[Bug 179491] Re: please merge tomcat5.5 (5.5.25-4) from Debian unstable (main)

mlind matti.lindell at gmail.com
Mon Dec 31 02:17:50 GMT 2007


** Attachment added: "Proposed merge of tomcat5.5 (5.5.25-4)"
   http://launchpadlibrarian.net/11100730/debdiff.txt

** Description changed:

  Binary package hint: tomcat5.5
  
  Please consider merging tomcat5.5 from Debian unstable as it contains
  fixes for several CVE's and important packaging fixes.
  
  Ubuntu changes that can be dropped:
    - Build-depends on xsltproc: tomcat5.5 package used to build documentation using xsltproc, but is now using Xalan-Java (libxalan2-java). I reckon the build dependency was unnecessarily carried around during merges as Debian stopped using it since 5.5.20-2 (related patches were dropped as well). It's not used in build process and the documentation looks the same with or without it. (http://www.mail-archive.com/debian-java@lists.debian.org/msg11269.html and Debian 5.5.20-2 changelog entry).
  
  New Ubuntu changes are bugfixes, forwarded as:
  * Opened http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=458411
  * Reopened http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=452366
  
  
- New Debian version also fixes #173692 and #161882.
+ New Debian version also fixes Bug #173692 and Bug #161882.

** Description changed:

  Binary package hint: tomcat5.5
  
  Please consider merging tomcat5.5 from Debian unstable as it contains
  fixes for several CVE's and important packaging fixes.
  
  Ubuntu changes that can be dropped:
    - Build-depends on xsltproc: tomcat5.5 package used to build documentation using xsltproc, but is now using Xalan-Java (libxalan2-java). I reckon the build dependency was unnecessarily carried around during merges as Debian stopped using it since 5.5.20-2 (related patches were dropped as well). It's not used in build process and the documentation looks the same with or without it. (http://www.mail-archive.com/debian-java@lists.debian.org/msg11269.html and Debian 5.5.20-2 changelog entry).
  
  New Ubuntu changes are bugfixes, forwarded as:
  * Opened http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=458411
  * Reopened http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=452366
  
  
  New Debian version also fixes Bug #173692 and Bug #161882.
+ 
+ New Debian changes:
+ 
+ tomcat5.5 (5.5.25-4) unstable; urgency=high
+ 
+   * CVE-2007-5342: Fix unauthorized modification of data because of
+     too open permissions. Closes: #458237.
+   * Always clean temporary directory on startup. Closes: #456608.
+ 
+  -- Michael Koch <konqueror at gmx.de>  Sat, 29 Dec 2007 20:15:40 +0100
+ 
+ tomcat5.5 (5.5.25-3) unstable; urgency=low
+ 
+   * debian/libtomcat5.5-java.links: Removed links for xml-apis.jar and
+     xercesImpl.jar. Closes: #443382, #455495.
+   * Added libgnumail-java to Build-Depends. Closes: #454312.
+   * Updated Standards-Version to 3.7.3.
+ 
+  -- Michael Koch <konqueror at gmx.de>  Thu, 13 Dec 2007 22:15:18 +0100
+ 
+ tomcat5.5 (5.5.25-2) unstable; urgency=high
+ 
+   [ Michael Koch ]
+   CVE-2007-5461:
+   * Fix absolute path traversal vulnerability. Closes: #448664.
+ 
+   [ Marcus Better ]
+   * Add required commons-io symlink to the admin webapp, which fixes WAR
+     file uploads. (Closes: #452366)
+   * debian/control: Use the new Homepage and Vcs-* fields.
+   * debian/NEWS: Remove outdated entry.
+ 
+  -- Michael Koch <konqueror at gmx.de>  Fri, 30 Nov 2007 10:46:33 +0100

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5342

** CVE added: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=2007-5461

-- 
please merge tomcat5.5 (5.5.25-4) from Debian unstable (main)
https://bugs.launchpad.net/bugs/179491
You received this bug notification because you are a member of Ubuntu
Sponsors for universe, which is a direct subscriber.


