiler-update.patch
-  * Freshened remaining patches.
-
- -- tony mancill <tmancill at debian.org>  Sat, 03 Aug 2013 21:50:20 -0700
-
-tomcat6 (6.0.35-7) unstable; urgency=low
+tomcat6 (6.0.45+dfsg-1~deb7u1) wheezy-security; urgency=high
 
   * Team upload.
-  * Fixed the watch file
-  * Fix FTBFS with ecj 3.8 (closes: #717279, #713796) 
-  * Updated the standards version to 3.9.4 - no changes
-  * Updated the Vcs-Git field to the canonical url
-
- -- Stephen Nelson <stephen at eccostudio.com>  Tue, 30 Jul 2013 23:07:18 +0100
+  * The full list of changes between 6.0.35 (the version previously available
+    in Wheezy) and 6.0.45 can be seen in the upstream changelog, which is
+    available online at http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
+  * This update fixes the following security issues:
+    - CVE-2014-0033: prevent remote attackers from conducting session
+      fixation attacks via crafted URLs.
+    - CVE-2014-0119: Fix not properly constraining class loader that accesses
+      the XML parser used with an XSLT stylesheet which allowed remote
+      attackers to read arbitrary files via crafted web applications.
+    - CVE-2014-0099: Fix integer overflow in
+      java/org/apache/tomcat/util/buf/Ascii.java.
+    - CVE-2014-0096: Properly restrict XSLT stylesheets that allowed remote
+      attackers to bypass security-manager restrictions.
+    - CVE-2014-0075: Fix integer overflow in the parseChunkHeader function in
+      java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.
+    - CVE-2013-4590: prevent "Tomcat internals" information leaks.
+    - CVE-2013-4322: prevent remote attackers from doing denial of service
+      attacks.
+    - CVE-2013-4286: reject requests with multiple content-length headers or
+      with a content-length header when chunked encoding is being used.
+    - Avoid CVE-2013-1571 when generating Javadoc.
+  * CVE-2014-0227.patch:
+    - Add error flag to allow subsequent attempts at reading after an error to
+      fail fast.
+  * CVE-2014-0230: Add support for maxSwallowSize.
+  * CVE-2014-7810:
+    - Fix potential BeanELResolver issue when running under a security manager.
+      Some classes may not be accessible but may have accessible interfaces.
+  * CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java.
+  * CVE-2015-5345: The Mapper component in Apache Tomcat before 6.0.45
+    processes redirects before considering security constraints and Filters.
+  * CVE-2016-0706: Apache Tomcat before 6.0.45 does not place
+    org.apache.catalina.manager.StatusManagerServlet on the
+    org/apache/catalina/core/RestrictedServlets.properties list which allows
+    remote authenticated users to bypass intended SecurityManager
+    restrictions.
+  * CVE-2016-0714: The session-persistence implementation in Apache Tomcat
+    before 6.0.45 mishandles session attributes, which allows remote
+    authenticated users to bypass intended SecurityManager restrictions.
+  * CVE-2016-0763: The setGlobalContext method in
+    org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
+    not consider whether ResourceLinkFactory.setGlobalContext callers are
+    authorized, which allows remote authenticated users to bypass intended
+    SecurityManager restrictions and read or write to arbitrary application
+    data, or cause a denial of service (application disruption), via a web
+    application that sets a crafted global context.
+  * CVE-2015-5351: The Manager and Host Manager applications in
+    Apache Tomcat establish sessions and send CSRF tokens for arbitrary new
+    requests, which allows remote attackers to bypass a CSRF protection
+    mechanism by using a token.
+  * Drop the following patches. Applied upstream.
+    - 0011-CVE-2012-0022-regression-fix.patch
+    - 0012-CVE-2012-3544.patch
+    - 0014-CVE-2012-4534.patch
+    - 0015-CVE-2012-4431.patch
+    - 0016-CVE-2012-3546.patch
+    - 0017-CVE-2013-2067.patch
+    - cve-2012-2733.patch
+    - cve-2012-3439.patch
+    - CVE-2014-0227.patch
+    - CVE-2014-0230.patch
+    - CVE-2014-7810-1.patch
+    - CVE-2014-7810-2.patch
+    - 0011-Fix-for-NoSuchElementException-when-an-attribute-has.patch
+
+ -- Markus Koschany <apo at debian.org>  Wed, 16 Mar 2016 14:08:48 +0100
+
+tomcat6 (6.0.35-6+deb7u1) stable-security; urgency=low
+
+  * CVE-2012-3544, CVE-2013-2067
+
+ -- Moritz Mühlenhoff <jmm at debian.org>  Thu, 18 Jul 2013 00:00:35 +0200
 
 tomcat6 (6.0.35-6) unstable; urgency=high
 
diff --git a/debian/compat b/debian/compat
index ec63514..7f8f011 100644
--- a/debian/compat
+++ b/debian/compat
@@ -1 +1 @@
-9
+7
diff --git a/debian/control b/debian/control
index 2876bad..bb9e632 100644
--- a/debian/control
+++ b/debian/control
@@ -6,90 +6,89 @@ Uploaders: Torsten Werner <twerner at debian.org>,
  Ludovic Claude <ludovic.claude at laposte.net>,
  Damien Raude-Morvan <drazzib at debian.org>,
  Miguel Landaeta <miguel at miguel.cc>,
- tony mancill <tmancill at debian.org>,
- Emmanuel Bourg <ebourg at apache.org>
-Build-Depends: default-jdk, ant-optional, debhelper (>= 9), po-debconf
+ tony mancill <tmancill at debian.org>
+Build-Depends: default-jdk, ant-optional, debhelper (>= 7), po-debconf
 Build-Depends-Indep: maven-repo-helper (>> 1.0.1), libecj-java
-Standards-Version: 3.9.7
-Vcs-Git: https://anonscm.debian.org/git/pkg-java/tomcat6.git
-Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/tomcat6.git
+Standards-Version: 3.9.3
 Homepage: http://tomcat.apache.org
+Vcs-Git: git://git.debian.org/git/pkg-java/tomcat6.git
+Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-java/tomcat6.git
 
-#Package: tomcat6-common
-#Architecture: all
-#Depends: libtomcat6-java (>= ${source:Version}), ${misc:Depends},
-# default-jre-headless | java7-runtime-headless | java7-runtime | java6-runtime-headless | java6-runtime | java5-runtime
-#Description: Servlet and JSP engine -- common files
-# Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
-# specifications from Sun Microsystems, and provides a "pure Java" HTTP web
-# server environment for Java code to run.
-# .
-# This package contains common files needed by the tomcat6 and tomcat6-user
-# packages (Tomcat 6 scripts and libraries).
+Package: tomcat6-common
+Architecture: all
+Depends: libtomcat6-java (>= ${source:Version}), ${misc:Depends},
+ default-jre-headless | java7-runtime-headless | java7-runtime | java6-runtime-headless | java6-runtime | java5-runtime
+Description: Servlet and JSP engine -- common files
+ Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
+ specifications from Sun Microsystems, and provides a "pure Java" HTTP web
+ server environment for Java code to run.
+ .
+ This package contains common files needed by the tomcat6 and tomcat6-user
+ packages (Tomcat 6 scripts and libraries). 
 
-#Package: tomcat6
-#Architecture: all
-#Depends: tomcat6-common (>= ${source:Version}), ucf,
-# adduser, ${misc:Depends}
-#Recommends: authbind
-#Suggests: tomcat6-docs (>= ${source:Version}),
-# tomcat6-admin (>= ${source:Version}),
-# tomcat6-examples (>= ${source:Version}),
-# tomcat6-user (>= ${source:Version}),
-# libtcnative-1 (>= 1.1.30)
-#Description: Servlet and JSP engine
-# Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
-# specifications from Sun Microsystems, and provides a "pure Java" HTTP web
-# server environment for Java code to run.
-# .
-# This package contains only the startup scripts for the system-wide daemon.
-# No documentation or web applications are included here, please install
-# the tomcat6-docs and tomcat6-examples packages if you want them.
-# Install the authbind package if you need to use Tomcat on ports 1-1023.
-# Install tomcat6-user instead of this package if you don't want Tomcat to
-# start as a service.
+Package: tomcat6
+Architecture: all
+Depends: tomcat6-common (>= ${source:Version}), ucf,
+ adduser, ${misc:Depends}
+Recommends: authbind
+Suggests: tomcat6-docs (>= ${source:Version}),
+ tomcat6-admin (>= ${source:Version}),
+ tomcat6-examples (>= ${source:Version}),
+ tomcat6-user (>= ${source:Version}),
+ libtcnative-1
+Description: Servlet and JSP engine
+ Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
+ specifications from Sun Microsystems, and provides a "pure Java" HTTP web
+ server environment for Java code to run.
+ .
+ This package contains only the startup scripts for the system-wide daemon.
+ No documentation or web applications are included here, please install
+ the tomcat6-docs and tomcat6-examples packages if you want them.
+ Install the authbind package if you need to use Tomcat on ports 1-1023.
+ Install tomcat6-user instead of this package if you don't want Tomcat to
+ start as a service.
 
-#Package: tomcat6-user
-#Architecture: all
-#Depends: tomcat6-common (>= ${source:Version}), netcat, ${misc:Depends}
-#Suggests: tomcat6-docs (>= ${source:Version}),
-# tomcat6-admin (>= ${source:Version}),
-# tomcat6-examples (>= ${source:Version}),
-# tomcat6 (>= ${source:Version})
-#Description: Servlet and JSP engine -- tools to create user instances
-# Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
-# specifications from Sun Microsystems, and provides a "pure Java" HTTP web
-# server environment for Java code to run.
-# .
-# This package contains files needed to create a user Tomcat instance.
-# This user Tomcat instance can be started and stopped using the scripts
-# provided in the Tomcat instance directory.
+Package: tomcat6-user
+Architecture: all
+Depends: tomcat6-common (>= ${source:Version}), netcat, ${misc:Depends}
+Suggests: tomcat6-docs (>= ${source:Version}),
+ tomcat6-admin (>= ${source:Version}),
+ tomcat6-examples (>= ${source:Version}),
+ tomcat6 (>= ${source:Version})
+Description: Servlet and JSP engine -- tools to create user instances
+ Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
+ specifications from Sun Microsystems, and provides a "pure Java" HTTP web
+ server environment for Java code to run.
+ .
+ This package contains files needed to create a user Tomcat instance.
+ This user Tomcat instance can be started and stopped using the scripts
+ provided in the Tomcat instance directory.
 
-#Package: libtomcat6-java
-#Architecture: all
-#Depends: libecj-java,
-#         libcommons-dbcp-java,
-#         libcommons-pool-java,
-#         libservlet2.5-java (>= ${source:Version}), ${misc:Depends}
-#Suggests: tomcat6 (>= ${source:Version})
-#Conflicts: tomcat6-common (<< 6.0.20-5)
-#Description: Servlet and JSP engine -- core libraries
-# Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
-# specifications from Sun Microsystems, and provides a "pure Java" HTTP web
-# server environment for Java code to run.
-# .
-# This package contains the Tomcat core classes which can be used by other
-# Java applications to embed Tomcat.
+Package: libtomcat6-java
+Architecture: all
+Depends: libecj-java,
+         libcommons-dbcp-java,
+         libcommons-pool-java,
+         libservlet2.5-java (>= ${source:Version}), ${misc:Depends}
+Suggests: tomcat6 (>= ${source:Version})
+Conflicts: tomcat6-common (<< 6.0.20-5)
+Description: Servlet and JSP engine -- core libraries
+ Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
+ specifications from Sun Microsystems, and provides a "pure Java" HTTP web
+ server environment for Java code to run.
+ .
+ This package contains the Tomcat core classes which can be used by other
+ Java applications to embed Tomcat.
 
-#Package: libservlet2.4-java
-#Section: oldlibs
-#Priority: extra
-#Architecture: all
-#Depends: ${misc:Depends}, libservlet2.5-java
-#Description: Transitional package for libservlet2.5-java
-# This is a transitional package to facilitate upgrading from
-# libservlet2.4-java to libservlet2.5-java, and can be safely
-# removed after the installation is complete.
+Package: libservlet2.4-java
+Section: oldlibs
+Priority: extra
+Architecture: all
+Depends: ${misc:Depends}, libservlet2.5-java
+Description: Transitional package for libservlet2.5-java
+ This is a transitional package to facilitate upgrading from
+ libservlet2.4-java to libservlet2.5-java, and can be safely
+ removed after the installation is complete.
 
 Package: libservlet2.5-java
 Architecture: all
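Review bot: The new `Vcs-Git` value uses the unauthenticated `git://` transport and `Vcs-Browser` uses plain `http://`, so a clone made from these fields has no server authentication or transport integrity for the packaging of a security update. The lines this hunk removes already pointed at the TLS endpoints; keeping `Vcs-Git: https://anonscm.debian.org/git/pkg-java/tomcat6.git` and `Vcs-Browser: https://anonscm.debian.org/cgit/pkg-java/tomcat6.git` would preserve that. The hunk also drops the `(>= 1.1.30)` floor on `libtcnative-1` in `Suggests`, which is worth confirming as intended for this suite.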
@@ -114,44 +113,44 @@ Description: Servlet 2.5 and JSP 2.1 Java API documentation
  .
  This package contains the documentation for the Java Servlet and JSP library.
 
-#Package: tomcat6-admin
-#Architecture: all
-#Depends: tomcat6-common (>= ${source:Version}), ${misc:Depends}
-#Description: Servlet and JSP engine -- admin web applications
-# Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
-# specifications from Sun Microsystems, and provides a "pure Java" HTTP web
-# server environment for Java code to run.
-# .
-# This package contains the administrative web interfaces.
+Package: tomcat6-admin
+Architecture: all
+Depends: tomcat6-common (>= ${source:Version}), ${misc:Depends}
+Description: Servlet and JSP engine -- admin web applications
+ Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
+ specifications from Sun Microsystems, and provides a "pure Java" HTTP web
+ server environment for Java code to run.
+ .
+ This package contains the administrative web interfaces.
 
-#Package: tomcat6-examples
-#Architecture: all
-#Depends: tomcat6-common (>= ${source:Version}), ${misc:Depends}
-#Description: Servlet and JSP engine -- example web applications
-# Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
-# specifications from Sun Microsystems, and provides a "pure Java" HTTP web
-# server environment for Java code to run.
-# .
-# This package contains the default Tomcat example webapps.
+Package: tomcat6-examples
+Architecture: all
+Depends: tomcat6-common (>= ${source:Version}), ${misc:Depends}
+Description: Servlet and JSP engine -- example web applications
+ Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
+ specifications from Sun Microsystems, and provides a "pure Java" HTTP web
+ server environment for Java code to run.
+ .
+ This package contains the default Tomcat example webapps.
 
-#Package: tomcat6-docs
-#Section: doc
-#Architecture: all
-#Depends: tomcat6-common (>= ${source:Version}), ${misc:Depends}
-#Description: Servlet and JSP engine -- documentation
-# Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
-# specifications from Sun Microsystems, and provides a "pure Java" HTTP web
-# server environment for Java code to run.
-# .
-# This package contains the online documentation web application.
+Package: tomcat6-docs
+Section: doc
+Architecture: all
+Depends: tomcat6-common (>= ${source:Version}), ${misc:Depends}
+Description: Servlet and JSP engine -- documentation
+ Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
+ specifications from Sun Microsystems, and provides a "pure Java" HTTP web
+ server environment for Java code to run.
+ .
+ This package contains the online documentation web application.
 
-#Package: tomcat6-extras
-#Architecture: all
-#Depends: tomcat6-common (>= ${source:Version}), ${misc:Depends}
-#Description: Servlet and JSP engine -- additional components
-# Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
-# specifications from Sun Microsystems, and provides a "pure Java" HTTP web
-# server environment for Java code to run.
-# .
-# This package contains additional ("extra") component libraries.
-# (Currently only catalina-jmx-remote.jar.)
+Package: tomcat6-extras
+Architecture: all
+Depends: tomcat6-common (>= ${source:Version}), ${misc:Depends}
+Description: Servlet and JSP engine -- additional components
+ Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
+ specifications from Sun Microsystems, and provides a "pure Java" HTTP web
+ server environment for Java code to run.
+ .
+ This package contains additional ("extra") component libraries.
+ (Currently only catalina-jmx-remote.jar.)
diff --git a/debian/copyright b/debian/copyright
index c9cb78a..12448db 100644
--- a/debian/copyright
+++ b/debian/copyright
@@ -9,7 +9,7 @@ on Tomcat 5.5 and initial packaging by David Pashley <david at davidpashley.com>.
 It was downloaded from http://tomcat.apache.org
 
 Copyright: 
-  Copyright (C) 2000-2014, The Apache Software Foundation.
+  Copyright (C) 2000-2007 Apache Software Foundation.
   Copyright (C) International Business Machines Corporation 2002
 
 Authors:
diff --git a/debian/defaults.template b/debian/defaults.template
index 3ef3280..416312c 100644
--- a/debian/defaults.template
+++ b/debian/defaults.template
@@ -33,8 +33,6 @@ JAVA_OPTS="-Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC"
 
 # Number of days to keep logfiles in /var/log/tomcat6. Default is 14 days.
 #LOGFILE_DAYS=14
-# Whether to compress logfiles older than today's
-#LOGFILE_COMPRESS=1
 
 # Location of the JVM temporary directory
 # WARNING: This directory will be destroyed and recreated at every startup !
diff --git a/debian/orig-tar.sh b/debian/orig-tar.sh
index 22b8732..0dea910 100755
--- a/debian/orig-tar.sh
+++ b/debian/orig-tar.sh
@@ -6,7 +6,7 @@ DIR=tomcat6-$VERSION
 TAG=$(echo TOMCAT_$VERSION | sed -e 's/\./_/g')
 
 svn export http://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/$TAG $DIR
-tar -c -J -f $TAR --exclude 'standard.jar' --exclude 'jstl.jar' $DIR
+tar -c -z -f $TAR --exclude 'standard.jar' --exclude 'jstl.jar' $DIR
 rm -rf $DIR ../$TAG
 
 # move to directory 'tarballs'
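Review bot: The `svn export` on the context line fetches the upstream tree over plain `http://`, and nothing visible in this hunk checks a checksum or signature before the tree is packed into `$TAR`, so the orig tarball inherits whatever the network delivered. Using the TLS endpoint, `svn export https://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/$TAG "$DIR"`, closes the simplest tampering path. The changed `tar` line and the `rm -rf $DIR ../$TAG` after it also expand `$TAR`, `$DIR` and `$TAG` unquoted; `tar -c -z -f "$TAR" --exclude 'standard.jar' --exclude 'jstl.jar' "$DIR"` is safer, and the `rm -rf` operands deserve the same quoting. The script continues outside the hunk.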
diff --git a/debian/patches/CVE-2016-0762.patch b/debian/patches/CVE-2016-0762.patch
new file mode 100644
index 0000000..1bd0052
--- /dev/null
+++ b/debian/patches/CVE-2016-0762.patch
@@ -0,0 +1,85 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 7 Nov 2016 13:38:38 +0100
+Subject: CVE-2016-0762
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1758506
+---
+ java/org/apache/catalina/realm/MemoryRealm.java | 30 +++++++++++++++----------
+ java/org/apache/catalina/realm/RealmBase.java   | 14 +++++++-----
+ 2 files changed, 27 insertions(+), 17 deletions(-)
+
+diff --git a/java/org/apache/catalina/realm/MemoryRealm.java b/java/org/apache/catalina/realm/MemoryRealm.java
+index 56bc970..8e6bf68 100644
+--- a/java/org/apache/catalina/realm/MemoryRealm.java
++++ b/java/org/apache/catalina/realm/MemoryRealm.java
+@@ -142,23 +142,29 @@ public class MemoryRealm  extends RealmBase {
+      * @param credentials Password or other credentials to use in
+      *  authenticating this username
+      */
++    @Override
+     public Principal authenticate(String username, String credentials) {
+ 
+-        GenericPrincipal principal =
+-            (GenericPrincipal) principals.get(username);
++        // No user or no credentials
++        // Can't possibly authenticate, don't bother the database then
++        if (username == null || credentials == null) {
++            return null;
++        }
++        
++        GenericPrincipal principal = principals.get(username);
+ 
+         boolean validated = false;
+-        if (principal != null && credentials != null) {
+-            if (hasMessageDigest()) {
+-                // Hex hashes should be compared case-insensitive
+-                validated = (digest(credentials)
+-                             .equalsIgnoreCase(principal.getPassword()));
+-            } else {
+-                validated =
+-                    (digest(credentials).equals(principal.getPassword()));
+-            }
++        String dbCredentials = null;
++        if (principal != null) {
++            dbCredentials = principal.getPassword();
+         }
+-
++        if (hasMessageDigest()) {
++            // Hex hashes should be compared case-insensitive
++            validated = (digest(credentials).equalsIgnoreCase(dbCredentials));
++        } else {
++            validated = (digest(credentials).equals(dbCredentials));
++        }
++    
+         if (validated) {
+             if (log.isDebugEnabled())
+                 log.debug(sm.getString("memoryRealm.authenticateSuccess", username));
+diff --git a/java/org/apache/catalina/realm/RealmBase.java b/java/org/apache/catalina/realm/RealmBase.java
+index 4f7c27f..cd62bf4 100644
+--- a/java/org/apache/catalina/realm/RealmBase.java
++++ b/java/org/apache/catalina/realm/RealmBase.java
+@@ -336,15 +336,19 @@ public abstract class RealmBase
+      */
+     public Principal authenticate(String username, String credentials) {
+ 
++        // No user or no credentials
++        // Can't possibly authenticate, don't bother the database then
++        if (username == null || credentials == null) {
++            return null;
++        }
++
+         String serverCredentials = getPassword(username);
+ 
+         boolean validated ;
+-        if ( serverCredentials == null ) {
+-            validated = false;
+-        } else if(hasMessageDigest()) {
+-            validated = serverCredentials.equalsIgnoreCase(digest(credentials));
++        if(hasMessageDigest()) {
++            validated = digest(credentials).equalsIgnoreCase(serverCredentials);
+         } else {
+-            validated = serverCredentials.equals(credentials);
++            validated = credentials.equals(serverCredentials);
+         }
+         if(! validated ) {
+             if (containerLog.isTraceEnabled()) {
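Review bot: The comparisons that remain in both `authenticate` methods (`digest(credentials).equalsIgnoreCase(dbCredentials)` in `MemoryRealm`, `credentials.equals(serverCredentials)` in `RealmBase`) are ordinary `String` comparisons, which return immediately for a `null` argument and at the first difference otherwise, so the unknown-user path is lengthened but not made equal-time. When a message digest is configured that residual difference is probably dominated by the digest cost, but the non-digest branch of `RealmBase` does no hashing at all. A comment above each comparison would record the limit of the fix, for example `// Not constant-time: this only removes the early exit for unknown users`. The inner patch header carries only `Subject` and `Origin`; a one-line description of the timing issue would help whoever audits the quilt series later. Both method bodies continue outside the inner hunks.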
diff --git a/debian/patches/CVE-2016-5018.patch b/debian/patches/CVE-2016-5018.patch
new file mode 100644
index 0000000..5d5d709
--- /dev/null
+++ b/debian/patches/CVE-2016-5018.patch
@@ -0,0 +1,88 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 7 Nov 2016 13:31:22 +0100
+Subject: CVE-2016-5018
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1754904
+---
+ .../apache/jasper/runtime/JspRuntimeLibrary.java   | 54 +---------------------
+ 1 file changed, 1 insertion(+), 53 deletions(-)
+
+diff --git a/java/org/apache/jasper/runtime/JspRuntimeLibrary.java b/java/org/apache/jasper/runtime/JspRuntimeLibrary.java
+index 02d21dd..bdc769f 100644
+--- a/java/org/apache/jasper/runtime/JspRuntimeLibrary.java
++++ b/java/org/apache/jasper/runtime/JspRuntimeLibrary.java
+@@ -14,7 +14,6 @@
+  * See the License for the specific language governing permissions and
+  * limitations under the License.
+  */
+-
+ package org.apache.jasper.runtime;
+ 
+ import java.beans.PropertyEditor;
+@@ -60,35 +59,6 @@ public class JspRuntimeLibrary {
+     private static final String JSP_EXCEPTION
+ 	= "javax.servlet.jsp.jspException";
+ 
+-    protected static class PrivilegedIntrospectHelper
+-	implements PrivilegedExceptionAction {
+-
+-	private Object bean;
+-	private String prop;
+-	private String value;
+-	private ServletRequest request;
+-	private String param;
+-	private boolean ignoreMethodNF;
+-
+-        PrivilegedIntrospectHelper(Object bean, String prop,
+-                                   String value, ServletRequest request,
+-                                   String param, boolean ignoreMethodNF)
+-        {
+-	    this.bean = bean;
+-	    this.prop = prop;
+-	    this.value = value;
+-            this.request = request;
+-	    this.param = param;
+-	    this.ignoreMethodNF = ignoreMethodNF;
+-        }
+-         
+-        public Object run() throws JasperException {
+-	    internalIntrospecthelper(
+-                bean,prop,value,request,param,ignoreMethodNF);
+-            return null;
+-        }
+-    }
+-
+     /**
+      * Returns the value of the javax.servlet.error.exception request
+      * attribute value, if present, otherwise the value of the
+@@ -292,29 +262,7 @@ public class JspRuntimeLibrary {
+     public static void introspecthelper(Object bean, String prop,
+                                         String value, ServletRequest request,
+                                         String param, boolean ignoreMethodNF)
+-                                        throws JasperException
+-    {
+-        if( Constants.IS_SECURITY_ENABLED ) {
+-            try {
+-                PrivilegedIntrospectHelper dp =
+-		    new PrivilegedIntrospectHelper(
+-			bean,prop,value,request,param,ignoreMethodNF);
+-                AccessController.doPrivileged(dp);
+-            } catch( PrivilegedActionException pe) {
+-                Exception e = pe.getException();
+-                throw (JasperException)e;
+-            }
+-        } else {
+-            internalIntrospecthelper(
+-		bean,prop,value,request,param,ignoreMethodNF);
+-        }
+-    }
+-
+-    private static void internalIntrospecthelper(Object bean, String prop,
+-					String value, ServletRequest request,
+-					String param, boolean ignoreMethodNF) 
+-					throws JasperException
+-    {
++                                        throws JasperException {
+         Method method = null;
+         Class type = null;
+         Class propertyEditorClass = null;
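Review bot: With `PrivilegedIntrospectHelper` and the `AccessController.doPrivileged` call removed, `introspecthelper` presumably now runs with the calling web application's own permissions. Any JSP that relied on the privileged path for bean introspection under a SecurityManager may therefore start failing with an access-control error after this update. Neither the patch header nor the changelog entry mentions that behaviour change; a sentence in the patch description, and ideally in NEWS, would warn administrators who run with a SecurityManager. The imports for `AccessController`, `PrivilegedActionException` and `PrivilegedExceptionAction` are not visible in these hunks and may now be unused in `JspRuntimeLibrary.java`, which is worth checking. The method body continues outside the last inner hunk.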
diff --git a/debian/patches/CVE-2016-6794.patch b/debian/patches/CVE-2016-6794.patch
new file mode 100644
index 0000000..5ad88e7
--- /dev/null
+++ b/debian/patches/CVE-2016-6794.patch
@@ -0,0 +1,141 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 7 Nov 2016 12:36:03 +0100
+Subject: CVE-2016-6794
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1754733
+---
+ .../apache/catalina/loader/WebappClassLoader.java  | 27 ++++++++++++--
+ java/org/apache/tomcat/util/digester/Digester.java | 10 +++++
+ .../tomcat/util/security/PermissionCheck.java      | 43 ++++++++++++++++++++++
+ 3 files changed, 76 insertions(+), 4 deletions(-)
+ create mode 100644 java/org/apache/tomcat/util/security/PermissionCheck.java
+
+diff --git a/java/org/apache/catalina/loader/WebappClassLoader.java b/java/org/apache/catalina/loader/WebappClassLoader.java
+index 528d906..dab7299 100644
+--- a/java/org/apache/catalina/loader/WebappClassLoader.java
++++ b/java/org/apache/catalina/loader/WebappClassLoader.java
+@@ -74,6 +74,7 @@ import org.apache.naming.resources.ProxyDirContext;
+ import org.apache.naming.resources.Resource;
+ import org.apache.naming.resources.ResourceAttributes;
+ import org.apache.tomcat.util.IntrospectionUtils;
++import org.apache.tomcat.util.security.PermissionCheck;
+ 
+ /**
+  * Specialized web application class loader.
+@@ -112,10 +113,8 @@ import org.apache.tomcat.util.IntrospectionUtils;
+  * @author Craig R. McClanahan
+  *
+  */
+-public class WebappClassLoader
+-    extends URLClassLoader
+-    implements Reloader, Lifecycle
+- {
++public class WebappClassLoader extends URLClassLoader
++    implements Reloader, Lifecycle, PermissionCheck {
+ 
+     protected static org.apache.juli.logging.Log log=
+         org.apache.juli.logging.LogFactory.getLog( WebappClassLoader.class );
+@@ -1711,6 +1710,26 @@ public class WebappClassLoader
+ 
+     }
+ 
++    public boolean check(Permission permission) {
++        if (!Globals.IS_SECURITY_ENABLED) {
++            return true;
++        }
++        Policy currentPolicy = Policy.getPolicy();
++        if (currentPolicy != null) {
++            ResourceEntry entry = findResourceInternal("/", "/");
++            if (entry != null) {
++                CodeSource cs = new CodeSource(
++                        entry.codeBase, (java.security.cert.Certificate[]) null);
++                PermissionCollection pc = currentPolicy.getPermissions(cs);
++                if (pc.implies(permission)) {
++                    return true;
++                }
++            }
++        }
++        return false;
++
++    }
++
+ 
+     /**
+      * Returns the search path of URLs for loading classes and resources.
+diff --git a/java/org/apache/tomcat/util/digester/Digester.java b/java/org/apache/tomcat/util/digester/Digester.java
+index ffae93f..afa8f6a 100644
+--- a/java/org/apache/tomcat/util/digester/Digester.java
++++ b/java/org/apache/tomcat/util/digester/Digester.java
+@@ -52,6 +52,9 @@ import org.xml.sax.SAXParseException;
+ import org.xml.sax.XMLReader;
+ import org.xml.sax.ext.DefaultHandler2;
+ import org.xml.sax.helpers.AttributesImpl;
++import java.security.Permission;
++import java.util.PropertyPermission;
++import org.apache.tomcat.util.security.PermissionCheck;
+ 
+ 
+ /**
+@@ -80,6 +83,13 @@ public class Digester extends DefaultHandler2 {
+     private static class SystemPropertySource
+         implements IntrospectionUtils.PropertySource {
+         public String getProperty( String key ) {
++            ClassLoader cl = Thread.currentThread().getContextClassLoader();
++            if (cl instanceof PermissionCheck) {
++                Permission p = new PropertyPermission(key, "read");
++                if (!((PermissionCheck) cl).check(p)) {
++                    return null;
++                }
++            }
+             return System.getProperty(key);
+         }
+     }
+diff --git a/java/org/apache/tomcat/util/security/PermissionCheck.java b/java/org/apache/tomcat/util/security/PermissionCheck.java
+new file mode 100644
+index 0000000..ba2bdd3
+--- /dev/null
++++ b/java/org/apache/tomcat/util/security/PermissionCheck.java
+@@ -0,0 +1,43 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements.  See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License.  You may obtain a copy of the License at
++ *
++ *      http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.tomcat.util.security;
++
++import java.security.Permission;
++
++/**
++ * This interface is implemented by components to enable privileged code to
++ * check whether the component has a given permission.
++ * This is typically used when a privileged component (e.g. the container) is
++ * performing an action on behalf of an untrusted component (e.g. a web
++ * application) without the current thread having passed through a code source
++ * provided by the untrusted component. Because the current thread has not
++ * passed through a code source provided by the untrusted component the
++ * SecurityManager assumes the code is trusted so the standard checking
++ * mechanisms can't be used.
++ */
++public interface PermissionCheck {
++
++    /**
++     * Does this component have the given permission?
++     *
++     * @param permission The permission to test
++     *
++     * @return {@code false} if a SecurityManager is enabled and the component
++     *         does not have the given permission, otherwise {@code false}
++     */
++    boolean check(Permission permission);
++}
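Review bot: The `@return` text on `PermissionCheck.check` names `{@code false}` for both outcomes, so the Javadoc never says when the method returns true. The `WebappClassLoader.check` implementation added earlier in this patch returns `true` when `Globals.IS_SECURITY_ENABLED` is off or when the policy's permission collection implies the permission, so the tail of the sentence should read `otherwise {@code true}`. That `check(Permission)` implementation is also added without any Javadoc. One sentence would do: it evaluates the permission against the current `Policy` for a `CodeSource` built from `entry.codeBase`, and returns `false` when there is no policy or no resource entry. That would make the deny-by-default result explicit for the new caller in `Digester.SystemPropertySource.getProperty`.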
diff --git a/debian/patches/CVE-2016-6796.patch b/debian/patches/CVE-2016-6796.patch
new file mode 100644
index 0000000..1c0668a
--- /dev/null
+++ b/debian/patches/CVE-2016-6796.patch
@@ -0,0 +1,78 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 7 Nov 2016 12:54:08 +0100
+Subject: CVE-2016-6796
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1758496
+---
+ conf/web.xml                                             | 4 ++++
+ java/org/apache/jasper/EmbeddedServletOptions.java       | 4 ++++
+ java/org/apache/jasper/resources/LocalStrings.properties | 1 +
+ java/org/apache/jasper/servlet/JspServlet.java           | 6 ++++++
+ 4 files changed, 15 insertions(+)
+
+diff --git a/conf/web.xml b/conf/web.xml
+index 2e8815e..7062250 100644
+--- a/conf/web.xml
++++ b/conf/web.xml
+@@ -189,6 +189,8 @@
+   <!--   engineOptionsClass  Allows specifying the Options class used to    -->
+   <!--                       configure Jasper. If not present, the default  -->
+   <!--                       EmbeddedServletOptions will be used.           -->
++  <!--                       This option is ignored when running under a    -->
++  <!--                       SecurityManager.                               -->
+   <!--                                                                      -->
+   <!--   errorOnUseBeanInvalidClassAttribute                                -->
+   <!--                       Should Jasper issue an error when the value of -->
+@@ -238,6 +240,8 @@
+   <!--   scratchdir          What scratch directory should we use when      -->
+   <!--                       compiling JSP pages?  [default work directory  -->
+   <!--                       for the current web application]               -->
++  <!--                       This option is ignored when running under a    -->
++  <!--                       SecurityManager.                               -->
+   <!--                                                                      -->
+   <!--   suppressSmap        Should the generation of SMAP info for JSR45   -->
+   <!--                       debugging be suppressed?  [false]              -->
+diff --git a/java/org/apache/jasper/EmbeddedServletOptions.java b/java/org/apache/jasper/EmbeddedServletOptions.java
+index 3399a32..fa3d5f2 100644
+--- a/java/org/apache/jasper/EmbeddedServletOptions.java
++++ b/java/org/apache/jasper/EmbeddedServletOptions.java
+@@ -586,6 +586,10 @@ public final class EmbeddedServletOptions implements Options {
+          * scratchdir
+          */
+         String dir = config.getInitParameter("scratchdir");
++        if (dir != null && Constants.IS_SECURITY_ENABLED) {
++            log.info(Localizer.getMessage("jsp.info.ignoreSetting", "scratchdir", dir));
++            dir = null;
++        }
+         if (dir != null) {
+             scratchDir = new File(dir);
+         } else {
+diff --git a/java/org/apache/jasper/resources/LocalStrings.properties b/java/org/apache/jasper/resources/LocalStrings.properties
+index 03532ea..edb02c9 100644
+--- a/java/org/apache/jasper/resources/LocalStrings.properties
++++ b/java/org/apache/jasper/resources/LocalStrings.properties
+@@ -448,6 +448,7 @@ jsp.error.nested_jsproot=Nested <jsp:root>
+ jsp.error.unbalanced.endtag=The end tag \"</{0}\" is unbalanced
+ jsp.error.invalid.bean=The value for the useBean class attribute {0} is invalid.
+ jsp.error.prefix.use_before_dcl=The prefix {0} specified in this tag directive has been previously used by an action in file {1} line {2}.
++jsp.info.ignoreSetting=Ignored setting for [{0}] of [{1}] because a SecurityManager was enabled
+ 
+ jsp.exception=An exception occurred processing JSP page {0} at line {1}
+ 
+diff --git a/java/org/apache/jasper/servlet/JspServlet.java b/java/org/apache/jasper/servlet/JspServlet.java
+index 76ea446..6830093 100644
+--- a/java/org/apache/jasper/servlet/JspServlet.java
++++ b/java/org/apache/jasper/servlet/JspServlet.java
+@@ -79,6 +79,12 @@ public class JspServlet extends HttpServlet implements PeriodicEventListener {
+         // Check for a custom Options implementation
+         String engineOptionsName = 
+             config.getInitParameter("engineOptionsClass");
++        if (Constants.IS_SECURITY_ENABLED && engineOptionsName != null) {
++            log.info(Localizer.getMessage(
++                "jsp.info.ignoreSetting", "engineOptionsClass", engineOptionsName));
++            engineOptionsName = null;
++        }
++
+         if (engineOptionsName != null) {
+             // Instantiate the indicated Options implementation
+             try {
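Review bot: Neither new guard says why the setting is dropped. The `scratchdir` check in `EmbeddedServletOptions` and the `engineOptionsClass` check in `JspServlet` both null out a configured init parameter with no comment, and the `jsp.info.ignoreSetting` message only reports that it happened. Assuming these parameters can be set from a web application's own descriptor, a line above each guard such as `// Under a SecurityManager the web application's configuration must not select this value, so ignore it` would stop a later maintainer from removing the check as dead configuration handling. Both enclosing methods start and end outside their hunks, so whether a comment already exists further up cannot be seen from here.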
diff --git a/debian/patches/CVE-2016-6797.patch b/debian/patches/CVE-2016-6797.patch
new file mode 100644
index 0000000..9f42f47
--- /dev/null
+++ b/debian/patches/CVE-2016-6797.patch
@@ -0,0 +1,211 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 7 Nov 2016 13:20:10 +0100
+Subject: CVE-2016-6797
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1757285
+---
+ .../catalina/core/NamingContextListener.java       | 78 ++++++++++++++--------
+ .../apache/naming/factory/ResourceLinkFactory.java | 60 +++++++++++++++++
+ 2 files changed, 112 insertions(+), 26 deletions(-)
+
+diff --git a/java/org/apache/catalina/core/NamingContextListener.java b/java/org/apache/catalina/core/NamingContextListener.java
+index 2b8256a..cfd612f 100644
+--- a/java/org/apache/catalina/core/NamingContextListener.java
++++ b/java/org/apache/catalina/core/NamingContextListener.java
+@@ -71,6 +71,7 @@ import org.apache.naming.ResourceRef;
+ import org.apache.naming.ServiceRef;
+ import org.apache.naming.TransactionRef;
+ import org.apache.tomcat.util.modeler.Registry;
++import org.apache.naming.factory.ResourceLinkFactory;
+ 
+ 
+ /**
+@@ -280,37 +281,48 @@ public class NamingContextListener
+             if (!initialized)
+                 return;
+ 
+-            // Setting the context in read/write mode
+-            ContextAccessController.setWritable(getName(), container);
+-            ContextBindings.unbindContext(container, container);
++            try {
++                // Setting the context in read/write mode
++                ContextAccessController.setWritable(getName(), container);
++                ContextBindings.unbindContext(container, container);
++
++                if (container instanceof Context) {
++                    ContextBindings.unbindClassLoader
++                         (container, container,
++                          ((Container) container).getLoader().getClassLoader());
++                }
+ 
+-            if (container instanceof Context) {
+-                ContextBindings.unbindClassLoader
+-                    (container, container, 
+-                     ((Container) container).getLoader().getClassLoader());
+-            }
++                if (container instanceof Server) {
++                    namingResources.removePropertyChangeListener(this);
++                    ContextBindings.unbindClassLoader
++                        (container, container,
++                         this.getClass().getClassLoader());
++                }
+ 
+-            if (container instanceof Server) {
+-                namingResources.removePropertyChangeListener(this);
+-                ContextBindings.unbindClassLoader
+-                    (container, container, 
+-                     this.getClass().getClassLoader());
+-            }
++                ContextAccessController.unsetSecurityToken(getName(), container);
++                ContextAccessController.unsetSecurityToken(container, container);
+ 
+-            ContextAccessController.unsetSecurityToken(getName(), container);
+-            ContextAccessController.unsetSecurityToken(container, container);
++                // unregister mbeans.
++                if (!objectNames.isEmpty()) {
++                    Collection<ObjectName> names = objectNames.values();
++                    Registry registry = Registry.getRegistry(null, null);
++                    for (ObjectName objectName : names) {
++                        registry.unregisterComponent(objectName);
++                    }
++                }
+ 
+-            // unregister mbeans.
+-            Collection<ObjectName> names = objectNames.values();
+-            for (ObjectName objectName : names) {
+-                Registry.getRegistry(null, null).unregisterComponent(objectName);
+-            }
+-            objectNames.clear();
++                javax.naming.Context global = getGlobalNamingContext();
++                if (global != null) {
++                    ResourceLinkFactory.deregisterGlobalResourceAccess(global);
++                }
++            } finally {
++                objectNames.clear();
+ 
+-            namingContext = null;
+-            envCtx = null;
+-            compCtx = null;
+-            initialized = false;
++                namingContext = null;
++                envCtx = null;
++                compCtx = null;
++                initialized = false;
++            }
+ 
+         }
+ 
+@@ -1096,6 +1108,20 @@ public class NamingContextListener
+             logger.error(sm.getString("naming.bindFailed", e));
+         }
+ 
++        ResourceLinkFactory.registerGlobalResourceAccess(
++                getGlobalNamingContext(), resourceLink.getName(), resourceLink.getGlobal());
++    }
++
++    private javax.naming.Context getGlobalNamingContext() {
++         if (container instanceof Context) {
++              Engine e = (Engine) ((Context) container).getParent().getParent();
++              Server s = e.getService().getServer();
++              if (s instanceof StandardServer) {
++                  return ((StandardServer) s).getGlobalNamingContext();
++              }
++        }
++        return null;
++
+     }
+ 
+ 
+diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java b/java/org/apache/naming/factory/ResourceLinkFactory.java
+index 6df82dd..56b1423 100644
+--- a/java/org/apache/naming/factory/ResourceLinkFactory.java
++++ b/java/org/apache/naming/factory/ResourceLinkFactory.java
+@@ -18,7 +18,10 @@
+ 
+ package org.apache.naming.factory;
+ 
++import java.util.HashMap;
+ import java.util.Hashtable;
++import java.util.Map;
++import java.util.concurrent.ConcurrentHashMap;
+ 
+ import javax.naming.Context;
+ import javax.naming.Name;
+@@ -52,6 +55,8 @@ public class ResourceLinkFactory
+      */
+     private static Context globalContext = null;
+ 
++    private static Map<ClassLoader,Map<String,String>> globalResourceRegistrations =
++            new ConcurrentHashMap<ClassLoader,Map<String,String>>();
+ 
+     // --------------------------------------------------------- Public Methods
+ 
+@@ -71,6 +76,56 @@ public class ResourceLinkFactory
+     }
+ 
+ 
++    public static void registerGlobalResourceAccess(Context globalContext, String localName,
++            String globalName) {
++        validateGlobalContext(globalContext);
++        ClassLoader cl = Thread.currentThread().getContextClassLoader();
++        Map<String,String> registrations = globalResourceRegistrations.get(cl);
++        if (registrations == null) {
++            // Web application initialization is single threaded so this is
++            // safe.
++            registrations = new HashMap<String,String>();
++            globalResourceRegistrations.put(cl, registrations);
++        }
++        registrations.put(localName, globalName);
++    }
++
++
++    public static void deregisterGlobalResourceAccess(Context globalContext, String localName) {
++        validateGlobalContext(globalContext);
++        ClassLoader cl = Thread.currentThread().getContextClassLoader();
++        Map<String,String> registrations = globalResourceRegistrations.get(cl);
++        if (registrations != null) {
++            registrations.remove(localName);
++        }
++    }
++
++
++    public static void deregisterGlobalResourceAccess(Context globalContext) {
++        validateGlobalContext(globalContext);
++        ClassLoader cl = Thread.currentThread().getContextClassLoader();
++        globalResourceRegistrations.remove(cl);
++    }
++
++
++    private static void validateGlobalContext(Context globalContext) {
++        if (ResourceLinkFactory.globalContext != null &&
++                ResourceLinkFactory.globalContext != globalContext) {
++            throw new SecurityException("Caller provided invalid global context");
++        }
++    }
++
++
++    private static boolean validateGlobalResourceAccess(String globalName) {
++        ClassLoader cl = Thread.currentThread().getContextClassLoader();
++        Map<String,String> registrations = globalResourceRegistrations.get(cl);
++        if (registrations != null && registrations.containsValue(globalName)) {
++            return true;
++        }
++        return false;
++    }
++
++
+     // -------------------------------------------------- ObjectFactory Methods
+ 
+ 
+@@ -96,6 +151,11 @@ public class ResourceLinkFactory
+         RefAddr refAddr = ref.get(ResourceLinkRef.GLOBALNAME);
+         if (refAddr != null) {
+             globalName = refAddr.getContent().toString();
++            // Confirm that the current web application is currently configured
++            // to access the specified global resource
++            if (!validateGlobalResourceAccess(globalName)) {
++                return null;
++            }
+             Object result = null;
+             result = globalContext.lookup(globalName);
+             // FIXME: Check type
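Review bot: The `ResourceLinkFactory.registerGlobalResourceAccess(getGlobalNamingContext(), ...)` call added to the resource-link binding method in `NamingContextListener` passes the helper's result unchecked, while the stop path in the same patch tests `global != null` before deregistering. `getGlobalNamingContext()` returns `null` when `container` is not a `Context` or the server is not a `StandardServer`, and `validateGlobalContext` then throws `SecurityException` once `ResourceLinkFactory.globalContext` has been set. If that case can occur, handle it explicitly with `javax.naming.Context global = getGlobalNamingContext();` and `if (global != null) { ResourceLinkFactory.registerGlobalResourceAccess(global, resourceLink.getName(), resourceLink.getGlobal()); }`; if it cannot, add a comment saying why. A link left unregistered is still refused by `validateGlobalResourceAccess`, so the guard does not widen access. The enclosing method starts outside the hunk.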
diff --git a/debian/patches/CVE-2016-6816.patch b/debian/patches/CVE-2016-6816.patch
new file mode 100644
index 0000000..d936b4e
--- /dev/null
+++ b/debian/patches/CVE-2016-6816.patch
@@ -0,0 +1,1105 @@
+From: Markus Koschany <apo at debian.org>
+Date: Fri, 25 Nov 2016 20:08:42 +0100
+Subject: CVE-2016-6816
+
+Origin: http://svn.apache.org/r1767683
+---
+ .../apache/coyote/http11/AbstractInputBuffer.java  |  52 +---------
+ .../coyote/http11/InternalAprInputBuffer.java      |  77 +++++++--------
+ .../apache/coyote/http11/InternalInputBuffer.java  |  69 ++++++-------
+ .../coyote/http11/InternalNioInputBuffer.java      | 110 ++++++++++-----------
+ .../apache/coyote/http11/LocalStrings.properties   |   3 +
+ .../apache/tomcat/util/http/parser/HttpParser.java |  45 ++++++++-
+ java/org/apache/tomcat/util/res/StringManager.java |   3 +
+ 7 files changed, 168 insertions(+), 191 deletions(-)
+
+diff --git a/java/org/apache/coyote/http11/AbstractInputBuffer.java b/java/org/apache/coyote/http11/AbstractInputBuffer.java
+index 05e9d34..587755f 100644
+--- a/java/org/apache/coyote/http11/AbstractInputBuffer.java
++++ b/java/org/apache/coyote/http11/AbstractInputBuffer.java
+@@ -17,56 +17,8 @@
+ package org.apache.coyote.http11;
+ 
+ import org.apache.coyote.InputBuffer;
++import org.apache.tomcat.util.res.StringManager;
+ 
+ public abstract class AbstractInputBuffer implements InputBuffer {
+-    
+-    protected static final boolean[] HTTP_TOKEN_CHAR = new boolean[128];
+ 
+-    static {
+-        for (int i = 0; i < 128; i++) {
+-            if (i < 32) {
+-                HTTP_TOKEN_CHAR[i] = false;
+-            } else if (i == 127) {
+-                HTTP_TOKEN_CHAR[i] = false;
+-            } else if (i == '(') {
+-                HTTP_TOKEN_CHAR[i] = false;
+-            } else if (i == ')') {
+-                HTTP_TOKEN_CHAR[i] = false;
+-            } else if (i == '<') {
+-                HTTP_TOKEN_CHAR[i] = false;
+-            } else if (i == '>') {
+-                HTTP_TOKEN_CHAR[i] = false;
+-            } else if (i == '@') {
+-                HTTP_TOKEN_CHAR[i] = false;
+-            } else if (i == ',') {
+-                HTTP_TOKEN_CHAR[i] = false;
+-            } else if (i == ';') {
+-                HTTP_TOKEN_CHAR[i] = false;
+-            } else if (i == ':') {
+-                HTTP_TOKEN_CHAR[i] = false;
+-            } else if (i == '\\') {
+-                HTTP_TOKEN_CHAR[i] = false;
+-            } else if (i == '\"') {
+-                HTTP_TOKEN_CHAR[i] = false;
+-            } else if (i == '/') {
+-                HTTP_TOKEN_CHAR[i] = false;
+-            } else if (i == '[') {
+-                HTTP_TOKEN_CHAR[i] = false;
+-            } else if (i == ']') {
+-                HTTP_TOKEN_CHAR[i] = false;
+-            } else if (i == '?') {
+-                HTTP_TOKEN_CHAR[i] = false;
+-            } else if (i == '=') {
+-                HTTP_TOKEN_CHAR[i] = false;
+-            } else if (i == '{') {
+-                HTTP_TOKEN_CHAR[i] = false;
+-            } else if (i == '}') {
+-                HTTP_TOKEN_CHAR[i] = false;
+-            } else if (i == ' ') {
+-                HTTP_TOKEN_CHAR[i] = false;
+-            } else {
+-                HTTP_TOKEN_CHAR[i] = true;
+-            }
+-        }
+-    }
+-}
++    protected static final StringManager sm = StringManager.getManager(AbstractInputBuffer.class);}
+diff --git a/java/org/apache/coyote/http11/InternalAprInputBuffer.java b/java/org/apache/coyote/http11/InternalAprInputBuffer.java
+index f703719..a5f2804 100644
+--- a/java/org/apache/coyote/http11/InternalAprInputBuffer.java
++++ b/java/org/apache/coyote/http11/InternalAprInputBuffer.java
+@@ -26,7 +26,7 @@ import org.apache.tomcat.jni.Status;
+ import org.apache.tomcat.util.buf.ByteChunk;
+ import org.apache.tomcat.util.buf.MessageBytes;
+ import org.apache.tomcat.util.http.MimeHeaders;
+-import org.apache.tomcat.util.res.StringManager;
++import org.apache.tomcat.util.http.parser.HttpParser;
+ import org.apache.coyote.InputBuffer;
+ import org.apache.coyote.Request;
+ import org.apache.juli.logging.Log;
+@@ -68,23 +68,12 @@ public class InternalAprInputBuffer extends AbstractInputBuffer {
+ 
+         parsingHeader = true;
+         swallowInput = true;
+-        
+-    }
+-
+-
+-    // -------------------------------------------------------------- Variables
+ 
+-
+-    /**
+-     * The string manager for this package.
+-     */
+-    protected static StringManager sm =
+-        StringManager.getManager(Constants.Package);
++    }
+ 
+ 
+     // ----------------------------------------------------- Instance Variables
+ 
+-
+     /**
+      * Associated Coyote request.
+      */
+@@ -196,7 +185,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer {
+      */
+     public void addFilter(InputFilter filter) {
+ 
+-        InputFilter[] newFilterLibrary = 
++        InputFilter[] newFilterLibrary =
+             new InputFilter[filterLibrary.length + 1];
+         for (int i = 0; i < filterLibrary.length; i++) {
+             newFilterLibrary[i] = filterLibrary[i];
+@@ -264,7 +253,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer {
+ 
+ 
+     /**
+-     * Recycle the input buffer. This should be called when closing the 
++     * Recycle the input buffer. This should be called when closing the
+      * connection.
+      */
+     public void recycle() {
+@@ -289,7 +278,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer {
+ 
+     /**
+      * End processing of current HTTP request.
+-     * Note: All bytes of the current request should have been already 
++     * Note: All bytes of the current request should have been already
+      * consumed. This method only resets all the pointers so that we are ready
+      * to parse the next HTTP request.
+      */
+@@ -302,7 +291,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer {
+         if (lastValid - pos > 0 && pos > 0) {
+             System.arraycopy(buf, pos, buf, 0, lastValid - pos);
+         }
+-        
++
+         // Recycle filters
+         for (int i = 0; i <= lastActiveFilter; i++) {
+             activeFilters[i].recycle();
+@@ -320,7 +309,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer {
+ 
+     /**
+      * End request (consumes leftover bytes).
+-     * 
++     *
+      * @throws IOException an undelying I/O error occured
+      */
+     public void endRequest()
+@@ -335,14 +324,14 @@ public class InternalAprInputBuffer extends AbstractInputBuffer {
+ 
+ 
+     /**
+-     * Read the request line. This function is meant to be used during the 
+-     * HTTP request header parsing. Do NOT attempt to read the request body 
++     * Read the request line. This function is meant to be used during the
++     * HTTP request header parsing. Do NOT attempt to read the request body
+      * using it.
+      *
+      * @throws IOException If an exception occurs during the underlying socket
+      * read operations, or if the given buffer is not big enough to accomodate
+      * the whole line.
+-     * @return true if data is properly fed; false if no data is available 
++     * @return true if data is properly fed; false if no data is available
+      * immediately and thread should be freed
+      */
+     public boolean parseRequestLine(boolean useAvailableData)
+@@ -398,17 +387,19 @@ public class InternalAprInputBuffer extends AbstractInputBuffer {
+                     throw new EOFException(sm.getString("iib.eof.error"));
+             }
+ 
+-            // Spec says no CR or LF in method name
+-            if (buf[pos] == Constants.CR || buf[pos] == Constants.LF) {
+-                throw new IllegalArgumentException(
+-                        sm.getString("iib.invalidmethod"));
++            // Spec says method name is a token followed by a single SP but
++            // also be tolerant of multiple SP and/or HT.
++            if (buf[pos] == Constants.SP || buf[pos] == Constants.HT) {
+             }
+             // Spec says single SP but it also says be tolerant of HT
+             if (buf[pos] == Constants.SP || buf[pos] == Constants.HT) {
+                 space = true;
+                 request.method().setBytes(buf, start, pos - start);
++            } else if (!HttpParser.isToken(buf[pos])) {
++                throw new IllegalArgumentException(sm.getString("iib.invalidmethod"));
+             }
+ 
++
+             pos++;
+ 
+         }
+@@ -450,15 +441,17 @@ public class InternalAprInputBuffer extends AbstractInputBuffer {
+             if (buf[pos] == Constants.SP || buf[pos] == Constants.HT) {
+                 space = true;
+                 end = pos;
+-            } else if ((buf[pos] == Constants.CR) 
++            } else if ((buf[pos] == Constants.CR)
+                        || (buf[pos] == Constants.LF)) {
+                 // HTTP/0.9 style request
+                 eol = true;
+                 space = true;
+                 end = pos;
+-            } else if ((buf[pos] == Constants.QUESTION) 
++            } else if ((buf[pos] == Constants.QUESTION)
+                        && (questionPos == -1)) {
+                 questionPos = pos;
++            } else if (HttpParser.isNotRequestTarget(buf[pos])) {
++                throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget"));
+             }
+ 
+             pos++;
+@@ -467,7 +460,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer {
+ 
+         request.unparsedURI().setBytes(buf, start, end - start);
+         if (questionPos >= 0) {
+-            request.queryString().setBytes(buf, questionPos + 1, 
++            request.queryString().setBytes(buf, questionPos + 1,
+                                            end - questionPos - 1);
+             request.requestURI().setBytes(buf, start, questionPos - start);
+         } else {
+@@ -495,7 +488,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer {
+ 
+         //
+         // Reading the protocol
+-        // Protocol is always US-ASCII
++        // Protocol is always "HTTP/" DIGIT "." DIGIT
+         //
+ 
+         while (!eol) {
+@@ -512,6 +505,8 @@ public class InternalAprInputBuffer extends AbstractInputBuffer {
+                 if (end == 0)
+                     end = pos;
+                 eol = true;
++            } else if (!HttpParser.isHttpProtocol(buf[pos])) {
++                throw new IllegalArgumentException(sm.getString("iib.invalidHttpProtocol"));
+             }
+ 
+             pos++;
+@@ -523,7 +518,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer {
+         } else {
+             request.protocol().setString("");
+         }
+-        
++
+         return true;
+ 
+     }
+@@ -546,7 +541,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer {
+ 
+     /**
+      * Parse an HTTP header.
+-     * 
++     *
+      * @return false after reading a blank line (which indicates that the
+      * HTTP header parsing is done
+      */
+@@ -604,7 +599,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer {
+             if (buf[pos] == Constants.COLON) {
+                 colon = true;
+                 headerValue = headers.addValue(buf, start, pos - start);
+-            } else if (!HTTP_TOKEN_CHAR[buf[pos]]) {
++            } else if (!HttpParser.isToken(buf[pos])) {
+                 // If a non-token header is detected, skip the line and
+                 // ignore the header
+                 skipLine(start);
+@@ -710,14 +705,14 @@ public class InternalAprInputBuffer extends AbstractInputBuffer {
+ 
+     }
+ 
+-    
++
+     private void skipLine(int start) throws IOException {
+         boolean eol = false;
+         int lastRealByte = start;
+         if (pos - 1 > start) {
+             lastRealByte = pos - 1;
+         }
+-        
++
+         while (!eol) {
+ 
+             // Read new bytes if needed
+@@ -741,8 +736,8 @@ public class InternalAprInputBuffer extends AbstractInputBuffer {
+                     lastRealByte - start + 1, "ISO-8859-1")));
+         }
+     }
+-    
+-    
++
++
+     /**
+      * Available bytes (note that due to encoding, this may not correspond )
+      */
+@@ -763,7 +758,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer {
+     /**
+      * Read some bytes.
+      */
+-    public int doRead(ByteChunk chunk, Request req) 
++    public int doRead(ByteChunk chunk, Request req)
+         throws IOException {
+ 
+         if (lastActiveFilter == -1)
+@@ -779,7 +774,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer {
+ 
+     /**
+      * Fill the internal buffer using data from the undelying input stream.
+-     * 
++     *
+      * @return false if at end of stream
+      */
+     protected boolean fill()
+@@ -811,7 +806,7 @@ public class InternalAprInputBuffer extends AbstractInputBuffer {
+         } else {
+ 
+             if (buf.length - end < 4500) {
+-                // In this case, the request header was really large, so we allocate a 
++                // In this case, the request header was really large, so we allocate a
+                 // brand new one; the old one will get GCed when subsequent requests
+                 // clear all references
+                 buf = new byte[buf.length];
+@@ -850,14 +845,14 @@ public class InternalAprInputBuffer extends AbstractInputBuffer {
+      * This class is an input buffer which will read its data from an input
+      * stream.
+      */
+-    protected class SocketInputBuffer 
++    protected class SocketInputBuffer
+         implements InputBuffer {
+ 
+ 
+         /**
+          * Read bytes into the specified chunk.
+          */
+-        public int doRead(ByteChunk chunk, Request req ) 
++        public int doRead(ByteChunk chunk, Request req )
+             throws IOException {
+ 
+             if (pos >= lastValid) {
+diff --git a/java/org/apache/coyote/http11/InternalInputBuffer.java b/java/org/apache/coyote/http11/InternalInputBuffer.java
+index ffad9da..94f3017 100644
+--- a/java/org/apache/coyote/http11/InternalInputBuffer.java
++++ b/java/org/apache/coyote/http11/InternalInputBuffer.java
+@@ -23,8 +23,7 @@ import java.io.EOFException;
+ import org.apache.tomcat.util.buf.ByteChunk;
+ import org.apache.tomcat.util.buf.MessageBytes;
+ import org.apache.tomcat.util.http.MimeHeaders;
+-import org.apache.tomcat.util.res.StringManager;
+-
++import org.apache.tomcat.util.http.parser.HttpParser;
+ import org.apache.coyote.InputBuffer;
+ import org.apache.coyote.Request;
+ import org.apache.juli.logging.Log;
+@@ -39,7 +38,7 @@ import org.apache.juli.logging.LogFactory;
+ public class InternalInputBuffer extends AbstractInputBuffer {
+ 
+     private static final Log log = LogFactory.getLog(InternalInputBuffer.class);
+-    
++
+     // -------------------------------------------------------------- Constants
+ 
+ 
+@@ -76,19 +75,8 @@ public class InternalInputBuffer extends AbstractInputBuffer {
+     }
+ 
+ 
+-    // -------------------------------------------------------------- Variables
+-
+-
+-    /**
+-     * The string manager for this package.
+-     */
+-    protected static StringManager sm =
+-        StringManager.getManager(Constants.Package);
+-
+-
+     // ----------------------------------------------------- Instance Variables
+ 
+-
+     /**
+      * Associated Coyote request.
+      */
+@@ -201,7 +189,7 @@ public class InternalInputBuffer extends AbstractInputBuffer {
+ 
+         // FIXME: Check for null ?
+ 
+-        InputFilter[] newFilterLibrary = 
++        InputFilter[] newFilterLibrary =
+             new InputFilter[filterLibrary.length + 1];
+         for (int i = 0; i < filterLibrary.length; i++) {
+             newFilterLibrary[i] = filterLibrary[i];
+@@ -269,7 +257,7 @@ public class InternalInputBuffer extends AbstractInputBuffer {
+ 
+ 
+     /**
+-     * Recycle the input buffer. This should be called when closing the 
++     * Recycle the input buffer. This should be called when closing the
+      * connection.
+      */
+     public void recycle() {
+@@ -294,7 +282,7 @@ public class InternalInputBuffer extends AbstractInputBuffer {
+ 
+     /**
+      * End processing of current HTTP request.
+-     * Note: All bytes of the current request should have been already 
++     * Note: All bytes of the current request should have been already
+      * consumed. This method only resets all the pointers so that we are ready
+      * to parse the next HTTP request.
+      */
+@@ -325,7 +313,7 @@ public class InternalInputBuffer extends AbstractInputBuffer {
+ 
+     /**
+      * End request (consumes leftover bytes).
+-     * 
++     *
+      * @throws IOException an undelying I/O error occured
+      */
+     public void endRequest()
+@@ -340,8 +328,8 @@ public class InternalInputBuffer extends AbstractInputBuffer {
+ 
+ 
+     /**
+-     * Read the request line. This function is meant to be used during the 
+-     * HTTP request header parsing. Do NOT attempt to read the request body 
++     * Read the request line. This function is meant to be used during the
++     * HTTP request header parsing. Do NOT attempt to read the request body
+      * using it.
+      *
+      * @throws IOException If an exception occurs during the underlying socket
+@@ -390,17 +378,16 @@ public class InternalInputBuffer extends AbstractInputBuffer {
+                     throw new EOFException(sm.getString("iib.eof.error"));
+             }
+ 
+-            // Spec says no CR or LF in method name
+-            if (buf[pos] == Constants.CR || buf[pos] == Constants.LF) {
+-                throw new IllegalArgumentException(
+-                        sm.getString("iib.invalidmethod"));
+-            }
+-            // Spec says single SP but it also says be tolerant of HT
++            // Spec says method name is a token followed by a single SP but
++            // also be tolerant of multiple SP and/or HT.
+             if (buf[pos] == Constants.SP || buf[pos] == Constants.HT) {
+                 space = true;
+                 request.method().setBytes(buf, start, pos - start);
++            } else if (!HttpParser.isToken(buf[pos])) {
++                throw new IllegalArgumentException(sm.getString("iib.invalidmethod"));
+             }
+ 
++
+             pos++;
+ 
+         }
+@@ -443,15 +430,17 @@ public class InternalInputBuffer extends AbstractInputBuffer {
+             if (buf[pos] == Constants.SP || buf[pos] == Constants.HT) {
+                 space = true;
+                 end = pos;
+-            } else if ((buf[pos] == Constants.CR) 
++            } else if ((buf[pos] == Constants.CR)
+                        || (buf[pos] == Constants.LF)) {
+                 // HTTP/0.9 style request
+                 eol = true;
+                 space = true;
+                 end = pos;
+-            } else if ((buf[pos] == Constants.QUESTION) 
++            } else if ((buf[pos] == Constants.QUESTION)
+                        && (questionPos == -1)) {
+                 questionPos = pos;
++            } else if (HttpParser.isNotRequestTarget(buf[pos])) {
++                throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget"));
+             }
+ 
+             pos++;
+@@ -460,7 +449,7 @@ public class InternalInputBuffer extends AbstractInputBuffer {
+ 
+         request.unparsedURI().setBytes(buf, start, end - start);
+         if (questionPos >= 0) {
+-            request.queryString().setBytes(buf, questionPos + 1, 
++            request.queryString().setBytes(buf, questionPos + 1,
+                                            end - questionPos - 1);
+             request.requestURI().setBytes(buf, start, questionPos - start);
+         } else {
+@@ -487,7 +476,7 @@ public class InternalInputBuffer extends AbstractInputBuffer {
+ 
+         //
+         // Reading the protocol
+-        // Protocol is always US-ASCII
++        // Protocol is always "HTTP/" DIGIT "." DIGIT
+         //
+ 
+         while (!eol) {
+@@ -504,6 +493,8 @@ public class InternalInputBuffer extends AbstractInputBuffer {
+                 if (end == 0)
+                     end = pos;
+                 eol = true;
++            } else if (!HttpParser.isHttpProtocol(buf[pos])) {
++                throw new IllegalArgumentException(sm.getString("iib.invalidHttpProtocol"));
+             }
+ 
+             pos++;
+@@ -536,7 +527,7 @@ public class InternalInputBuffer extends AbstractInputBuffer {
+ 
+     /**
+      * Parse an HTTP header.
+-     * 
++     *
+      * @return false after reading a blank line (which indicates that the
+      * HTTP header parsing is done
+      */
+@@ -594,7 +585,7 @@ public class InternalInputBuffer extends AbstractInputBuffer {
+             if (buf[pos] == Constants.COLON) {
+                 colon = true;
+                 headerValue = headers.addValue(buf, start, pos - start);
+-            } else if (!HTTP_TOKEN_CHAR[buf[pos]]) {
++            } else if (!HttpParser.isToken(buf[pos])) {
+                 // If a non-token header is detected, skip the line and
+                 // ignore the header
+                 skipLine(start);
+@@ -708,7 +699,7 @@ public class InternalInputBuffer extends AbstractInputBuffer {
+     /**
+      * Read some bytes.
+      */
+-    public int doRead(ByteChunk chunk, Request req) 
++    public int doRead(ByteChunk chunk, Request req)
+         throws IOException {
+ 
+         if (lastActiveFilter == -1)
+@@ -727,7 +718,7 @@ public class InternalInputBuffer extends AbstractInputBuffer {
+         if (pos - 1 > start) {
+             lastRealByte = pos - 1;
+         }
+-        
++
+         while (!eol) {
+ 
+             // Read new bytes if needed
+@@ -752,10 +743,10 @@ public class InternalInputBuffer extends AbstractInputBuffer {
+         }
+     }
+ 
+-    
++
+     /**
+      * Fill the internal buffer using data from the undelying input stream.
+-     * 
++     *
+      * @return false if at end of stream
+      */
+     protected boolean fill()
+@@ -778,7 +769,7 @@ public class InternalInputBuffer extends AbstractInputBuffer {
+         } else {
+ 
+             if (buf.length - end < 4500) {
+-                // In this case, the request header was really large, so we allocate a 
++                // In this case, the request header was really large, so we allocate a
+                 // brand new one; the old one will get GCed when subsequent requests
+                 // clear all references
+                 buf = new byte[buf.length];
+@@ -805,14 +796,14 @@ public class InternalInputBuffer extends AbstractInputBuffer {
+      * This class is an input buffer which will read its data from an input
+      * stream.
+      */
+-    protected class InputStreamInputBuffer 
++    protected class InputStreamInputBuffer
+         implements InputBuffer {
+ 
+ 
+         /**
+          * Read bytes into the specified chunk.
+          */
+-        public int doRead(ByteChunk chunk, Request req ) 
++        public int doRead(ByteChunk chunk, Request req )
+             throws IOException {
+ 
+             if (pos >= lastValid) {
+diff --git a/java/org/apache/coyote/http11/InternalNioInputBuffer.java b/java/org/apache/coyote/http11/InternalNioInputBuffer.java
+index 7289201..c050a16 100644
+--- a/java/org/apache/coyote/http11/InternalNioInputBuffer.java
++++ b/java/org/apache/coyote/http11/InternalNioInputBuffer.java
+@@ -25,9 +25,9 @@ import org.apache.coyote.Request;
+ import org.apache.tomcat.util.buf.ByteChunk;
+ import org.apache.tomcat.util.buf.MessageBytes;
+ import org.apache.tomcat.util.http.MimeHeaders;
++import org.apache.tomcat.util.http.parser.HttpParser;
+ import org.apache.tomcat.util.net.NioChannel;
+ import org.apache.tomcat.util.net.NioSelectorPool;
+-import org.apache.tomcat.util.res.StringManager;
+ import org.apache.tomcat.util.net.NioEndpoint;
+ 
+ /**
+@@ -88,7 +88,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+     }
+ 
+     // ----------------------------------------------------------- Constructors
+-    
++
+ 
+     /**
+      * Alternate constructor.
+@@ -119,19 +119,8 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+     }
+ 
+ 
+-    // -------------------------------------------------------------- Variables
+-
+-
+-    /**
+-     * The string manager for this package.
+-     */
+-    protected static StringManager sm =
+-        StringManager.getManager(Constants.Package);
+-
+-
+     // ----------------------------------------------------- Instance Variables
+ 
+-
+     /**
+      * Associated Coyote request.
+      */
+@@ -193,12 +182,12 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+      * Underlying socket.
+      */
+     protected NioChannel socket;
+-    
++
+     /**
+      * Selector pool, for blocking reads and blocking writes
+      */
+     protected NioSelectorPool pool;
+-    
++
+ 
+     /**
+      * Underlying input buffer.
+@@ -263,7 +252,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+             buf = new byte[bufLength];
+         }
+     }
+-    
++
+     /**
+      * Get the underlying socket input stream.
+      */
+@@ -271,10 +260,10 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+         return socket;
+     }
+ 
+-    public void setSelectorPool(NioSelectorPool pool) { 
++    public void setSelectorPool(NioSelectorPool pool) {
+         this.pool = pool;
+     }
+-    
++
+     public NioSelectorPool getSelectorPool() {
+         return pool;
+     }
+@@ -285,7 +274,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+      */
+     public void addFilter(InputFilter filter) {
+ 
+-        InputFilter[] newFilterLibrary = 
++        InputFilter[] newFilterLibrary =
+             new InputFilter[filterLibrary.length + 1];
+         for (int i = 0; i < filterLibrary.length; i++) {
+             newFilterLibrary[i] = filterLibrary[i];
+@@ -357,7 +346,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+     public boolean isReadable() throws IOException {
+         return (pos < lastValid) || (nbRead()>0);
+     }
+-    
++
+     /**
+      * Issues a non blocking read
+      * @return int
+@@ -368,7 +357,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+     }
+ 
+     /**
+-     * Recycle the input buffer. This should be called when closing the 
++     * Recycle the input buffer. This should be called when closing the
+      * connection.
+      */
+     public void recycle() {
+@@ -399,7 +388,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+ 
+     /**
+      * End processing of current HTTP request.
+-     * Note: All bytes of the current request should have been already 
++     * Note: All bytes of the current request should have been already
+      * consumed. This method only resets all the pointers so that we are ready
+      * to parse the next HTTP request.
+      */
+@@ -437,7 +426,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+ 
+     /**
+      * End request (consumes leftover bytes).
+-     * 
++     *
+      * @throws IOException an undelying I/O error occured
+      */
+     public void endRequest()
+@@ -452,14 +441,14 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+ 
+ 
+     /**
+-     * Read the request line. This function is meant to be used during the 
+-     * HTTP request header parsing. Do NOT attempt to read the request body 
++     * Read the request line. This function is meant to be used during the
++     * HTTP request header parsing. Do NOT attempt to read the request body
+      * using it.
+      *
+      * @throws IOException If an exception occurs during the underlying socket
+      * read operations, or if the given buffer is not big enough to accommodate
+      * the whole line.
+-     * @return true if data is properly fed; false if no data is available 
++     * @return true if data is properly fed; false if no data is available
+      * immediately and thread should be freed
+      */
+     public boolean parseRequestLine(boolean useAvailableDataOnly)
+@@ -473,7 +462,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+         if ( parsingRequestLinePhase == 0 ) {
+             byte chr = 0;
+             do {
+-                
++
+                 // Read new bytes if needed
+                 if (pos >= lastValid) {
+                     if (useAvailableDataOnly) {
+@@ -510,14 +499,13 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+                     if (!fill(true, false)) //request line parsing
+                         return false;
+                 }
+-                // Spec says no CR or LF in method name
+-                if (buf[pos] == Constants.CR || buf[pos] == Constants.LF) {
+-                    throw new IllegalArgumentException(
+-                            sm.getString("iib.invalidmethod"));
+-                }
++                // Spec says method name is a token followed by a single SP but
++                // also be tolerant of multiple SP and/or HT.
+                 if (buf[pos] == Constants.SP || buf[pos] == Constants.HT) {
+                     space = true;
+                     request.method().setBytes(buf, parsingRequestLineStart, pos - parsingRequestLineStart);
++                } else if (!HttpParser.isToken(buf[pos])) {
++                    throw new IllegalArgumentException(sm.getString("iib.invalidmethod"));
+                 }
+                 pos++;
+             }
+@@ -543,7 +531,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+         }
+         if (parsingRequestLinePhase == 4) {
+             // Mark the current buffer position
+-            
++
+             int end = 0;
+             //
+             // Reading the URI
+@@ -558,21 +546,23 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+                 if (buf[pos] == Constants.SP || buf[pos] == Constants.HT) {
+                     space = true;
+                     end = pos;
+-                } else if ((buf[pos] == Constants.CR) 
++                } else if ((buf[pos] == Constants.CR)
+                            || (buf[pos] == Constants.LF)) {
+                     // HTTP/0.9 style request
+                     parsingRequestLineEol = true;
+                     space = true;
+                     end = pos;
+-                } else if ((buf[pos] == Constants.QUESTION) 
++                } else if ((buf[pos] == Constants.QUESTION)
+                            && (parsingRequestLineQPos == -1)) {
+                     parsingRequestLineQPos = pos;
++                } else if (HttpParser.isNotRequestTarget(buf[pos])) {
++                    throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget"));
+                 }
+                 pos++;
+             }
+             request.unparsedURI().setBytes(buf, parsingRequestLineStart, end - parsingRequestLineStart);
+             if (parsingRequestLineQPos >= 0) {
+-                request.queryString().setBytes(buf, parsingRequestLineQPos + 1, 
++                request.queryString().setBytes(buf, parsingRequestLineQPos + 1,
+                                                end - parsingRequestLineQPos - 1);
+                 request.requestURI().setBytes(buf, parsingRequestLineStart, parsingRequestLineQPos - parsingRequestLineStart);
+             } else {
+@@ -601,10 +591,10 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+             // Mark the current buffer position
+             end = 0;
+         }
+-        if (parsingRequestLinePhase == 6) { 
++        if (parsingRequestLinePhase == 6) {
+             //
+             // Reading the protocol
+-            // Protocol is always US-ASCII
++            // Protocol is always "HTTP/" DIGIT "." DIGIT
+             //
+             while (!parsingRequestLineEol) {
+                 // Read new bytes if needed
+@@ -612,17 +602,19 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+                     if (!fill(true, false)) //request line parsing
+                         return false;
+                 }
+-        
++
+                 if (buf[pos] == Constants.CR) {
+                     end = pos;
+                 } else if (buf[pos] == Constants.LF) {
+                     if (end == 0)
+                         end = pos;
+                     parsingRequestLineEol = true;
++                } else if (!HttpParser.isHttpProtocol(buf[pos])) {
++                    throw new IllegalArgumentException(sm.getString("iib.invalidHttpProtocol"));
+                 }
+                 pos++;
+             }
+-        
++
+             if ( (end - parsingRequestLineStart) > 0) {
+                 request.protocol().setBytes(buf, parsingRequestLineStart, end - parsingRequestLineStart);
+             } else {
+@@ -636,7 +628,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+         }
+         throw new IllegalStateException("Invalid request line parse phase:"+parsingRequestLinePhase);
+     }
+-    
++
+     private void expand(int newsize) {
+         if ( newsize > buf.length ) {
+             if (parsingHeader) {
+@@ -652,7 +644,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+             tmp = null;
+         }
+     }
+-    
++
+     /**
+      * Perform blocking read with a timeout if desired
+      * @param timeout boolean - if we want to use the timeout data
+@@ -673,7 +665,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+                 nRead = getSelectorPool().read(socket.getBufHandler().getReadBuffer(),socket,selector,att.getTimeout());
+             } catch ( EOFException eof ) {
+                 nRead = -1;
+-            } finally { 
++            } finally {
+                 if ( selector != null ) getSelectorPool().put(selector);
+             }
+         } else {
+@@ -700,7 +692,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+     public boolean parseHeaders()
+         throws IOException {
+         HeaderParseStatus status = HeaderParseStatus.HAVE_MORE_HEADERS;
+-        
++
+         do {
+             status = parseHeader();
+             // Checking that
+@@ -729,7 +721,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+ 
+     /**
+      * Parse an HTTP header.
+-     * 
++     *
+      * @return false after reading a blank line (which indicates that the
+      * HTTP header parsing is done
+      */
+@@ -745,7 +737,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+ 
+             // Read new bytes if needed
+             if (pos >= lastValid) {
+-                if (!fill(true,false)) {//parse header 
++                if (!fill(true,false)) {//parse header
+                     headerParsePos = HeaderParsePosition.HEADER_START;
+                     return HeaderParseStatus.NEED_MORE_DATA;
+                 }
+@@ -770,18 +762,18 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+             // Mark the current buffer position
+             headerData.start = pos;
+             headerParsePos = HeaderParsePosition.HEADER_NAME;
+-        }    
++        }
+ 
+         //
+         // Reading the header name
+         // Header name is always US-ASCII
+         //
+-        
++
+         while (headerParsePos == HeaderParsePosition.HEADER_NAME) {
+ 
+             // Read new bytes if needed
+             if (pos >= lastValid) {
+-                if (!fill(true,false)) { //parse header 
++                if (!fill(true,false)) { //parse header
+                     return HeaderParseStatus.NEED_MORE_DATA;
+                 }
+             }
+@@ -796,7 +788,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+                 headerData.realPos = pos;
+                 headerData.lastSignificantChar = pos;
+                 break;
+-            } else if (!HTTP_TOKEN_CHAR[chr]) {
++            } else if (!HttpParser.isToken(chr)) {
+                 // If a non-token header is detected, skip the line and
+                 // ignore the header
+                 headerData.lastSignificantChar = pos;
+@@ -828,7 +820,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+                 while (true) {
+                     // Read new bytes if needed
+                     if (pos >= lastValid) {
+-                        if (!fill(true,false)) {//parse header 
++                        if (!fill(true,false)) {//parse header
+                             //HEADER_VALUE_START
+                             return HeaderParseStatus.NEED_MORE_DATA;
+                         }
+@@ -851,7 +843,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+ 
+                     // Read new bytes if needed
+                     if (pos >= lastValid) {
+-                        if (!fill(true,false)) {//parse header 
++                        if (!fill(true,false)) {//parse header
+                             //HEADER_VALUE
+                             return HeaderParseStatus.NEED_MORE_DATA;
+                         }
+@@ -884,7 +876,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+             // Read new bytes if needed
+             if (pos >= lastValid) {
+                 if (!fill(true,false)) {//parse header
+-                    
++
+                     //HEADER_MULTI_LINE
+                     return HeaderParseStatus.NEED_MORE_DATA;
+                 }
+@@ -910,7 +902,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+         headerData.recycle();
+         return HeaderParseStatus.HAVE_MORE_HEADERS;
+     }
+-    
++
+     private HeaderParseStatus skipLine() throws IOException {
+         headerParsePos = HeaderParsePosition.HEADER_SKIPLINE;
+         boolean eol = false;
+@@ -945,7 +937,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+         headerParsePos = HeaderParsePosition.HEADER_START;
+         return HeaderParseStatus.HAVE_MORE_HEADERS;
+     }
+-    
++
+     private HeaderParseData headerData = new HeaderParseData();
+     public static class HeaderParseData {
+         /**
+@@ -1004,7 +996,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+     /**
+      * Read some bytes.
+      */
+-    public int doRead(ByteChunk chunk, Request req) 
++    public int doRead(ByteChunk chunk, Request req)
+         throws IOException {
+ 
+         if (lastActiveFilter == -1)
+@@ -1019,7 +1011,7 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+ 
+     /**
+      * Fill the internal buffer using data from the undelying input stream.
+-     * 
++     *
+      * @return false if at end of stream
+      */
+     protected boolean fill(boolean timeout, boolean block)
+@@ -1052,14 +1044,14 @@ public class InternalNioInputBuffer extends AbstractInputBuffer {
+      * This class is an input buffer which will read its data from an input
+      * stream.
+      */
+-    protected class SocketInputBuffer 
++    protected class SocketInputBuffer
+         implements InputBuffer {
+ 
+ 
+         /**
+          * Read bytes into the specified chunk.
+          */
+-        public int doRead(ByteChunk chunk, Request req ) 
++        public int doRead(ByteChunk chunk, Request req )
+             throws IOException {
+ 
+             if (pos >= lastValid) {
+diff --git a/java/org/apache/coyote/http11/LocalStrings.properties b/java/org/apache/coyote/http11/LocalStrings.properties
+index 542eedd..0fb5d0c 100644
+--- a/java/org/apache/coyote/http11/LocalStrings.properties
++++ b/java/org/apache/coyote/http11/LocalStrings.properties
+@@ -62,5 +62,8 @@ http11processor.sendfile.error=Error sending data using sendfile. May be caused
+ 
+ iib.eof.error=Unexpected EOF read on the socket
+ iib.requestheadertoolarge.error=Request header is too large
++iib.invalidheader=The HTTP header line [{0}] does not conform to RFC 7230 and has been ignored.
++iib.invalidRequestTarget=Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986
++iib.invalidHttpProtocol=Invalid character found in the HTTP protocol
+ iib.invalidmethod=Invalid character (CR or LF) found in method name
+ 
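Review bot: `iib.invalidmethod` still reads "Invalid character (CR or LF) found in method name", but the InternalInputBuffer and InternalNioInputBuffer hunks of this patch now raise it for any byte that fails `HttpParser.isToken`, not only CR or LF. Someone triaging a rejected request from the log would look for a stray line break when the cause may be a separator or a non-ASCII byte in the method. Suggest updating the unchanged context line to `iib.invalidmethod=Invalid character found in method name. HTTP method names must be tokens`.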
+diff --git a/java/org/apache/tomcat/util/http/parser/HttpParser.java b/java/org/apache/tomcat/util/http/parser/HttpParser.java
+index b828f71..b92d687 100644
+--- a/java/org/apache/tomcat/util/http/parser/HttpParser.java
++++ b/java/org/apache/tomcat/util/http/parser/HttpParser.java
+@@ -54,8 +54,11 @@ public class HttpParser {
+             new HashMap<String, Integer>();
+ 
+     // Arrays used by isToken(), isHex()
++    private static final boolean[] IS_CONTROL = new boolean[128];
+     private static final boolean isToken[] = new boolean[128];
+     private static final boolean isHex[] = new boolean[128];
++    private static final boolean[] IS_NOT_REQUEST_TARGET = new boolean[128];
++    private static final boolean[] IS_HTTP_PROTOCOL = new boolean[128];
+ 
+     static {
+         // Digest field types.
+@@ -96,6 +99,21 @@ public class HttpParser {
+             } else {
+                 isHex[i] = false;
+             }
++
++            // Not valid for request target.
++            // Combination of multiple rules from RFC7230 and RFC 3986. Must be
++            // ASCII, no controls plus a few additional characters excluded
++            if (IS_CONTROL[i] || i > 127 ||
++                    i == ' ' || i == '\"' || i == '#' || i == '<' || i == '>' || i == '\\' ||
++                    i == '^' || i == '`'  || i == '{' || i == '|' || i == '}') {
++                IS_NOT_REQUEST_TARGET[i] = true;
++            }
++
++            // Not valid for HTTP protocol
++            // "HTTP/" DIGIT "." DIGIT
++            if (i == 'H' || i == 'T' || i == 'P' || i == '/' || i == '.' || (i >= '0' && i <= '9')) {
++                IS_HTTP_PROTOCOL[i] = true;
++            }
+         }
+     }
+ 
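Review bot: `IS_CONTROL` is declared in the first hunk of this file, but no hunk in the HttpParser.java section ever sets an element, so `IS_CONTROL[i]` in the request-target test is always false. Control bytes other than the SP/HT/CR/LF that the callers handle themselves are therefore never marked in `IS_NOT_REQUEST_TARGET` and pass `isNotRequestTarget`, contrary to the "no controls" comment. Populate the table before that test, e.g. `if (i < 32 || i == 127) { IS_CONTROL[i] = true; }`. Two smaller points: the `i > 127` term cannot be true for an index into a 128-element array, and the comment over the protocol table says "Not valid" although that table marks the accepted characters. The static initializer's loop header is outside the hunk.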
+@@ -246,7 +264,7 @@ public class HttpParser {
+         return result.toString();
+     }
+ 
+-    private static boolean isToken(int c) {
++    public static boolean isToken(int c) {
+         // Fast for correct values, slower for incorrect ones
+         try {
+             return isToken[c];
+@@ -255,7 +273,7 @@ public class HttpParser {
+         }
+     }
+ 
+-    private static boolean isHex(int c) {
++    public static boolean isHex(int c) {
+         // Fast for correct values, slower for incorrect ones
+         try {
+             return isHex[c];
+@@ -264,6 +282,29 @@ public class HttpParser {
+         }
+     }
+ 
++
++    public static boolean isNotRequestTarget(int c) {
++        // Fast for valid request target characters, slower for some incorrect
++        // ones
++        try {
++            return IS_NOT_REQUEST_TARGET[c];
++        } catch (ArrayIndexOutOfBoundsException ex) {
++            return true;
++        }
++    }
++
++
++    public static boolean isHttpProtocol(int c) {
++        // Fast for valid HTTP protocol characters, slower for some incorrect
++        // ones
++        try {
++            return IS_HTTP_PROTOCOL[c];
++        } catch (ArrayIndexOutOfBoundsException ex) {
++            return false;
++        }
++    }
++
++
+     // Skip any LWS and return the next char
+     private static int skipLws(StringReader input, boolean withReset)
+             throws IOException {
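Review bot: `isNotRequestTarget` and `isHttpProtocol` are new public methods with no Javadoc, and their out-of-range behaviour is the part a caller most needs to know. The input buffers pass a `byte`, so values 0x80–0xFF arrive as negative ints and are rejected only through the `ArrayIndexOutOfBoundsException` catch. Suggest a Javadoc on each stating that any value outside 0–127 is treated as invalid (returning `true` and `false` respectively). The one on `isHttpProtocol` should add that it tests single-character membership and does not validate the `"HTTP/" DIGIT "." DIGIT` grammar as a whole. `skipLws` in the trailing context continues outside the hunk.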
+diff --git a/java/org/apache/tomcat/util/res/StringManager.java b/java/org/apache/tomcat/util/res/StringManager.java
+index 67c56f0..bd0a84c 100644
+--- a/java/org/apache/tomcat/util/res/StringManager.java
++++ b/java/org/apache/tomcat/util/res/StringManager.java
+@@ -179,6 +179,9 @@ public class StringManager {
+     private static final Map<String,Map<Locale,StringManager>> managers =
+             new Hashtable<String,Map<Locale,StringManager>>();
+ 
++    public static final StringManager getManager(Class<?> clazz) {
++        return getManager(clazz.getPackage().getName());
++    }
+     /**
+      * Get the StringManager for a particular package. If a manager for
+      * a package already exists, it will be reused, else a new
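Review bot: The new `getManager(Class<?> clazz)` dereferences `clazz.getPackage()` unchecked, and `Class.getPackage()` may return null when the class loader created no package object for the class. That would surface as a bare NullPointerException, most likely during static initialisation of whichever class calls it. Suggest a Javadoc stating the precondition, such as `/** Get the StringManager for the package of the given class; the class must belong to a named package. */`, plus a blank line before the following Javadoc block, or a null check that throws an IllegalArgumentException naming the class.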
diff --git a/debian/patches/CVE-2016-8735.patch b/debian/patches/CVE-2016-8735.patch
new file mode 100644
index 0000000..0d3a851
--- /dev/null
+++ b/debian/patches/CVE-2016-8735.patch
@@ -0,0 +1,24 @@
+From: Markus Koschany <apo at debian.org>
+Date: Fri, 25 Nov 2016 20:11:08 +0100
+Subject: CVE-2016-8735
+
+Origin: http://svn.apache.org/r1767684
+---
+ java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java b/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java
+index 7d04955..7f8ff01 100644
+--- a/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java
++++ b/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java
+@@ -198,6 +198,10 @@ public class JmxRemoteLifecycleListener implements LifecycleListener {
+                 csf = new RmiClientLocalhostSocketFactory(csf);
+             }
+ 
++            env.put("jmx.remote.rmi.server.credential.types", new String[] {
++                    String[].class.getName(),
++                    String.class.getName() });
++
+             // Populate the env properties used to create the server
+             if (csf != null) {
+                 env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE,
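Review bot: The added `env.put("jmx.remote.rmi.server.credential.types", ...)` in the embedded JmxRemoteLifecycleListener.java hunk has no comment and uses a bare string key, so a later reader cannot tell that it limits the classes accepted for the JMX credentials object to `String[]` and `String`. I would put `// CVE-2016-8735: accept only String[] / String as JMX credentials` directly above it. The restriction presumably only takes effect on a JRE whose RMI connector server reads this key; the package's Java dependency is not visible in this hunk, so that is worth confirming and recording in the patch header. The enclosing method starts and ends outside the hunk.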
diff --git a/debian/patches/series b/debian/patches/series
index f4fb4ad..e2c4068 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -7,3 +7,10 @@
 0007-add-OSGi-headers-to-servlet-api.patch
 0008-add-OSGI-headers-to-jsp-api.patch
 0010-Use-java.security.policy-file-in-catalina.sh.patch
+CVE-2016-0762.patch
+CVE-2016-6794.patch
+CVE-2016-6797.patch
+CVE-2016-5018.patch
+CVE-2016-6796.patch
+CVE-2016-6816.patch
+CVE-2016-8735.patch
diff --git a/debian/rules b/debian/rules
index 864c3a4..8162d37 100755
--- a/debian/rules
+++ b/debian/rules
@@ -54,7 +54,7 @@ build-stamp:
 	$(ANT_INVOKE) deploy-webapps
 	$(ANT_INVOKE) -buildfile extras.xml jmx-remote
 	javadoc -subpackages "javax.servlet" -d "output/api" \
-		-sourcepath "java" -author -version -breakiterator -notimestamp \
+		-sourcepath "java" -author -version -breakiterator \
 		-windowtitle "Tomcat API Documentation" -doctitle "Tomcat API" \
 		-bottom "Copyright © 2000-2008 Apache Software Foundation. All Rights Reserved."
 	touch build-stamp
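Review bot: Dropping `-notimestamp` from the javadoc call in `build-stamp` lets the generated API pages embed the build time, so two builds of the same source no longer give identical documentation output. If the option was removed because the javadoc in the target release does not accept it, a comment saying so belongs next to the call; otherwise keep `-sourcepath "java" -author -version -breakiterator -notimestamp \`. The recipe begins before the hunk.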
@@ -79,7 +79,7 @@ binary-indep: build install
 	dh_testroot
 	dh_installchangelogs
 	dh_installdocs
-	#dh_installman -ptomcat6-user debian/tomcat6-instance-create.1
+	dh_installman -ptomcat6-user debian/tomcat6-instance-create.1
 	dh_installexamples
 	dh_installinit --error-handler=true -- defaults 92 08
 	dh_installdebconf
@@ -90,30 +90,30 @@ binary-indep: build install
 	perl -p -i -e 's/\@MAVEN.DEPLOY.VERSION\@/2.1/' debian/poms/el-api.pom
 	perl -p -i -e 's/\@MAVEN.DEPLOY.VERSION\@/2.1/' debian/poms/jsp-api.pom
 	perl -p -i -e 's/\@MAVEN.DEPLOY.VERSION\@/$(T_VER)/' debian/poms/*.pom
-	#mh_installpoms -plibtomcat6-java
-	#for i in $(T_MAVENIZED_JARS); do \
-	#	mh_installjar -plibtomcat6-java -l debian/poms/$$i.pom $(BLDLIB)/$$i.jar usr/share/tomcat6/lib/$$i.jar; done
-	#mh_installjar -plibtomcat6-java -l --usj-name=catalina-tribes debian/poms/tribes.pom \
-	#	$(BLDLIB)/catalina-tribes.jar usr/share/tomcat6/lib/catalina-tribes.jar
-	#mh_installjar -plibtomcat6-java -l --usj-name=tomcat-coyote debian/poms/coyote.pom \
-	#	$(BLDLIB)/tomcat-coyote.jar usr/share/tomcat6/lib/tomcat-coyote.jar
-	#mh_installjar -plibtomcat6-java -l --usj-name=tomcat-juli debian/poms/juli.pom $(BLDBIN)/tomcat-juli.jar
-	#for i in $(T_JARS); do \
-	#	mv $(BLDLIB)/$$i.jar $(BLDLIB)/$$i-$(T_VER).jar && \
-	#	dh_install -plibtomcat6-java \
-	#		$(BLDLIB)/$$i-$(T_VER).jar usr/share/java && \
-	#	dh_link -plibtomcat6-java usr/share/java/$$i-$(T_VER).jar \
-	#		usr/share/java/$$i.jar && \
-	#	dh_link -ptomcat6-common usr/share/java/$$i-$(T_VER).jar \
-	#		usr/share/tomcat6/lib/$$i.jar; done
-	#for i in $(T_EXTRAS_JARS); do \
-	#	mv output/extras/$$i.jar output/extras/$$i-$(T_VER).jar && \
-	#	dh_install -plibtomcat6-java \
-	#		output/extras/$$i-$(T_VER).jar usr/share/java && \
-	#	dh_link -plibtomcat6-java usr/share/java/$$i-$(T_VER).jar \
-	#		usr/share/java/$$i.jar && \
-	#	dh_link -ptomcat6-extras usr/share/java/$$i-$(T_VER).jar \
-	#		usr/share/tomcat6/lib/$$i.jar; done
+	mh_installpoms -plibtomcat6-java
+	for i in $(T_MAVENIZED_JARS); do \
+		mh_installjar -plibtomcat6-java -l debian/poms/$$i.pom $(BLDLIB)/$$i.jar usr/share/tomcat6/lib/$$i.jar; done
+	mh_installjar -plibtomcat6-java -l --usj-name=catalina-tribes debian/poms/tribes.pom \
+		$(BLDLIB)/catalina-tribes.jar usr/share/tomcat6/lib/catalina-tribes.jar
+	mh_installjar -plibtomcat6-java -l --usj-name=tomcat-coyote debian/poms/coyote.pom \
+		$(BLDLIB)/tomcat-coyote.jar usr/share/tomcat6/lib/tomcat-coyote.jar
+	mh_installjar -plibtomcat6-java -l --usj-name=tomcat-juli debian/poms/juli.pom $(BLDBIN)/tomcat-juli.jar
+	for i in $(T_JARS); do \
+		mv $(BLDLIB)/$$i.jar $(BLDLIB)/$$i-$(T_VER).jar && \
+		dh_install -plibtomcat6-java \
+			$(BLDLIB)/$$i-$(T_VER).jar usr/share/java && \
+		dh_link -plibtomcat6-java usr/share/java/$$i-$(T_VER).jar \
+			usr/share/java/$$i.jar && \
+		dh_link -ptomcat6-common usr/share/java/$$i-$(T_VER).jar \
+			usr/share/tomcat6/lib/$$i.jar; done
+	for i in $(T_EXTRAS_JARS); do \
+		mv output/extras/$$i.jar output/extras/$$i-$(T_VER).jar && \
+		dh_install -plibtomcat6-java \
+			output/extras/$$i-$(T_VER).jar usr/share/java && \
+		dh_link -plibtomcat6-java usr/share/java/$$i-$(T_VER).jar \
+			usr/share/java/$$i.jar && \
+		dh_link -ptomcat6-extras usr/share/java/$$i-$(T_VER).jar \
+			usr/share/tomcat6/lib/$$i.jar; done
 	dh_install --exclude=.bat --exclude=Thumbs.db
 	dh_link
 	mh_installpoms -plibservlet2.5-java
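Review bot: The re-enabled `for i in $(T_MAVENIZED_JARS)` loop ends each iteration with `mh_installjar ...; done`, so make only sees the status of the last iteration and a failed install of an earlier jar passes unnoticed. The `$(T_JARS)` and `$(T_EXTRAS_JARS)` loops chain their steps with `&&`, but a failure in any iteration except the last is masked in the same way. Ending each loop body with `|| exit 1; done`, for example `usr/share/tomcat6/lib/$$i.jar || exit 1; done`, stops the build at the first jar that fails. The `binary-indep` recipe starts before and continues after this hunk.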
@@ -123,9 +123,9 @@ binary-indep: build install
 	rm -r debian/poms
 	rm -rf debian/tomcat6/usr/share/tomcat6/webapps/default_root/.svn \
 		debian/tomcat6/usr/share/tomcat6/webapps/default_root/META-INF/.svn
-	#chmod a+x debian/tomcat6-common/usr/share/tomcat6/bin/*.sh
-	#chmod a+x debian/tomcat6-user/usr/bin/tomcat6-instance-create
-	#chmod a+x debian/tomcat6-user/usr/share/tomcat6/skel/bin/*.sh
+	chmod a+x debian/tomcat6-common/usr/share/tomcat6/bin/*.sh
+	chmod a+x debian/tomcat6-user/usr/bin/tomcat6-instance-create
+	chmod a+x debian/tomcat6-user/usr/share/tomcat6/skel/bin/*.sh
 	dh_compress
 	dh_fixperms
 	dh_installdeb
diff --git a/debian/tomcat6.cron.daily b/debian/tomcat6.cron.daily
index a585050..016018c 100644
--- a/debian/tomcat6.cron.daily
+++ b/debian/tomcat6.cron.daily
@@ -2,14 +2,11 @@
 
 NAME=tomcat6
 DEFAULT=/etc/default/$NAME
-LOGEXT=log
 
 # The following variables can be overwritten in $DEFAULT
 
 # Default for number of days to keep old log files in /var/log/tomcatN/
 LOGFILE_DAYS=14
-# Whether to compress logfiles older than today's
-LOGFILE_COMPRESS=1
 
 # End of variables that can be overwritten in $DEFAULT
 
@@ -19,12 +16,6 @@ if [ -f "$DEFAULT" ]; then
 fi
 
 if [ -d /var/log/$NAME ]; then
-	if [ $LOGFILE_COMPRESS = 1 ]; then
-		find /var/log/$NAME/ -name \*.$LOGEXT -daystart -mtime +0 -print0 \
-			| xargs --no-run-if-empty -0 gzip -9
-		LOGEXT=log.gz
-	fi
-
-	find /var/log/$NAME/ -name \*.$LOGEXT -mtime +$LOGFILE_DAYS -print0 \
+	find /var/log/$NAME/ -name \*.log -mtime +$LOGFILE_DAYS -print0 \
 		| xargs --no-run-if-empty -0 rm --
 fi
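Review bot: With the compression branch gone, the remaining cleanup matches only `\*.log`, so any `*.log.gz` files produced by earlier versions of this cron job are never removed and stay in /var/log/$NAME indefinitely. Matching both names until the old archives have aged out avoids that: `find /var/log/$NAME/ \( -name \*.log -o -name \*.log.gz \) -mtime +$LOGFILE_DAYS -print0 \`. `$LOGFILE_DAYS` can be overridden from `$DEFAULT` and is expanded unquoted, so quoting it as `+"$LOGFILE_DAYS"` is a cheap safeguard. A `LOGFILE_COMPRESS` setting left in an existing defaults file is now silently ignored, which deserves a line in the changelog.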
diff --git a/debian/tomcat6.init b/debian/tomcat6.init
index c121552..bf06d18 100644
--- a/debian/tomcat6.init
+++ b/debian/tomcat6.init
@@ -170,8 +170,11 @@ catalina_sh() {
 
 	# Run the catalina.sh script as a daemon
 	set +e
-	touch "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
-	chown $TOMCAT6_USER "$CATALINA_PID" "$CATALINA_BASE"/logs/catalina.out
+	if [ ! -f "$CATALINA_BASE"/logs/catalina.out ]; then
+		install -o $TOMCAT6_USER -g adm -m 644 /dev/null "$CATALINA_BASE"/logs/catalina.out
+	fi
+	install -o $TOMCAT6_USER -g adm -m 644 /dev/null "$CATALINA_PID"
+
 	start-stop-daemon --start -b -u "$TOMCAT6_USER" -g "$TOMCAT6_GROUP" \
 		-c "$TOMCAT6_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
 		-x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
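Review bot: Both new `install` calls run under `set +e` and their exit status is never checked, so when catalina.out or the PID file cannot be created the script still goes on to `start-stop-daemon` with `-p "$CATALINA_PID"`. `$TOMCAT6_USER` is also unquoted in these lines while the `start-stop-daemon` call below quotes it; I would write `install -o "$TOMCAT6_USER" -g adm -m 644 /dev/null "$CATALINA_PID" || return 1` (or whatever failure path catalina_sh already uses) and quote the catalina.out line the same way. These commands run as root on paths under `"$CATALINA_BASE"/logs`, and who may write to that directory is not visible here, so a comment stating the expected ownership and why `install` replaced `touch`/`chown` would help the next maintainer. catalina_sh starts before and continues after the hunk.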
diff --git a/debian/watch b/debian/watch
index a9b6a7b..740c410 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,3 +1,3 @@
 version=3
-opts=dversionmangle=s/(\da?)[\+\.\-~](?:dfsg|debian|ds|repack|repacked)\.?\d*$/$1/,uversionmangle=s/_/./g \
+opts=uversionmangle=s/_/./g \
   http://svn.apache.org/repos/asf/tomcat/tc6.0.x/tags/ TOMCAT_([0-9_]*[0-9])/ debian debian/orig-tar.sh

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat6.git


