Package: tomcat7 / 7.0.56-3+deb8u11

Metadata

Package: tomcat7
Version: 7.0.56-3+deb8u11
Patches format: 3.0 (quilt)

Patch series

Patch File delta Description
0001 set UTF 8 as default character encoding.patch | (download)

conf/server.xml | 1 1 + 0 - 0 !
1 file changed, 1 insertion(+)

 [patch] set utf-8 as default character encoding


0002 do not load AJP13 connector by default.patch | (download)

conf/server.xml | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] do not load ajp13 connector by default


0003 disable APR library loading.patch | (download)

conf/server.xml | 2 2 + 0 - 0 !
1 file changed, 2 insertions(+)

 [patch] disable apr library loading

    ... until we properly provide it.

0004 split deploy webapps target from deploy target.patch | (download)

build.xml | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 [patch] split deploy-webapps target from deploy target

0005 skip test failures.patch | (download)

build.xml | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

 print only the summary of the tests
0006 add JARs below var to class loader.patch | (download)

conf/catalina.properties | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 [patch] add jars below /var to class loader


0009 Use java.security.policy file in catalina.sh.patch | (download)

bin/catalina.sh | 6 3 + 3 - 0 !
1 file changed, 3 insertions(+), 3 deletions(-)

 [patch] use java.security.policy file in catalina.sh

Make sure catalina.sh uses the Debian/Ubuntu java.security.policy
file location when Tomcat is started with a security manager.

Bug-Ubuntu: https://bugs.launchpad.net/bugs/591802
Bug-Debian: http://bugs.debian.org/585379
0010 debianize build xml.patch | (download)

build.xml | 4 3 + 1 - 0 !
1 file changed, 3 insertions(+), 1 deletion(-)

 disable usage of embedded library copies
0011 fix classpath lintian warnings.patch | (download)

build.xml | 18 8 + 10 - 0 !
res/META-INF/jasper.jar.manifest | 10 10 + 0 - 0 !
2 files changed, 18 insertions(+), 10 deletions(-)

 fix codeless-jar and missing-classpath lintian warnings
0012 java7 compat.patch | (download)

modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/DataSource.java | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 compatibility patch to support compilation of tomcat7
 using openjdk-7
0013 dont look for build properties in user home.patch | (download)

build.xml | 1 0 + 1 - 0 !
1 file changed, 1 deletion(-)

 0013-dont-look-for-build-properties-in-user-home


0014 JDTCompiler.patch | (download)

java/org/apache/jasper/compiler/JDTCompiler.java | 2 1 + 1 - 0 !
1 file changed, 1 insertion(+), 1 deletion(-)

---
0015_disable_test_TestCometProcessor.patch | (download)

test/org/apache/catalina/comet/TestCometProcessor.java | 3 2 + 1 - 0 !
1 file changed, 2 insertions(+), 1 deletion(-)

---
0017 use jdbc pool default.patch | (download)

java/org/apache/naming/factory/Constants.java | 2 1 + 1 - 0 !
webapps/docs/config/systemprops.xml | 2 1 + 1 - 0 !
webapps/docs/jndi-resources-howto.xml | 2 1 + 1 - 0 !
3 files changed, 3 insertions(+), 3 deletions(-)

 make jdbc-pool module default
 Tomcat upstream ships a patched version of Commons DBCP. This is
 not shipped in the Debian packages.
 .
 It also provides an alternative, lightweight pool implementation
 which is shipped.
 .
 This patch makes this implementation the default pool.
0018 fix manager webapp.patch | (download)

conf/catalina.policy | 4 2 + 2 - 0 !
webapps/docs/manager-howto.xml | 2 1 + 1 - 0 !
webapps/host-manager/manager.xml | 2 1 + 1 - 0 !
3 files changed, 4 insertions(+), 4 deletions(-)

 this patch changes the manager path from webapps/manager to
 ../tomcat7-admin/manager

