Package: tomcat7 / 7.0.28-4+deb7u4

Metadata

Package Version Patches format
tomcat7 7.0.28-4+deb7u4 3.0 (quilt)

Patch series

Patch File delta Description
0001 set UTF 8 as default character encoding.patch | (download)

conf/server.xml | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch] set UTF-8 as default character encoding


0002 do not load AJP13 connector by default.patch | (download)

conf/server.xml | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] do not load AJP13 connector by default


0003 disable APR library loading.patch | (download)

conf/server.xml | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] disable APR library loading

    ... until we properly provide it.

0004 split deploy webapps target from deploy target.patch | (download)

build.xml | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 [patch] split deploy-webapps target from deploy target


0005 change default DBCP factory class.patch | (download)

java/org/apache/naming/factory/Constants.java | 2 1 + 1 - 0 !
webapps/docs/jndi-resources-howto.xml | 4 2 + 2 - 0 !
2 files changed, 3 insertions(+), 3 deletions(-)

 [patch] change default DBCP factory class

... to org.apache.commons.dbcp.BasicDataSourceFactory

0006 add JARs below var to class loader.patch | (download)

conf/catalina.properties | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 [patch] add JARs below /var to class loader


0009 Use java.security.policy file in catalina.sh.patch | (download)

bin/catalina.sh | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 [patch] use java.security.policy file in catalina.sh

Make sure catalina.sh uses the Debian/Ubuntu java.security.policy
file location when Tomcat is started with a security manager.

Bug-Ubuntu: https://bugs.launchpad.net/bugs/591802
Bug-Debian: http://bugs.debian.org/585379
0010 debianize build xml.patch | (download)

build.xml | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 disable usage of embedded library copies
0011 fix classpath lintian warnings.patch | (download)

build.xml | 18 8 + 10 - 0 !
res/META-INF/jasper.jar.manifest | 10 10 + 0 - 0 !
2 files changed, 18 insertions(+), 10 deletions(-)

 fix codeless-jar and missing-classpath lintian warnings
0012 java7 compat.patch | (download)

modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/DataSource.java | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 compatibility patch to support compilation of tomcat7
 using openjdk-7
0013 dont look for build properties in user home.patch | (download)

build.xml | 1 0 + 1 - 0 !
1 file changed, 1 deletion(-)

 0013-dont-look-for-build-properties-in-user-home


cve 2012 3439.patch | (download)

java/org/apache/catalina/authenticator/DigestAuthenticator.java | 145 84 + 61 - 0 !
java/org/apache/catalina/util/ConcurrentMessageDigest.java | 91 91 + 0 - 0 !
2 files changed, 175 insertions(+), 61 deletions(-)

---
cve 2012 3439 tests.patch | (download)

test/org/apache/catalina/authenticator/TesterDigestAuthenticatorPerformance.java | 40 22 + 18 - 0 !
1 file changed, 22 insertions(+), 18 deletions(-)

---
0016 CVE 2012 4431.patch | (download)

java/org/apache/catalina/filters/CsrfPreventionFilter.java | 19 13 + 6 - 0 !
1 file changed, 13 insertions(+), 6 deletions(-)

 improve session management in CsrfPreventionFilter
 It is a fix for CVE-2012-4431.
0017 CVE 2012 3546.patch | (download)

java/org/apache/catalina/realm/RealmBase.java | 26 0 + 26 - 0 !
1 file changed, 26 deletions(-)

 remove unneeded handling of form authentication in RealmBase.
 The login and error pages are handled via forward, so processing completes
 before this code is ever reached.  The action page is handled elsewhere.
 It is a fix for CVE-2012-3546.
0018 CVE 2014 0050.patch | (download)

java/org/apache/tomcat/util/http/fileupload/FileUploadBase.java | 14 12 + 2 - 0 !
java/org/apache/tomcat/util/http/fileupload/MultipartStream.java | 6 5 + 1 - 0 !
2 files changed, 17 insertions(+), 3 deletions(-)

