tomcat8 (8.0.14-1+deb8u11) jessie-security; urgency=high

  * Fix CVE-2017-7674:
    The CORS Filter did not add an HTTP Vary header indicating that the
    response varies depending on Origin. This permitted client and server side
    cache poisoning in some circumstances.

 -- Sebastien Delafond <seb@debian.org>  Fri, 15 Sep 2017 13:18:33 +0200
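
As an added illustration of the CVE-2017-7674 entry above (example code, not part of the changelog or of Tomcat itself), the toy shared cache below shows what a missing "Vary: Origin" does: the cache keys on the URL alone, so the first Origin to arrive decides the Access-Control-Allow-Origin header every later client is served. The origins, URL and cache model are constructed for the demonstration.

```python
# Added example (not from the changelog or from Tomcat): a toy shared cache
# showing why a CORS filter must emit "Vary: Origin" (CVE-2017-7674). Without
# it the cache keys on the URL alone, so whichever Origin arrives first fixes
# the Access-Control-Allow-Origin header served to every later client.
ALLOWED_ORIGINS = {"https://app.example"}  # constructed for the demo


def cors_filter(origin, add_vary):
    """Headers a CORS filter attaches; the vulnerable filter never set Vary."""
    headers = {"Vary": "Origin"} if add_vary else {}
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
    return headers


class SharedCache:  # keyed on URL plus the request-header values named in Vary
    def __init__(self):
        self.store = {}  # url -> (vary fields, {secondary key: response})

    @staticmethod
    def _key(req, vary_fields):
        return tuple(req.get(f, "") for f in vary_fields)

    def get(self, url, req):
        vary_fields, variants = self.store.get(url, ((), {}))
        return variants.get(self._key(req, vary_fields))

    def put(self, url, req, resp):
        fields = tuple(f.strip() for f in resp.get("Vary", "").split(",") if f)
        entry = self.store.get(url)
        if entry is None or entry[0] != fields:
            entry = self.store[url] = (fields, {})
        entry[1][self._key(req, fields)] = resp


def fetch(cache, url, origin, add_vary):
    """One client request through the cache; returns the ACAO value it sees."""
    req = {"Origin": origin}
    resp = cache.get(url, req)
    if resp is None:
        resp = cors_filter(origin, add_vary)
        cache.put(url, req, resp)
    return resp.get("Access-Control-Allow-Origin")


def poisoning_demo(add_vary):
    """An unapproved origin primes the cache, then the real application asks."""
    cache = SharedCache()
    fetch(cache, "/api/data", "https://other.example", add_vary)
    return fetch(cache, "/api/data", "https://app.example", add_vary)
```

With add_vary=False the legitimate origin receives the cached response that carries no Access-Control-Allow-Origin header at all, so its cross-origin calls fail until the entry expires; with add_vary=True each Origin gets its own cache variant.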

tomcat8 (8.0.14-1+deb8u10) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2017-5664.
    The error page mechanism of the Java Servlet Specification requires that,
    when an error occurs and an error page is configured for the error that
    occurred, the original request and response are forwarded to the error
    page. This means that the request is presented to the error page with the
    original HTTP method. If the error page is a static file, expected
    behaviour is to serve content of the file as if processing a GET request,
    regardless of the actual HTTP method. The Default Servlet in Apache Tomcat
    did not do this. Depending on the original request this could lead to
    unexpected and undesirable results for static error pages including, if the
    DefaultServlet is configured to permit writes, the replacement or removal
    of the custom error page. (Closes: #864447)

 -- Markus Koschany <apo@debian.org>  Tue, 20 Jun 2017 20:26:44 +0200

tomcat8 (8.0.14-1+deb8u9) jessie-security; urgency=high

  * Team upload.
  * Fix the following security vulnerabilities:
   - CVE-2017-5647:
     A bug in the handling of the pipelined requests when send file was used
     resulted in the pipelined request being lost when send file processing of
     the previous request completed. This could result in responses appearing
     to be sent for the wrong request. For example, a user agent that sent
     requests A, B and C could see the correct response for request A, the
     response for request C for request B and no response for request C.
   - CVE-2017-5648:
     It was noticed that some calls to application listeners did not use the
     appropriate facade object. When running an untrusted application under a
     SecurityManager, it was therefore possible for that untrusted application
     to retain a reference to the request or response object and thereby access
     and/or modify information associated with another web application.

 -- Markus Koschany <apo@debian.org>  Sun, 30 Apr 2017 21:38:43 +0200

tomcat8 (8.0.14-1+deb8u8) jessie-security; urgency=high

  * Team upload.
  * Add BZ57544-infinite-loop-part2.patch.
    Fix regression (400 HTTP errors) due to an incomplete fix for
    CVE-2017-6056. See #854551 for further information.

 -- Markus Koschany <apo@debian.org>  Sat, 18 Feb 2017 18:44:25 +0100

tomcat8 (8.0.14-1+deb8u7) jessie-security; urgency=high

  * Team upload.
  * Add BZ57544-infinite-loop.patch: It was found that https GET requests could
    trigger an infinite loop and thus cause a denial-of-service.
    (Closes: #851304)

 -- Markus Koschany <apo@debian.org>  Mon, 13 Feb 2017 10:34:43 +0100

tomcat8 (8.0.14-1+deb8u6) jessie-security; urgency=high

  * Fixed CVE-2016-8745: A bug in the error handling of the send file code for
    the NIO HTTP connector resulted in the current Processor object being added
    to the Processor cache multiple times. This in turn meant that the same
    Processor could be used for concurrent requests. Sharing a Processor can
    result in information leakage between requests including, but not limited
    to, session ID and the response body.

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 05 Jan 2017 17:10:29 +0100

tomcat8 (8.0.14-1+deb8u5) jessie-security; urgency=high

  * Fixed CVE-2016-9774: Potential privilege escalation when the tomcat8
    package is upgraded. Thanks to Paul Szabo for the report (Closes: #845393)
  * Fixed CVE-2016-9775: Potential privilege escalation when the tomcat8
    package is purged. Thanks to Paul Szabo for the report (Closes: #845385)
  * Fixed CVE-2016-6816: The code that parsed the HTTP request line permitted
    invalid characters. This could be exploited, in conjunction with a proxy
    that also permitted the invalid characters but with a different
    interpretation, to inject data into the HTTP response. By manipulating the
    HTTP response the attacker could poison a web-cache, perform an XSS attack
    and/or obtain sensitive information from requests other than their own.
  * Fixed CVE-2016-8735: The JmxRemoteLifecycleListener was not updated to take
    account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations
    using this listener remained vulnerable to a similar remote code execution
    vulnerability. This issue has been rated as important rather than critical
    due to the small number of installations using this listener and that it
    would be highly unusual for the JMX ports to be accessible to an attacker
    even when the listener is used.
  * Backported the fix for upstream bug 57377: Remove the restriction that
    prevented the use of SSL when specifying a bind address for the JMX/RMI
    server. Enable SSL to be configured for the registry as well as the server.
  * CVE-2016-5018 follow-up: Applied a missing modification fixing
    a ClassNotFoundException when the security manager is enabled (see #846298)
  * CVE-2016-6797 follow-up: Fixed a regression preventing some applications
    from accessing the global resources (see #845425)
  * CVE-2015-5345 follow-up: Applied a missing modification to DefaultServlet
  * Backported a fix for a test failure in Test*NonLoginAndBasicAuthenticator
    with recent JREs
  * Backported a fix disabling the broken SSLv3 tests
  * Refreshed the expired SSL certificates used by the tests
  * Set the locale when running the tests to prevent locale sensitive tests
    from failing
  * Added asm-all.jar to the test classpath to fix TestWebappServiceLoader
  * Fixed a test failure in the new TestNamingContext test added with the fix
    for CVE-2016-6797
  * Test failures are no longer ignored and now stop the build

 -- Emmanuel Bourg <ebourg@apache.org>  Sat, 17 Dec 2016 09:19:36 +0100

tomcat8 (8.0.14-1+deb8u4) jessie-security; urgency=medium

  * Fixed CVE-2016-0762: The Realm implementations did not process the supplied
    password if the supplied user name did not exist. This made a timing attack
    possible to determine valid user names.
  * Fixed CVE-2016-5018: A malicious web application was able to bypass
    a configured SecurityManager via a Tomcat utility method that was
    accessible to web applications.
  * Fixed CVE-2016-6794: When a SecurityManager is configured, a web
    application's ability to read system properties should be controlled by
    the SecurityManager. Tomcat's system property replacement feature for
    configuration files could be used by a malicious web application to bypass
    the SecurityManager and read system properties that should not be visible.
  * Fixed CVE-2016-6796: A malicious web application was able to bypass
    a configured SecurityManager via manipulation of the configuration
    parameters for the JSP Servlet.
  * Fixed CVE-2016-6797: The ResourceLinkFactory did not limit web application
    access to global JNDI resources to those resources explicitly linked to the
    web application. Therefore, it was possible for a web application to access
    any global JNDI resource whether an explicit ResourceLink had been
    configured or not.
  * CVE-2016-1240 follow-up:
    - The previous init.d fix was vulnerable to a race condition that could
      be exploited to make any existing file writable by the tomcat user.
      Thanks to Paul Szabo for the report and the fix.
    - The catalina.policy file generated on startup was affected by a similar
      vulnerability that could be exploited to overwrite any file on the system.
      Thanks to Paul Szabo for the report.
  * Hardened the init.d script, thanks to Paul Szabo (Closes: #840685)

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 17 Nov 2016 09:00:15 +0100
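
As an added illustration of the CVE-2016-0762 entry above (example code, not part of the changelog or of Tomcat's Realm implementations), the two authenticate functions below contrast the leaky shape, which returns before hashing when the user name is unknown, with the fixed shape, which always performs the password computation against a dummy credential. The user database, salts and PBKDF2 parameters are constructed for the demonstration.

```python
# Added example (not from the changelog or from Tomcat): why a Realm must run
# the password check even for unknown user names (CVE-2016-0762). Skipping the
# hash when the lookup fails makes "no such user" measurably faster than
# "wrong password", which lets a remote client enumerate valid accounts.
# The user database, salts and PBKDF2 parameters below are constructed.
import hashlib
import hmac
import os
import time

ITERATIONS = 20_000  # constructed; real deployments tune this per hardware


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


SALT = os.urandom(16)
USERS = {"alice": (SALT, hash_password("correct horse", SALT))}
# A credential that can never match, used to keep unknown-user timing equal.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = hash_password(os.urandom(16).hex(), DUMMY_SALT)


def authenticate_leaky(username, password):
    """Vulnerable shape: unknown users return before any hashing is done."""
    if username not in USERS:
        return False
    salt, stored = USERS[username]
    return hmac.compare_digest(hash_password(password, salt), stored)


def authenticate_fixed(username, password):
    """Fixed shape: always hash, against the dummy credential when unknown."""
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored) and username in USERS


def timing_ratio(auth, rounds=5):
    """How much slower a wrong-password attempt is than an unknown-user one."""
    def measure(user):
        start = time.perf_counter()
        for _ in range(rounds):
            auth(user, "not the password")
        return time.perf_counter() - start
    return measure("alice") / measure("nobody")
```

timing_ratio(authenticate_leaky) comes out orders of magnitude above 1, while timing_ratio(authenticate_fixed) stays close to 1; the constant-time compare_digest closes the remaining comparison-length channel.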

tomcat8 (8.0.14-1+deb8u3) jessie-security; urgency=high

  * Team upload.
  * Fix CVE-2016-1240:
    tomcat8.init: Protect /var/lib/tomcat8/catalina.out against a symlink
    attack and possible root privilege escalation.
  * Do not unconditionally overwrite files in /etc/tomcat8 anymore.
    (Closes: #825786)
  * Change file permissions to 640 for Debian files in /etc/tomcat8.

 -- Markus Koschany <apo@debian.org>  Mon, 15 Aug 2016 17:38:02 +0200

tomcat8 (8.0.14-1+deb8u2) jessie-security; urgency=high

  * Team upload.

  [ Emmanuel Bourg ]
  * Fix CVE-2016-3092: Denial-of-Service vulnerability with file uploads

  [ Markus Koschany ]
  * Fix CVE-2015-5174:
    Directory traversal vulnerability in RequestUtil.java allows remote
    authenticated users to bypass intended SecurityManager restrictions and
    list a parent directory via a /.. (slash dot dot) in a pathname used by a
    web application in a getResource, getResourceAsStream, or getResourcePaths
    call, as demonstrated by the $CATALINA_BASE/webapps directory.
  * Fix CVE-2015-5345:
    The Mapper component in Apache Tomcat processes redirects before
    considering security constraints and Filters, which allows remote attackers
    to determine the existence of a directory via a URL that lacks a trailing /
    (slash) character.
  * Fix CVE-2015-5346:
    Session fixation vulnerability in Apache Tomcat when different session
    settings are used for deployments of multiple versions of the same web
    application, might allow remote attackers to hijack web sessions by
    leveraging use of a requestedSessionSSL field for an unintended request,
    related to CoyoteAdapter.java and Request.java.
  * Fix CVE-2015-5351:
    The Manager and Host Manager applications in Apache Tomcat establish
    sessions and send CSRF tokens for arbitrary new requests, which allows
    remote attackers to bypass a CSRF protection mechanism by using a token.
  * Fix CVE-2016-0706:
    Apache Tomcat does not place
    org.apache.catalina.manager.StatusManagerServlet on the
    org/apache/catalina/core/RestrictedServlets.properties list, which allows
    remote authenticated users to bypass intended SecurityManager restrictions
    and read arbitrary HTTP requests, and consequently discover session ID
    values, via a crafted web application.
  * Fix CVE-2016-0714:
    The session-persistence implementation in Apache Tomcat mishandles session
    attributes, which allows remote authenticated users to bypass intended
    SecurityManager restrictions and execute arbitrary code in a privileged
    context via a web application that places a crafted object in a session.
  * Fix CVE-2016-0763:
    The setGlobalContext method in
    org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does
    not consider whether ResourceLinkFactory.setGlobalContext callers are
    authorized, which allows remote authenticated users to bypass intended
    SecurityManager restrictions and read or write to arbitrary application
    data, or cause a denial of service (application disruption), via a web
    application that sets a crafted global context.

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 23 Jun 2016 00:27:20 +0200

tomcat8 (8.0.14-1+deb8u1) jessie-security; urgency=medium

  * Fixed CVE-2014-7810: Malicious web applications could use expression
    language to bypass the protections of a Security Manager as expressions
    were evaluated within a privileged code section.

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 18 Dec 2015 10:20:56 +0100

tomcat8 (8.0.14-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Build depend on libcglib3-java instead of libcglib-java
  * Standards-Version updated to 3.9.6 (no changes)

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 29 Sep 2014 13:23:43 +0200

tomcat8 (8.0.12-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Fixed the tomcat8-examples configuration (Closes: #753372)
  * No longer create the common/server/shared directories under
    /var/lib/tomcat8, and use a unique lib directory as documented
    upstream since Tomcat 6. The old directories are still supported
    if inherited from a previous installation (Closes: #754386)
  * Depend on libecj-java >= 3.10.0 to support the new Java 8 syntax in JSPs
  * Install the missing tomcat-dbcp.jar in libtomcat8-java and use it as
    the default JDBC pool implementation instead of Commons DBCP.
  * Removed the obsolete patch 0012-java7-compat.patch
  * Tightened the build dependency on junit4 (>= 4.11)
  * Build the Javadoc with the JDK specified by the JAVA_HOME variable
    instead of the default JDK (this fixes a build failure when backporting
    to Wheezy)
  * Removed the note about the authbind IPv6 incompatibility
    in /etc/defaults/tomcat8

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 17 Sep 2014 16:23:52 +0200

tomcat8 (8.0.9-1) unstable; urgency=medium

  [ Emmanuel Bourg ]
  * New upstream release
    - Refreshed the patches
  * Search for OpenJDK 8 and Oracle JDKs when starting the server
  * Removed the dependency on the non-existent java-7-runtime package
  * Fixed a link still pointing to the Tomcat 7 documentation in README.Debian
  * Updated the version required for libtcnative-1 (>= 1.1.30)

  [ tony mancill ]
  * Update README.Debian with information about migration guides.

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 24 Jun 2014 21:28:37 +0200

tomcat8 (8.0.8-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 22 May 2014 13:01:55 +0200

tomcat8 (8.0.5-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Disabled Java 8 support in JSPs (requires an Eclipse compiler update)
  * Fixed the name of the doc-base file for libservlet3.1-java (Closes: #746338)
  * Update email addresses of maintainers.

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 29 Apr 2014 10:22:45 +0200

tomcat8 (8.0.3-1) unstable; urgency=medium

  [ Emmanuel Bourg ]
  * Team upload.
  * New upstream release (Closes: #722675)
    - Updated the version of the Servlet, JSP and EL APIs
    - Switched to Java 7
    - Updated the watch file to match the Tomcat 8 releases
    - Refreshed the patches
    - Updated debian/copyright, documented the xsd files licensed under the CDDL
    - Installed the new jars (spdy, jni, websocket, websocket-api, storeconfig)
    - Updated the artifactId of the specification jars to include
      the new javax prefix
    - Added the javax.websocket-api artifact to libservlet3.1-java
    - New build dependency on cglib, easymock and objenesis
  * Added a patch to include the name of the distribution on the error pages
  * Use XZ compression for the upstream tarball
  * debian/control:
    - Replaced Sun Microsystems with Oracle in the packages descriptions
    - Mentioned 'Apache Tomcat' in the packages descriptions
    - Standards-Version updated to 3.9.5 (no changes)
  * Deploy the Tomcat artifacts in the Maven repository with the 8.x version
    instead of 'debian' to avoid conflicts with other versions of Tomcat.
  * Hard coded the versions in the poms in debian/javaxpoms to fix the version
    of the dependencies for jsp-api
  * Renamed the jars in /usr/share/java to tomcat8-xxx to avoid conflicts
    with other versions of Tomcat
  * Added the missing descriptions to the patches
  * Added a patch to ignore the failing tests
  * Moved the tomcat-{servlet|jsp|el}-api artifacts from libservlet3.1-java
    to libtomcat8-java and changed their versions to the Tomcat version instead
    of the specification version.
  * Removed libservlet3.1-java.links defining the tomcat-* links
    in /usr/share/java with the specifications versions
  * The symlinks to /usr/share/tomcat8/lib are no longer split between the two
    packages libtomcat8-java and tomcat8-common. tomcat8-common assembles all
    the jars required by Tomcat (tomcat jars + dbcp + pool). libtomcat8-java
    deploys only the jars in /usr/share/java and the Maven artifacts in
    /usr/share/maven-repo.
  * Added the EL and WebSocket APIs to libservlet3.1-java-doc
  * Added a Lintian override for the incompatible-java-bytecode-format warning
    since Tomcat requires Java 7
  * Added a Lintian override to clear the codeless-jar warnings
    on the tomcat-i18n jars instead of a patch turning them into zip files.
  * Removed 0011-fix-classpath-lintian-warnings.patch and specified
    the classpath of jasper.jar in libtomcat8-java.manifest instead.
  [ tony mancill ]
  * Include tomcat-util-scan.jar in the libtomcat8-java package.
  * Remove debian/NEWS (inapplicable to this release).
  * Prune debian/changelog to only contain tomcat8 entries.

 -- Emmanuel Bourg <ebourg@apache.org>  Sat, 15 Mar 2014 23:23:14 +0100