0019 add distribution to error page.patch | (download)

build.xml | 1 1 + 0 - 0 !
java/org/apache/catalina/util/ServerInfo.properties | 4 2 + 2 - 0 !
2 files changed, 3 insertions(+), 2 deletions(-)

---
0020 disable java8 support with jdtcompiler.patch | (download)

java/org/apache/jasper/compiler/JDTCompiler.java | 8 0 + 8 - 0 !
1 file changed, 8 deletions(-)

 drop java 8 support in jsp files until the eclipse compiler is updated
0021 add simple instance manager.patch | (download)

java/org/apache/tomcat/SimpleInstanceManager.java | 68 68 + 0 - 0 !
1 file changed, 68 insertions(+)

 add the SimpleInstanceManager class from Tomcat 8 to help integrating the JSP compiler into Jetty 8
0022 use tls in ssl unit tests.patch | (download)

test/org/apache/tomcat/util/net/TesterSupport.java | 10 5 + 5 - 0 !
1 file changed, 5 insertions(+), 5 deletions(-)

 use tls in ssl unit tests
0023 update test certificates.patch | (download)

test/org/apache/tomcat/util/net/TestCustomSsl.java | 2 1 + 1 - 0 !
test/org/apache/tomcat/util/net/TesterSupport.java | 23 17 + 6 - 0 !
2 files changed, 18 insertions(+), 7 deletions(-)

 uses updated test certificates to avoid a build failure when the tests are enabled.
 The updated keystores were taken from Tomcat 7.0.39 (http://svn.apache.org/r1451105)
0024 disable unit tests depending on network access.path | (download)

test/org/apache/catalina/session/TestStandardSession.java | 3 2 + 1 - 0 !
test/org/apache/catalina/tribes/group/TestGroupChannelMemberArrival.java | 183 0 + 183 - 0 !
test/org/apache/catalina/tribes/group/TestGroupChannelStartStop.java | 7 4 + 3 - 0 !
test/org/apache/catalina/tribes/group/interceptors/TestDomainFilterInterceptor.java | 129 0 + 129 - 0 !
test/org/apache/catalina/tribes/group/interceptors/TestOrderInterceptor.java | 197 0 + 197 - 0 !
test/org/apache/catalina/tribes/group/interceptors/TestTcpFailureDetector.java | 177 0 + 177 - 0 !
test/org/apache/catalina/tribes/test/TribesTestSuite.java | 14 7 + 7 - 0 !
7 files changed, 13 insertions(+), 697 deletions(-)

 disable unit tests that depend on network access
 After fixing an FTBFS bug (#789519), I noticed this package kept
 failing to build due to some failing tests when it is built in an
 environment without network access.
 tomcat7 (7.0.56-2) unstable; urgency=medium
fix TestNonLoginAndBasicAuthenticator.patch | (download)

test/org/apache/catalina/authenticator/TestNonLoginAndBasicAuthenticator.java | 6 3 + 3 - 0 !
test/org/apache/catalina/authenticator/TestSSOnonLoginAndBasicAuthenticator.java | 8 4 + 4 - 0 !
test/org/apache/catalina/authenticator/TestSSOnonLoginAndDigestAuthenticator.java | 4 2 + 2 - 0 !
3 files changed, 9 insertions(+), 9 deletions(-)

 don't add ":" to cookie name. It is illegal in newer JREs
CVE 2014 7810.patch | (download)

java/javax/el/BeanELResolver.java | 30 27 + 3 - 0 !
java/org/apache/jasper/runtime/PageContextImpl.java | 34 4 + 30 - 0 !
java/org/apache/jasper/security/SecurityClassLoad.java | 2 0 + 2 - 0 !
3 files changed, 31 insertions(+), 35 deletions(-)