 fixes an infinite loop caused by invalid mime boundaries
0019 CVE 2013 2067.patch | (download)

java/org/apache/catalina/authenticator/FormAuthenticator.java | 10 10 + 0 - 0 !
1 file changed, 10 insertions(+)

 fix for CVE-2013-2067: form authentication associates the most
 recent request requiring authentication with the current session. By repeatedly
 sending a request for an authenticated resource while the victim is completing
 the login form, an attacker could inject a request that would be executed using
 the victim's credentials.
0020 CVE 2013 2071.patch | (download)

java/org/apache/catalina/core/AsyncContextImpl.java | 25 17 + 8 - 0 !
test/org/apache/catalina/core/TestAsyncContextImpl.java | 124 108 + 16 - 0 !
test/org/apache/catalina/tribes/group/TestGroupChannelMemberArrival.java | 2 1 + 1 - 0 !
3 files changed, 126 insertions(+), 25 deletions(-)

 fix for CVE-2013-2071: a runtime exception in AsyncListener.onComplete()
 prevents the request from being recycled. This may expose elements of a previous
 request to a current request.
0021 CVE 2012 3544.patch | (download)

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java | 75 41 + 34 - 0 !
1 file changed, 41 insertions(+), 34 deletions(-)

 fix for CVE-2012-3544: when processing a request submitted using
 the chunked transfer encoding, Tomcat ignored but did not limit any extensions
 that were included. This allows a client to perform a limited DOS by streaming
 an unlimited amount of data to the server.
0022 update test certificates.patch | (download)

test/org/apache/tomcat/util/net/TestCustomSsl.java | 2 1 + 1 - 0 !
test/org/apache/tomcat/util/net/TesterSupport.java | 12 6 + 6 - 0 !
2 files changed, 7 insertions(+), 7 deletions(-)

 uses updated test certificates to avoid a build failure when the tests are enabled.
 The updated keystores were taken from Tomcat 7.0.39 (http://svn.apache.org/r1451105)
0023 CVE 2013 4286.patch | (download)

java/org/apache/coyote/ajp/AbstractAjpProcessor.java | 15 12 + 3 - 0 !
java/org/apache/coyote/http11/AbstractHttp11Processor.java | 18 14 + 4 - 0 !
test/org/apache/coyote/http11/TestAbstractHttp11Processor.java | 48 48 + 0 - 0 !
3 files changed, 74 insertions(+), 7 deletions(-)

 fix for CVE-2013-4286: reject requests with multiple
 content-length headers or with a content-length header when chunked
 encoding is being used.
0024 CVE 2013 4322.patch | (download)

java/org/apache/coyote/http11/AbstractHttp11Processor.java | 5 3 + 2 - 0 !
java/org/apache/coyote/http11/AbstractHttp11Protocol.java | 10 10 + 0 - 0 !
java/org/apache/coyote/http11/Http11AprProcessor.java | 4 2 + 2 - 0 !
java/org/apache/coyote/http11/Http11AprProtocol.java | 2 1 + 1 - 0 !
java/org/apache/coyote/http11/Http11NioProcessor.java | 4 2 + 2 - 0 !
java/org/apache/coyote/http11/Http11NioProtocol.java | 2 1 + 1 - 0 !
java/org/apache/coyote/http11/Http11Processor.java | 4 2 + 2 - 0 !
java/org/apache/coyote/http11/Http11Protocol.java | 2 1 + 1 - 0 !
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java | 51 46 + 5 - 0 !
test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java | 72 72 + 0 - 0 !
webapps/docs/changelog.xml | 4 4 + 0 - 0 !
webapps/docs/config/http.xml | 6 6 + 0 - 0 !
12 files changed, 150 insertions(+), 16 deletions(-)

 fix for CVE-2013-4322: add support for limiting the size of chunk
 extensions when using chunked encoding
0025 use tls in ssl unit tests.patch | (download)

test/org/apache/tomcat/util/net/TesterSupport.java | 10 5 + 5 - 0 !
1 file changed, 5 insertions(+), 5 deletions(-)

 use TLS in SSL unit tests
CVE 2014 7810.patch | (download)

java/javax/el/BeanELResolver.java | 30 27 + 3 - 0 !
java/org/apache/jasper/runtime/PageContextImpl.java | 32 5 + 27 - 0 !
java/org/apache/jasper/security/SecurityClassLoad.java | 2 0 + 2 - 0 !
3 files changed, 32 insertions(+), 32 deletions(-)

