tomcat8 (8.5.30-1ubuntu1) bionic; urgency=medium * control: Break/replace tomcat8.0 binaries. (LP: #1717998) -- Timo Aaltonen Thu, 19 Apr 2018 14:53:19 +0300 tomcat8 (8.5.30-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches * Standards-Version updated to 4.1.4 -- Emmanuel Bourg Thu, 12 Apr 2018 09:49:28 +0200 tomcat8 (8.5.29-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches -- Emmanuel Bourg Mon, 12 Mar 2018 16:43:57 +0100 tomcat8 (8.5.28-1) unstable; urgency=medium * New upstream release - Refreshed the patches - Disabled the tests checking the ARIA cipher since it isn't enabled by default in OpenSSL * Standards-Version updated to 4.1.3 * Switch to debhelper level 11 * Use a secure URL for checking and downloading the new releases * No longer parse dpkg-parsechangelog in debian/rules -- Emmanuel Bourg Fri, 16 Feb 2018 13:43:01 +0100 tomcat8 (8.5.24-2) unstable; urgency=medium * Team upload. * Removed the setDefaultAsyncSendTimeout method mistakenly added to javax.websocket.WebSocketContainer in the version 8.5.24 (Closes: #884046) -- Emmanuel Bourg Thu, 14 Dec 2017 12:35:33 +0100 tomcat8 (8.5.24-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches * Standards-Version updated to 4.1.2 -- Emmanuel Bourg Fri, 01 Dec 2017 09:20:18 +0100 tomcat8 (8.5.23-1) unstable; urgency=medium * Team upload. * New upstream release * Standards-Version updated to 4.1.1 -- Emmanuel Bourg Fri, 13 Oct 2017 00:01:48 +0200 tomcat8 (8.5.21-1) unstable; urgency=medium * Team upload. [ Emmanuel Bourg ] * New upstream release - Refreshed the patches - Disabled Checkstyle * Changed the Class-Path manifest entry of tomcat8-jasper.jar to use the specification jars from libtomcat8-java instead of libservlet3.1-java (Closes: #867247) [ Miguel Landaeta ] * Remove myself from uploaders. (Closes: #871892) * Update copyright info. -- Emmanuel Bourg Wed, 20 Sep 2017 10:06:56 +0200 tomcat8 (8.5.16-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches * Standards-Version updated to 4.0.0 -- Emmanuel Bourg Mon, 26 Jun 2017 16:03:53 +0200 tomcat8 (8.5.15-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches -- Emmanuel Bourg Wed, 21 Jun 2017 13:00:44 +0200 tomcat8 (8.5.14-2) unstable; urgency=high * Team upload. * Fixed CVE-2017-5664: Static error pages can be overwritten if the DefaultServlet is configured to permit writes (Closes: #864447) -- Emmanuel Bourg Thu, 08 Jun 2017 12:28:34 +0200 tomcat8 (8.5.14-1) unstable; urgency=medium * Team upload. * New upstream release - Removed the CVE patches (fixed in this release) -- Emmanuel Bourg Mon, 08 May 2017 00:17:52 +0200 tomcat8 (8.5.12-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches -- Emmanuel Bourg Tue, 18 Apr 2017 09:53:23 +0200 tomcat8 (8.5.11-2) unstable; urgency=medium * Team upload. * Fix the following security vulnerabilities (Closes: #860068): Thanks to Salvatore Bonaccorso for the report. - CVE-2017-5647: A bug in the handling of the pipelined requests when send file was used resulted in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C. - CVE-2017-5648: It was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application. - CVE-2017-5650: The handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads. - CVE-2017-5651: The refactoring of the HTTP connectors for 8.5.x onwards, introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up. * debian/control: tomcat8: Fix Lintian error and depend on lsb-base. -- Markus Koschany Wed, 12 Apr 2017 09:58:46 +0200 tomcat8 (8.5.11-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches * Recommend Java 8 in /etc/default/tomcat8 -- Emmanuel Bourg Tue, 17 Jan 2017 15:09:30 +0100 tomcat8 (8.5.9-2) unstable; urgency=medium * Team upload. * Require Java 8 or higher (Closes: #848612) -- Emmanuel Bourg Mon, 19 Dec 2016 15:35:19 +0100 tomcat8 (8.5.9-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches * Restored the classloading from the common, server and shared directories under CATALINA_BASE (Closes: #847137) * Fixed the installation error when JAVA_OPTS in /etc/default/tomcat8 contains the '%' character (Closes: #770911) -- Emmanuel Bourg Thu, 08 Dec 2016 22:26:36 +0100 tomcat8 (8.5.8-2) unstable; urgency=medium * Team upload. * Upload to unstable. * No longer make /etc/tomcat8/Catalina/localhost writable by the tomcat8 user in the postinst script (Closes: #845393) * The tomcat8 user is no longer removed when the package is purged (Closes: #845385) * Compress and remove the access log files with a .txt extension (Closes: #845661) * Added the delaycompress option to the logrotate configuration of catalina.out (Closes: #843135) * Changed the home directory for the tomcat8 user from /usr/share/tomcat8 to /var/lib/tomcat8 (Closes: #833261) * Aligned the logging configuration with the upstream one * Set the proper permissions for /etc/tomcat8/jaspic-providers.xml * Install the new library jaspic-api.jar * Install the Maven artifacts for tomcat-storeconfig * Simplified debian/rules -- Emmanuel Bourg Thu, 01 Dec 2016 18:41:14 +0100 tomcat8 (8.5.8-1) experimental; urgency=medium * Team upload. * New upstream release - Refreshed the patches - Tomcat no longer builds tomcat-embed-logging-juli.jar - Updated the policy files - Added a NEWS file detailing the major changes in Tomcat 8.5.x * Enabled the APR library loading by default (required for HTTP/2 support) * Promoted libtcnative-1 from suggested to recommended dependency * Enabled the APR tests * Fixed the test failure with TestStandardContextAliases * Added a link to the Tomcat 8.5 migration guide in README.Debian * Adapted debian/orig-tar.sh to download the 8.5.x releases -- Emmanuel Bourg Thu, 17 Nov 2016 23:54:35 +0100 tomcat8 (8.0.39-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches -- Emmanuel Bourg Tue, 15 Nov 2016 15:37:48 +0100 tomcat8 (8.0.38-2) unstable; urgency=high * Team upload. * CVE-2016-1240 follow-up: - The previous init.d fix was vulnerable to a race condition that could be exploited to make any existing file writable by the tomcat user. Thanks to Paul Szabo for the report and the fix. - The catalina.policy file generated on startup was affected by a similar vulnerability that could be exploited to overwrite any file on the system. Thanks to Paul Szabo for the report. * Install the extra jar catalina-jmx-remote.jar (Closes: #762916) * Added the new libtomcat8-embed-java package containing the libraries for embedding Tomcat into other applications. * Switch to debhelper level 10 -- Emmanuel Bourg Fri, 28 Oct 2016 01:17:23 +0200 tomcat8 (8.0.38-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches * Hardened the init.d script, thanks to Paul Szabo (Closes: #840685) * Fixed the OSGi metadata for tomcat8-jasper.jar and tomcat8-jasper-el.jar * Depend on libcglib-nodep-java instead of libcglib3-java * Removed the unused Lintian overrides -- Emmanuel Bourg Wed, 19 Oct 2016 11:01:03 +0200 tomcat8 (8.0.37-1) unstable; urgency=medium * Team upload. * New upstream release * Removed 0001-set-UTF-8-as-default-character-encoding.patch (fixed upstream) -- Emmanuel Bourg Mon, 19 Sep 2016 09:37:33 +0200 tomcat8 (8.0.36-3) unstable; urgency=high * Team upload. * Fixed CVE-2016-1240: A flaw in the init.d startup script allows local attackers who have gained access to the server in the context of the tomcat user through a vulnerability in a web application to replace the catalina.out file with a symlink to an arbitrary file on the system, potentially leading to a root privilege escalation. Thanks to Dawid Golunski for the report. * Removed the default 128M heap limit (LP: #568823) * Depend on taglibs-standard instead of jakarta-taglibs-standard -- Emmanuel Bourg Wed, 14 Sep 2016 10:20:28 +0200 tomcat8 (8.0.36-2) unstable; urgency=medium * Team upload. * Do not unconditionally overwrite files in /etc/tomcat8 anymore. (Closes: #825786) * Change file permissions to 640 for Debian files in /etc/tomcat8. -- Markus Koschany Tue, 02 Aug 2016 10:50:42 +0200 tomcat8 (8.0.36-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches - Depend on libecj-java (>= 3.11.0) * Standards-Version updated to 3.9.8 (no changes) * Use a secure Vcs-Git URL -- Emmanuel Bourg Tue, 14 Jun 2016 14:34:46 +0200 tomcat8 (8.0.32-1) unstable; urgency=medium * Team upload. * New upstream release * Fixed a warning in catalina.out caused by an incorrect path for the root context (Closes: #808378) * Standards-Version updated to 3.9.7 (no changes) -- Emmanuel Bourg Mon, 21 Dec 2015 11:20:10 +0100 tomcat8 (8.0.30-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches * Use LC_ALL instead of LANG to format the date and make the documentation reproducible on the builders -- Emmanuel Bourg Fri, 18 Dec 2015 11:44:06 +0100 tomcat8 (8.0.28-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches * Fixed a localized date in the documentation to improve the reproducibility -- Emmanuel Bourg Mon, 19 Oct 2015 11:12:07 +0200 tomcat8 (8.0.26-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches * Changed the authbind configuration to allow IPv6 connections (LP: #1443041) * Fixed an upgrade error when /etc/tomcat8/tomcat-users.xml is removed (LP: #1010791) * Fixed a minor HTML error in the default index.html file (LP: #1236132) -- Emmanuel Bourg Mon, 24 Aug 2015 00:30:40 +0200 tomcat8 (8.0.24-1) unstable; urgency=medium * Team upload. * New upstream release - Refreshed the patches * debian/rules: Use an english locale when generating the documentation to improve the reproducibility -- Emmanuel Bourg Wed, 08 Jul 2015 17:42:14 +0200 tomcat8 (8.0.23-1) unstable; urgency=medium * New upstream release * debian/rules: Set the 'year' and 'today-iso-8601' build variables to improve the reproducibility -- Emmanuel Bourg Tue, 26 May 2015 16:04:01 +0200 tomcat8 (8.0.22-2) unstable; urgency=medium * Replaced the date in ServerInfo.properties with the latest date in debian/changelog to make the build reproducible * debian/rules: - Modified to use the dh sequencer - Simplified the ant invocation and moved some properties to debian/ant.properties - Do not set the version.* properties already defined in build.properties.default - Renamed T_VER to VERSION - Removed the RWFILES and RWLOC variables - Merged the ANT_ARGS and ANT_INVOKE variables - No longer remove the long gone .svn directories under /usr/share/tomcat8/webapps/default_root - Let dh_fixperms set the permissions instead of calling chmod +x - Use debian/tomcat8-user.manpages instead of calling dh_installman - Updated the copyright year in the Javadoc - Simplified the call to mh_install -- Emmanuel Bourg Thu, 07 May 2015 14:13:30 +0200 tomcat8 (8.0.22-1) unstable; urgency=medium * New upstream release - Refreshed the patches - No longer install tomcat-spdy.jar (removed upstream) * Removed the timestamp from the Javadoc of the Servlet API to make the build reproducible -- Emmanuel Bourg Wed, 06 May 2015 09:30:38 +0200 tomcat8 (8.0.21-2) unstable; urgency=medium * Upload to unstable. -- Miguel Landaeta Fri, 01 May 2015 12:41:13 -0300 tomcat8 (8.0.21-1) experimental; urgency=medium * New upstream release - Refreshed the patches * debian/orig-tar.sh: Exclude the taglibs-standard-*.jar files from the upstream tarball * Support the JVMs installed by the older versions of java-package (<< 0.52) and the oracle-java-installer packages from webupd8 (Closes: #769166) -- Emmanuel Bourg Mon, 30 Mar 2015 19:40:22 +0200 tomcat8 (8.0.18-1) experimental; urgency=medium * New upstream release - Refreshed the patches -- Emmanuel Bourg Tue, 27 Jan 2015 22:54:00 +0100 tomcat8 (8.0.17-1) experimental; urgency=medium * New upstream release - Refreshed the patches -- Emmanuel Bourg Mon, 19 Jan 2015 09:58:16 +0100 tomcat8 (8.0.15-1) experimental; urgency=medium * New upstream release - Refreshed the patches -- Emmanuel Bourg Mon, 08 Dec 2014 23:59:10 +0100 tomcat8 (8.0.14-1) unstable; urgency=medium * New upstream release - Refreshed the patches * Build depend on libcglib3-java instead of libcglib-java * Standards-Version updated to 3.9.6 (no changes) -- Emmanuel Bourg Mon, 29 Sep 2014 13:23:43 +0200 tomcat8 (8.0.12-1) unstable; urgency=medium * New upstream release - Refreshed the patches * Fixed the tomcat8-examples configuration (Closes: #753372) * No longer create the common/server/shared directories under /var/lib/tomcat8, and use a unique lib directory as documented upstream since Tomcat 6. The old directories are still supported if inherited from a previous installation (Closes: #754386) * Depend on libecj-java >= 3.10.0 to support the new Java 8 syntax in JSPs * Install the missing tomcat-dbcp.jar in libtomcat8-java and use it as the default JDBC pool implementation instead of Commons DBCP. * Removed the obsolete patch 0012-java7-compat.patch * Tightened the build dependency on junit4 (>= 4.11) * Build the Javadoc with the JDK specified by the JAVA_HOME variable instead of the default JDK (this fixes a build failure when backporting to Wheezy) * Removed the note about the authbind IPv6 incompatibility in /etc/defaults/tomcat8 -- Emmanuel Bourg Wed, 17 Sep 2014 16:23:52 +0200 tomcat8 (8.0.9-1) unstable; urgency=medium [ Emmanuel Bourg ] * New upstream release - Refreshed the patches * Search for OpenJDK 8 and Oracle JDKs when starting the server * Removed the dependency on the non existent java-7-runtime package * Fixed a link still pointing to the Tomcat 7 documentation in README.Debian * Updated the version required for libtcnative-1 (>= 1.1.30) [ tony mancill ] * Update README.Debian with information about migration guides. -- Emmanuel Bourg Tue, 24 Jun 2014 21:28:37 +0200 tomcat8 (8.0.8-1) unstable; urgency=medium * New upstream release - Refreshed the patches -- Emmanuel Bourg Thu, 22 May 2014 13:01:55 +0200 tomcat8 (8.0.5-1) unstable; urgency=medium * New upstream release - Refreshed the patches - Disabled Java 8 support in JSPs (requires an Eclipse compiler update) * Fixed the name of the doc-base file for libservlet3.1-java (Closes: #746338) * Update email addresses of maintainers. -- Emmanuel Bourg Tue, 29 Apr 2014 10:22:45 +0200 tomcat8 (8.0.3-1) unstable; urgency=medium [ Emmanuel Bourg ] * Team upload. * New upstream release (Closes: #722675) - Updated the version of the Servlet, JSP and EL APIs - Switched to Java 7 - Updated the watch file to match the Tomcat 8 releases - Refreshed the patches - Updated debian/copyright, documented the xsd files licensed under the CDDL - Installed the new jars (spdy, jni, websocket, websocket-api, storeconfig) - Updated the artifactId of the specification jars to include the new javax prefix - Added the javax.websocket-api artifact to libservlet3.1-java - New build dependency on cglib, easymock and objenesis * Added a patch to include the name of the distribution on the error pages * Use XZ compression for the upstream tarball * debian/control: - Replaced Sun Microsystems with Oracle in the packages descriptions - Mentioned 'Apache Tomcat' in the packages descriptions - Standards-Version updated to 3.9.5 (no changes) * Deploy the Tomcat artifacts in the Maven repository with the 8.x version instead of 'debian' to avoid conflicts with other versions of Tomcat. * Hard coded the versions in the poms in debian/javaxpoms to fix the version of the dependencies for jsp-api * Renamed the jars in /usr/share/java to tomcat8-xxx to avoid conflicts with other versions of Tomcat * Added the missing descriptions to the patches * Added a patch to ignore the failing tests * Moved the tomcat-{servlet|jsp|el}-api artifacts from libservlet3.1-java to libtomcat8-java and changed their versions to the Tomcat version instead of the specification version. * Removed libservlet3.1-java.links defining the tomcat-* links in /usr/share/java with the specifications versions * The symlinks to /usr/share/tomcat8/lib are no longer split between the two packages libtomcat8-java and tomcat8-common. tomcat8-common assembles all the jars required by Tomcat (tomcat jars + dbcp + pool). libtomcat8-java deploys only the jars in /usr/share/java and the Maven artifacts in /usr/share/maven-repo. * Added the EL and WebSocket APIs to libservlet3.1-java-doc * Added a Lintian override for the incompatible-java-bytecode-format warning since Tomcat requires Java 7 * Added a Lintian override to clear the codeless-jar warnings on the tomcat-i18n jars instead of a patch turning them into zip files. * Removed 0011-fix-classpath-lintian-warnings.patch and specified the classpath of jasper.jar in libtomcat8-java.manifest instead. [ tony mancill ] * Include tomcat-util-scan.jar in the libtomcat8-java package. * Remove debian/NEWS (inapplicable to this release). * Prune debian/changelog to only contain tomcat8 entries. -- Emmanuel Bourg Sat, 15 Mar 2014 23:23:14 +0100