 CVE-2014-7810: fix potential issue with BeanELResolver when running under a SecurityManager.
 Some classes may not be accessible but may have accessible interfaces.
CVE 2015 5174.patch | (download)

java/org/apache/tomcat/util/http/RequestUtil.java | 45 29 + 16 - 0 !
test/org/apache/tomcat/util/http/TestRequestUtil.java | 100 95 + 5 - 0 !
webapps/docs/changelog.xml | 11 11 + 0 - 0 !
3 files changed, 135 insertions(+), 21 deletions(-)

 cve-2015-5174

Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x
before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote
authenticated users to bypass intended SecurityManager restrictions and list a
parent directory via a /.. (slash dot dot) in a pathname used by a web
application in a getResource, getResourceAsStream, or getResourcePaths call, as
demonstrated by the $CATALINA_BASE/webapps directory.

CVE 2015 5346.patch | (download)

java/org/apache/catalina/connector/CoyoteAdapter.java | 1 1 + 0 - 0 !
java/org/apache/catalina/connector/Request.java | 36 19 + 17 - 0 !
webapps/docs/changelog.xml | 4 4 + 0 - 0 !
3 files changed, 24 insertions(+), 17 deletions(-)

 cve-2015-5346

CVE 2015 5345.patch | (download)

java/org/apache/catalina/Context.java | 40 40 + 0 - 0 !
java/org/apache/catalina/authenticator/FormAuthenticator.java | 14 14 + 0 - 0 !
java/org/apache/catalina/connector/MapperListener.java | 3 2 + 1 - 0 !
java/org/apache/catalina/core/StandardContext.java | 37 35 + 2 - 0 !
java/org/apache/catalina/core/mbeans-descriptors.xml | 8 8 + 0 - 0 !
java/org/apache/catalina/servlets/DefaultServlet.java | 72 46 + 26 - 0 !
java/org/apache/catalina/servlets/WebdavServlet.java | 32 19 + 13 - 0 !
java/org/apache/catalina/startup/FailedContext.java | 18 17 + 1 - 0 !
java/org/apache/tomcat/util/http/mapper/Mapper.java | 53 40 + 13 - 0 !
test/org/apache/catalina/core/TesterContext.java | 16 16 + 0 - 0 !
test/org/apache/catalina/startup/TomcatBaseTest.java | 3 1 + 2 - 0 !
test/org/apache/tomcat/util/http/mapper/TestMapperWebapps.java | 64 64 + 0 - 0 !
webapps/docs/changelog.xml | 10 10 + 0 - 0 !
webapps/docs/config/context.xml | 16 16 + 0 - 0 !
14 files changed, 328 insertions(+), 58 deletions(-)

 cve-2015-5345

The Mapper component in Apache Tomcat processes redirects before considering
security constraints and Filters, which allows remote attackers to determine
the existence of a directory via a URL that lacks a trailing / (slash)
character.

http://svn.apache.org/viewvc?view=revision&revision=1715213
http://svn.apache.org/viewvc?view=revision&revision=1716860
http://svn.apache.org/viewvc?view=revision&revision=1717210
http://svn.apache.org/viewvc?view=revision&revision=1717212

CVE 2015 5351.patch | (download)

webapps/docs/changelog.xml | 7 7 + 0 - 0 !
webapps/host-manager/WEB-INF/jsp/401.jsp | 1 1 + 0 - 0 !
webapps/host-manager/WEB-INF/jsp/403.jsp | 1 1 + 0 - 0 !
webapps/host-manager/WEB-INF/jsp/404.jsp | 3 2 + 1 - 0 !
webapps/host-manager/index.jsp | 4 2 + 2 - 0 !
webapps/manager/WEB-INF/web.xml | 1 0 + 1 - 0 !
webapps/manager/index.jsp | 4 2 + 2 - 0 !
7 files changed, 15 insertions(+), 6 deletions(-)

 cve-2015-5351

The Manager and Host Manager applications in Apache Tomcat establish
sessions and send CSRF tokens for arbitrary new requests, which allows remote
attackers to bypass a CSRF protection mechanism by using a token.