 CVE-2014-7810: fix potential issue with BeanELResolver when running under a security manager.
 Some classes may not be accessible but may have accessible interfaces.
CVE 2014 0099.patch | (download)

java/org/apache/tomcat/util/buf/Ascii.java | 18 6 + 12 - 0 !
test/org/apache/tomcat/util/buf/TestAscii.java | 65 65 + 0 - 0 !
2 files changed, 71 insertions(+), 12 deletions(-)

 CVE-2014-0099: check for overflow when parsing the request content length header.
CVE 2013 4444.patch | (download)

java/org/apache/tomcat/util/http/fileupload/FileItem.java | 3 1 + 2 - 0 !
java/org/apache/tomcat/util/http/fileupload/disk/DiskFileItem.java | 62 0 + 62 - 0 !
2 files changed, 1 insertion(+), 64 deletions(-)

 CVE-2013-4444: remove serialization support from FileItem to prevent
 a remote code execution vulnerability in very limited circumstances.
CVE 2014 0075.patch | (download)

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java | 12 6 + 6 - 0 !
1 file changed, 6 insertions(+), 6 deletions(-)

 CVE-2014-0075: improve processing of chunk size from chunked headers.
 Avoid overflow and use a bit shift instead of a multiplication as it is marginally faster.
CVE 2014 0227.patch | (download)

java/org/apache/coyote/http11/filters/ChunkedInputFilter.java | 58 45 + 13 - 0 !
java/org/apache/coyote/http11/filters/LocalStrings.properties | 25 25 + 0 - 0 !
2 files changed, 70 insertions(+), 13 deletions(-)

 CVE-2014-0227: add an error flag in ChunkedInputFilter to allow subsequent
 attempts at reading after an error to fail fast. This prevents remote attackers from
 conducting HTTP request smuggling attacks or causing a denial of service by streaming
 data with malformed chunked requests.
CVE 2014 0230.patch | (download)

java/org/apache/catalina/connector/mbeans-descriptors.xml | 4 4 + 0 - 0 !
java/org/apache/coyote/http11/AbstractHttp11Processor.java | 7 4 + 3 - 0 !
java/org/apache/coyote/http11/AbstractHttp11Protocol.java | 10 10 + 0 - 0 !
java/org/apache/coyote/http11/Http11AprProcessor.java | 4 2 + 2 - 0 !
java/org/apache/coyote/http11/Http11AprProtocol.java | 3 2 + 1 - 0 !
java/org/apache/coyote/http11/Http11NioProcessor.java | 4 2 + 2 - 0 !
java/org/apache/coyote/http11/Http11NioProtocol.java | 3 2 + 1 - 0 !
java/org/apache/coyote/http11/Http11Processor.java | 4 2 + 2 - 0 !
java/org/apache/coyote/http11/Http11Protocol.java | 3 2 + 1 - 0 !
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java | 15 12 + 3 - 0 !
java/org/apache/coyote/http11/filters/IdentityInputFilter.java | 22 22 + 0 - 0 !
java/org/apache/coyote/http11/filters/LocalStrings.properties | 4 3 + 1 - 0 !
test/org/apache/catalina/core/TestSwallowAbortedUploads.java | 82 81 + 1 - 0 !
webapps/docs/config/http.xml | 10 10 + 0 - 0 !
14 files changed, 158 insertions(+), 17 deletions(-)

