[ubuntu/maverick-security] tomcat6 6.0.28-2ubuntu1.5 (Accepted)
Marc Deslauriers
marc.deslauriers at ubuntu.com
Tue Nov 8 13:03:47 UTC 2011
tomcat6 (6.0.28-2ubuntu1.5) maverick-security; urgency=low
* SECURITY UPDATE: information disclosure via log file
- debian/patches/0015-CVE-2011-2204.patch: fix logging in
java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
java/org/apache/catalina/users/MemoryUserDatabase.java,
java/org/apache/catalina/users/MemoryUser.java.
- CVE-2011-2204
* SECURITY UPDATE: file restriction bypass or denial of service via
untrusted web application.
- debian/patches/0016-CVE-2011-2526.patch: check canonical name in
java/org/apache/catalina/connector/LocalStrings.properties,
java/org/apache/catalina/connector/Request.java,
java/org/apache/catalina/servlets/DefaultServlet.java,
java/org/apache/coyote/http11/Http11AprProcessor.java,
java/org/apache/coyote/http11/LocalStrings.properties,
java/org/apache/tomcat/util/net/AprEndpoint.java,
java/org/apache/tomcat/util/net/NioEndpoint.java.
- CVE-2011-2526
* SECURITY UPDATE: AJP request spoofing and authentication bypass
(LP: #843701)
- debian/patches/0017-CVE-2011-3190.patch: Properly handle request
bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
java/org/apache/coyote/ajp/AjpProcessor.java.
- CVE-2011-3190
* SECURITY UPDATE: HTTP DIGEST authentication weaknesses
- debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
java/org/apache/catalina/authenticator/DigestAuthenticator.java,
java/org/apache/catalina/authenticator/LocalStrings.properties,
java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
java/org/apache/catalina/realm/RealmBase.java,
webapps/docs/config/valve.xml.
- CVE-2011-1184
* This package does _not_ contain the changes that were in
6.0.28-2ubuntu1.3 in -proposed.
Date: Mon, 26 Sep 2011 11:48:20 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/maverick/+source/tomcat6/6.0.28-2ubuntu1.5
-------------- next part --------------
Format: 1.8
Date: Mon, 26 Sep 2011 11:48:20 -0400
Source: tomcat6
Binary: tomcat6-common tomcat6 tomcat6-user libtomcat6-java libservlet2.5-java libservlet2.5-java-doc tomcat6-admin tomcat6-examples tomcat6-docs
Architecture: source
Version: 6.0.28-2ubuntu1.5
Distribution: maverick-security
Urgency: low
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Description:
libservlet2.5-java - Servlet 2.5 and JSP 2.1 Java API classes
libservlet2.5-java-doc - Servlet 2.5 and JSP 2.1 Java API documentation
libtomcat6-java - Servlet and JSP engine -- core libraries
tomcat6 - Servlet and JSP engine
tomcat6-admin - Servlet and JSP engine -- admin web applications
tomcat6-common - Servlet and JSP engine -- common files
tomcat6-docs - Servlet and JSP engine -- documentation
tomcat6-examples - Servlet and JSP engine -- example web applications
tomcat6-user - Servlet and JSP engine -- tools to create user instances
Launchpad-Bugs-Fixed: 843701
Changes:
tomcat6 (6.0.28-2ubuntu1.5) maverick-security; urgency=low
.
* SECURITY UPDATE: information disclosure via log file
- debian/patches/0015-CVE-2011-2204.patch: fix logging in
java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
java/org/apache/catalina/users/MemoryUserDatabase.java,
java/org/apache/catalina/users/MemoryUser.java.
- CVE-2011-2204
* SECURITY UPDATE: file restriction bypass or denial of service via
untrusted web application.
- debian/patches/0016-CVE-2011-2526.patch: check canonical name in
java/org/apache/catalina/connector/LocalStrings.properties,
java/org/apache/catalina/connector/Request.java,
java/org/apache/catalina/servlets/DefaultServlet.java,
java/org/apache/coyote/http11/Http11AprProcessor.java,
java/org/apache/coyote/http11/LocalStrings.properties,
java/org/apache/tomcat/util/net/AprEndpoint.java,
java/org/apache/tomcat/util/net/NioEndpoint.java.
- CVE-2011-2526
* SECURITY UPDATE: AJP request spoofing and authentication bypass
(LP: #843701)
- debian/patches/0017-CVE-2011-3190.patch: Properly handle request
bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
java/org/apache/coyote/ajp/AjpProcessor.java.
- CVE-2011-3190
* SECURITY UPDATE: HTTP DIGEST authentication weaknesses
- debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
java/org/apache/catalina/authenticator/DigestAuthenticator.java,
java/org/apache/catalina/authenticator/LocalStrings.properties,
java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
java/org/apache/catalina/realm/RealmBase.java,
webapps/docs/config/valve.xml.
- CVE-2011-1184
* This package does _not_ contain the changes that were in
6.0.28-2ubuntu1.3 in -proposed.
Checksums-Sha1:
4860fb0cc96f13cf7e3a15048e29fae9aeb8b778 2360 tomcat6_6.0.28-2ubuntu1.5.dsc
0bd6ae955b08dc60190f283e800a8acc351dde25 49303 tomcat6_6.0.28-2ubuntu1.5.debian.tar.gz
Checksums-Sha256:
3c7d616679016cce425cd95f99a2ddeb2d06c33fd006401b57fa8b86ac6619fe 2360 tomcat6_6.0.28-2ubuntu1.5.dsc
e4ed217712568e905c84dfa02bc2cc1dcf1a32c7ab56d40a104e12101b23e8c2 49303 tomcat6_6.0.28-2ubuntu1.5.debian.tar.gz
Files:
0fca1b05d93a799091f2a610c62b4b64 2360 java optional tomcat6_6.0.28-2ubuntu1.5.dsc
2c2d38b58ffefb572626f4cc50da88af 49303 java optional tomcat6_6.0.28-2ubuntu1.5.debian.tar.gz
Original-Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>
More information about the Maverick-changes
mailing list