CVE 2016 0706.patch | (download)

java/org/apache/catalina/core/RestrictedServlets.properties | 1 1 + 0 - 0 !
webapps/docs/changelog.xml | 4 4 + 0 - 0 !
2 files changed, 5 insertions(+)

 cve-2016-0706

Apache Tomcat does not place org.apache.catalina.manager.StatusManagerServlet
on the org/apache/catalina/core/RestrictedServlets.properties list, which
allows remote authenticated users to bypass intended SecurityManager
restrictions and read arbitrary HTTP requests, and consequently discover
session ID values, via a crafted web application.

CVE 2016 0714.patch | (download)

java/org/apache/catalina/ha/session/ClusterManagerBase.java | 2 2 + 0 - 0 !
java/org/apache/catalina/ha/session/mbeans-descriptors.xml | 16 16 + 0 - 0 !
java/org/apache/catalina/session/LocalStrings.properties | 2 2 + 0 - 0 !
java/org/apache/catalina/session/ManagerBase.java | 156 153 + 3 - 0 !
java/org/apache/catalina/session/StandardManager.java | 7 5 + 2 - 0 !
java/org/apache/catalina/session/mbeans-descriptors.xml | 12 12 + 0 - 0 !
java/org/apache/catalina/util/CustomObjectInputStream.java | 69 67 + 2 - 0 !
java/org/apache/catalina/util/LocalStrings.properties | 2 2 + 0 - 0 !
webapps/docs/changelog.xml | 8 8 + 0 - 0 !
webapps/docs/config/cluster-manager.xml | 53 53 + 0 - 0 !
10 files changed, 320 insertions(+), 7 deletions(-)

 cve-2016-0714

The session-persistence implementation in Apache Tomcat mishandles session
attributes, which allows remote authenticated users to bypass intended
SecurityManager restrictions and execute arbitrary code in a privileged context
via a web application that places a crafted object in a session.

CVE 2016 0762.patch | (download)

java/org/apache/catalina/realm/MemoryRealm.java | 3 3 + 0 - 0 !
java/org/apache/catalina/realm/RealmBase.java | 3 3 + 0 - 0 !
2 files changed, 6 insertions(+)

 fixes cve-2016-0762: the realm implementations did not process
 the supplied password if the supplied user name did not exist. This made
 a timing attack possible to determine valid user names.
CVE 2016 0763.patch | (download)

java/org/apache/naming/factory/ResourceLinkFactory.java | 5 5 + 0 - 0 !
webapps/docs/changelog.xml | 4 4 + 0 - 0 !
2 files changed, 9 insertions(+)

 cve-2016-0763

The setGlobalContext method in
org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat does not
consider whether ResourceLinkFactory.setGlobalContext callers are authorized,
which allows remote authenticated users to bypass intended SecurityManager
restrictions and read or write to arbitrary application data, or cause a denial
of service (application disruption), via a web application that sets a crafted
global context.

CVE 2016 3092.patch | (download)

java/org/apache/tomcat/util/http/fileupload/MultipartStream.java | 11 6 + 5 - 0 !
1 file changed, 6 insertions(+), 5 deletions(-)

 fixes cve-2016-3092: denial-of-service vulnerability
CVE 2016 5018.patch | (download)

java/org/apache/jasper/compiler/JspRuntimeContext.java | 2 0 + 2 - 0 !
java/org/apache/jasper/runtime/JspRuntimeLibrary.java | 59 1 + 58 - 0 !
java/org/apache/jasper/security/SecurityClassLoad.java | 2 0 + 2 - 0 !
3 files changed, 1 insertion(+), 62 deletions(-)

 fixes cve-2016-5018: a malicious web application was able to bypass
 a configured SecurityManager via a Tomcat utility method that was accessible to
 web applications.
CVE 2016 6794.patch | (download)