 CVE-2014-0230: add a new limit, defaulting to 2MB and configurable via JMX,
 for the amount of data Tomcat will swallow for an aborted upload. This prevents remote
 attackers from causing a denial of service (thread consumption) via a series of aborted
 upload attempts.
CVE 2014 0096.patch | (download)

conf/web.xml | 10 6 + 4 - 0 !
java/org/apache/catalina/servlets/DefaultServlet.java | 202 170 + 32 - 0 !
java/org/apache/catalina/servlets/LocalStrings.properties | 3 3 + 0 - 0 !
webapps/docs/default-servlet.xml | 31 17 + 14 - 0 !
4 files changed, 196 insertions(+), 50 deletions(-)

 CVE-2014-0096

java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in
Apache Tomcat before 6.0.40, 7.x before 7.0.53, and 8.x before 8.0.4 does not
properly restrict XSLT stylesheets, which allows remote attackers to bypass
security-manager restrictions and read arbitrary files via a crafted web
application that provides an XML external entity declaration in conjunction
with an entity reference, related to an XML External Entity (XXE) issue.

CVE 2014 0119.patch | (download)

java/org/apache/catalina/security/SecurityClassLoad.java | 13 13 + 0 - 0 !
java/org/apache/catalina/servlets/DefaultServlet.java | 45 38 + 7 - 0 !
java/org/apache/jasper/compiler/JspDocumentParser.java | 72 54 + 18 - 0 !
java/org/apache/jasper/xmlparser/ParserUtils.java | 26 26 + 0 - 0 !
java/org/apache/tomcat/util/security/PrivilegedGetTccl.java | 28 28 + 0 - 0 !
java/org/apache/tomcat/util/security/PrivilegedSetTccl.java | 34 34 + 0 - 0 !
webapps/docs/changelog.xml | 13 13 + 0 - 0 !
7 files changed, 206 insertions(+), 25 deletions(-)

 CVE-2014-0119

It was found that in limited circumstances it was possible for a malicious web
application to replace the XML parsers used by Tomcat to process XSLTs for the
default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin
configuration files. The injected XML parser(s) could then bypass the limits
imposed on XML external entities and/or have visibility of the XML files
processed for other web applications deployed on the same Tomcat instance.

CVE 2015 5174.patch | (download)

java/org/apache/tomcat/util/http/RequestUtil.java | 45 29 + 16 - 0 !
test/org/apache/tomcat/util/http/TestRequestUtil.java | 100 95 + 5 - 0 !
webapps/docs/changelog.xml | 11 11 + 0 - 0 !
3 files changed, 135 insertions(+), 21 deletions(-)

 CVE-2015-5174

Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x
before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote
authenticated users to bypass intended SecurityManager restrictions and list a
parent directory via a /.. (slash dot dot) in a pathname used by a web
application in a getResource, getResourceAsStream, or getResourcePaths call, as
demonstrated by the $CATALINA_BASE/webapps directory.

CVE 2015 5345.patch | (download)

java/org/apache/catalina/Context.java | 40 40 + 0 - 0 !
java/org/apache/catalina/authenticator/FormAuthenticator.java | 14 14 + 0 - 0 !
java/org/apache/catalina/core/StandardContext.java | 41 39 + 2 - 0 !
java/org/apache/catalina/core/mbeans-descriptors.xml | 8 8 + 0 - 0 !
java/org/apache/catalina/servlets/DefaultServlet.java | 28 27 + 1 - 0 !
java/org/apache/catalina/servlets/WebdavServlet.java | 5 5 + 0 - 0 !
java/org/apache/catalina/startup/FailedContext.java | 19 18 + 1 - 0 !
java/org/apache/tomcat/util/http/mapper/Mapper.java | 21 10 + 11 - 0 !
test/org/apache/catalina/startup/TomcatBaseTest.java | 3 1 + 2 - 0 !
webapps/docs/changelog.xml | 10 10 + 0 - 0 !
webapps/docs/config/context.xml | 16 16 + 0 - 0 !
11 files changed, 188 insertions(+), 17 deletions(-)

 CVE-2015-5345

The Mapper component in Apache Tomcat processes redirects before considering
security constraints and Filters, which allows remote attackers to determine
the existence of a directory via a URL that lacks a trailing / (slash)
character.

