[ubuntu/natty-security] tomcat6, tomcat6_6.0.28-10ubuntu2.2_i386_translations.tar.gz 6.0.28-10ubuntu2.2 (Accepted)

Marc Deslauriers marc.deslauriers at ubuntu.com
Tue Nov 8 13:03:36 UTC 2011 

tomcat6 (6.0.28-10ubuntu2.2) natty-security; urgency=low

  * SECURITY UPDATE: information disclosure via log file
    - debian/patches/0015-CVE-2011-2204.patch: fix logging in
      java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
      java/org/apache/catalina/users/MemoryUserDatabase.java,
      java/org/apache/catalina/users/MemoryUser.java.
    - CVE-2011-2204
  * SECURITY UPDATE: file restriction bypass or denial of service via
    untrusted web application.
    - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
      java/org/apache/catalina/connector/LocalStrings.properties,
      java/org/apache/catalina/connector/Request.java,
      java/org/apache/catalina/servlets/DefaultServlet.java,
      java/org/apache/coyote/http11/Http11AprProcessor.java,
      java/org/apache/coyote/http11/LocalStrings.properties,
      java/org/apache/tomcat/util/net/AprEndpoint.java,
      java/org/apache/tomcat/util/net/NioEndpoint.java.
    - CVE-2011-2526
  * SECURITY UPDATE: AJP request spoofing and authentication bypass
    (LP: #843701)
    - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
      bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
      java/org/apache/coyote/ajp/AjpProcessor.java.
    - CVE-2011-3190
  * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
    - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
      java/org/apache/catalina/authenticator/DigestAuthenticator.java,
      java/org/apache/catalina/authenticator/LocalStrings.properties,
      java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
      java/org/apache/catalina/realm/RealmBase.java,
      webapps/docs/config/valve.xml.
    - CVE-2011-1184

Date: Mon, 26 Sep 2011 11:27:14 -0400
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
https://launchpad.net/ubuntu/natty/+source/tomcat6/6.0.28-10ubuntu2.2
-------------- next part --------------
Format: 1.8
Date: Mon, 26 Sep 2011 11:27:14 -0400
Source: tomcat6
Binary: tomcat6-common tomcat6 tomcat6-user libtomcat6-java libservlet2.5-java libservlet2.5-java-doc tomcat6-admin tomcat6-examples tomcat6-docs
Architecture: source
Version: 6.0.28-10ubuntu2.2
Distribution: natty-security
Urgency: low
Maintainer: Ubuntu Developers <ubuntu-devel-discuss at lists.ubuntu.com>
Changed-By: Marc Deslauriers <marc.deslauriers at ubuntu.com>
Description: 
 libservlet2.5-java - Servlet 2.5 and JSP 2.1 Java API classes
 libservlet2.5-java-doc - Servlet 2.5 and JSP 2.1 Java API documentation
 libtomcat6-java - Servlet and JSP engine -- core libraries
 tomcat6    - Servlet and JSP engine
 tomcat6-admin - Servlet and JSP engine -- admin web applications
 tomcat6-common - Servlet and JSP engine -- common files
 tomcat6-docs - Servlet and JSP engine -- documentation
 tomcat6-examples - Servlet and JSP engine -- example web applications
 tomcat6-user - Servlet and JSP engine -- tools to create user instances
Launchpad-Bugs-Fixed: 843701
Changes: 
 tomcat6 (6.0.28-10ubuntu2.2) natty-security; urgency=low
 .
   * SECURITY UPDATE: information disclosure via log file
     - debian/patches/0015-CVE-2011-2204.patch: fix logging in
       java/org/apache/catalina/mbeans/MemoryUserDatabaseMBean.java,
       java/org/apache/catalina/users/MemoryUserDatabase.java,
       java/org/apache/catalina/users/MemoryUser.java.
     - CVE-2011-2204
   * SECURITY UPDATE: file restriction bypass or denial of service via
     untrusted web application.
     - debian/patches/0016-CVE-2011-2526.patch: check canonical name in
       java/org/apache/catalina/connector/LocalStrings.properties,
       java/org/apache/catalina/connector/Request.java,
       java/org/apache/catalina/servlets/DefaultServlet.java,
       java/org/apache/coyote/http11/Http11AprProcessor.java,
       java/org/apache/coyote/http11/LocalStrings.properties,
       java/org/apache/tomcat/util/net/AprEndpoint.java,
       java/org/apache/tomcat/util/net/NioEndpoint.java.
     - CVE-2011-2526
   * SECURITY UPDATE: AJP request spoofing and authentication bypass
     (LP: #843701)
     - debian/patches/0017-CVE-2011-3190.patch: Properly handle request
       bodies in java/org/apache/coyote/ajp/AjpAprProcessor.java,
       java/org/apache/coyote/ajp/AjpProcessor.java.
     - CVE-2011-3190
   * SECURITY UPDATE: HTTP DIGEST authentication weaknesses
     - debian/patches/0018-CVE-2011-1184.patch: add new nonce options in
       java/org/apache/catalina/authenticator/DigestAuthenticator.java,
       java/org/apache/catalina/authenticator/LocalStrings.properties,
       java/org/apache/catalina/authenticator/mbeans-descriptors.xml,
       java/org/apache/catalina/realm/RealmBase.java,
       webapps/docs/config/valve.xml.
     - CVE-2011-1184
Checksums-Sha1: 
 a8f3e1ae5b9717b79a8a97b805b6631fe257fa7a 2376 tomcat6_6.0.28-10ubuntu2.2.dsc
 de62ea013c1fe0ec7cc7b433a2702a78ca11b559 56446 tomcat6_6.0.28-10ubuntu2.2.debian.tar.gz
Checksums-Sha256: 
 d1f09d8ad4cc994f611ad9c781ceb32ce2f3a1a45b811e11929d1ab8d016089b 2376 tomcat6_6.0.28-10ubuntu2.2.dsc
 3c90ecb18fc647789d0ac0ad9b4c13ace982ff38995fe970e1b7d1979271c9f4 56446 tomcat6_6.0.28-10ubuntu2.2.debian.tar.gz
Files: 
 6572af1caa0be38740e26ddbf80aaa2d 2376 java optional tomcat6_6.0.28-10ubuntu2.2.dsc
 69f0f6040d0cc71e637fd1edf0fe7460 56446 java optional tomcat6_6.0.28-10ubuntu2.2.debian.tar.gz
Original-Maintainer: Debian Java Maintainers <pkg-java-maintainers at lists.alioth.debian.org>

More information about the Natty-changes mailing list