CVE 2015 5346.patch | (download)

java/org/apache/catalina/connector/CoyoteAdapter.java | 14 8 + 6 - 0 !
java/org/apache/catalina/connector/Request.java | 36 19 + 17 - 0 !
webapps/docs/changelog.xml | 4 4 + 0 - 0 !
3 files changed, 31 insertions(+), 23 deletions(-)

 CVE-2015-5346

CVE 2015 5351.patch | (download)

webapps/docs/changelog.xml | 7 7 + 0 - 0 !
webapps/host-manager/WEB-INF/jsp/401.jsp | 1 1 + 0 - 0 !
webapps/host-manager/WEB-INF/jsp/403.jsp | 1 1 + 0 - 0 !
webapps/host-manager/WEB-INF/jsp/404.jsp | 3 2 + 1 - 0 !
webapps/host-manager/index.jsp | 4 2 + 2 - 0 !
webapps/manager/WEB-INF/web.xml | 1 0 + 1 - 0 !
webapps/manager/index.jsp | 4 2 + 2 - 0 !
7 files changed, 15 insertions(+), 6 deletions(-)

 CVE-2015-5351

The Manager and Host Manager applications in Apache Tomcat establish
sessions and send CSRF tokens for arbitrary new requests, which allows remote
attackers to bypass a CSRF protection mechanism by using a token.

CVE 2016 0706.patch | (download)

java/org/apache/catalina/core/RestrictedServlets.properties | 1 1 + 0 - 0 !
webapps/docs/changelog.xml | 4 4 + 0 - 0 !
2 files changed, 5 insertions(+)

 CVE-2016-0706

Apache Tomcat does not place org.apache.catalina.manager.StatusManagerServlet
on the org/apache/catalina/core/RestrictedServlets.properties list, which
allows remote authenticated users to bypass intended SecurityManager
restrictions and read arbitrary HTTP requests, and consequently discover
session ID values, via a crafted web application.

CVE 2016 0714.patch | (download)

java/org/apache/catalina/ha/session/ClusterManagerBase.java | 2 2 + 0 - 0 !
java/org/apache/catalina/ha/session/mbeans-descriptors.xml | 16 16 + 0 - 0 !
java/org/apache/catalina/session/LocalStrings.properties | 2 2 + 0 - 0 !
java/org/apache/catalina/session/ManagerBase.java | 156 153 + 3 - 0 !
java/org/apache/catalina/session/StandardManager.java | 7 5 + 2 - 0 !
java/org/apache/catalina/session/mbeans-descriptors.xml | 12 12 + 0 - 0 !
java/org/apache/catalina/util/CustomObjectInputStream.java | 69 67 + 2 - 0 !
java/org/apache/catalina/util/LocalStrings.properties | 2 2 + 0 - 0 !
webapps/docs/changelog.xml | 8 8 + 0 - 0 !
webapps/docs/config/cluster-manager.xml | 53 53 + 0 - 0 !
10 files changed, 320 insertions(+), 7 deletions(-)

 CVE-2016-0714

The session-persistence implementation in Apache Tomcat mishandles session
attributes, which allows remote authenticated users to bypass intended
SecurityManager restrictions and execute arbitrary code in a privileged context
via a web application that places a crafted object in a session.

CVE 2016 0763.patch | (download)

java/org/apache/naming/factory/ResourceLinkFactory.java | 5 5 + 0 - 0 !
webapps/docs/changelog.xml | 4 4 + 0 - 0 !
2 files changed, 9 insertions(+)

 CVE-2016-0763

The setGlobalContext method in
org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does not
consider whether ResourceLinkFactory.setGlobalContext callers are authorized,
which allows remote authenticated users to bypass intended SecurityManager
restrictions and read or write to arbitrary application data, or cause a denial
of service (application disruption), via a web application that sets a crafted
global context.