java/org/apache/catalina/loader/WebappClassLoader.java | 24 23 + 1 - 0 !
java/org/apache/tomcat/util/digester/Digester.java | 10 10 + 0 - 0 !
java/org/apache/tomcat/util/security/PermissionCheck.java | 43 43 + 0 - 0 !
3 files changed, 76 insertions(+), 1 deletion(-)

 fixes CVE-2016-6794: when a SecurityManager is configured, a web
 application's ability to read system properties should be controlled by the
 SecurityManager. Tomcat's system property replacement feature for configuration
 files could be used by a malicious web application to bypass the SecurityManager
 and read system properties that should not be visible.
CVE 2016 6796.patch | (download)

conf/web.xml | 4 4 + 0 - 0 !
java/org/apache/jasper/EmbeddedServletOptions.java | 4 4 + 0 - 0 !
java/org/apache/jasper/resources/LocalStrings.properties | 1 1 + 0 - 0 !
java/org/apache/jasper/servlet/JspServlet.java | 9 7 + 2 - 0 !
webapps/docs/jasper-howto.xml | 4 2 + 2 - 0 !
5 files changed, 18 insertions(+), 4 deletions(-)

 fixes cve-2016-6796: a malicious web application was able to bypass
 a configured SecurityManager via manipulation of the configuration parameters
 for the JSP Servlet.
CVE 2016 6797.patch | (download)

java/org/apache/catalina/core/NamingContextListener.java | 19 19 + 0 - 0 !
java/org/apache/naming/factory/ResourceLinkFactory.java | 64 64 + 0 - 0 !
test/org/apache/naming/TestNamingContext.java | 87 87 + 0 - 0 !
3 files changed, 170 insertions(+)

 fixes CVE-2016-6797: the ResourceLinkFactory did not limit web
 application access to global JNDI resources to those resources explicitly
 linked to the web application. Therefore, it was possible for a web
 application to access any global JNDI resource whether an explicit
 ResourceLink had been configured or not.
CVE 2016 6816.patch | (download)

java/org/apache/coyote/http11/AbstractInputBuffer.java | 53 0 + 53 - 0 !
java/org/apache/coyote/http11/InternalAprInputBuffer.java | 19 11 + 8 - 0 !
java/org/apache/coyote/http11/InternalInputBuffer.java | 19 11 + 8 - 0 !
java/org/apache/coyote/http11/InternalNioInputBuffer.java | 18 11 + 7 - 0 !
java/org/apache/coyote/http11/LocalStrings.properties | 4 3 + 1 - 0 !
java/org/apache/tomcat/util/http/parser/HttpParser.java | 94 70 + 24 - 0 !
6 files changed, 106 insertions(+), 101 deletions(-)

 fixes cve-2016-6816: the code that parsed the http request line
 permitted invalid characters. This could be exploited, in conjunction with
BZ 57377.patch | (download)

java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java | 227 160 + 67 - 0 !
java/org/apache/catalina/mbeans/LocalStrings.properties | 1 0 + 1 - 0 !
webapps/docs/config/listeners.xml | 5 1 + 4 - 0 !
3 files changed, 161 insertions(+), 72 deletions(-)

 remove the restriction that prevented the use of ssl when
 specifying a bind address for the JMX/RMI server. Enable SSL to be
 configured for the registry as well as the server.
CVE 2016 8735.patch | (download)

java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java | 6 5 + 1 - 0 !
1 file changed, 5 insertions(+), 1 deletion(-)

 fixes CVE-2016-8735: the JmxRemoteLifecycleListener was not updated
 to take account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations
 using this listener remained vulnerable to a similar remote code execution
 vulnerability. This issue has been rated as important rather than critical due
 to the small number of installations using this listener and that it would be
 highly unusual for the JMX ports to be accessible to an attacker even when the
 listener is used.
CVE 2016 8745.patch | (download)

java/org/apache/tomcat/util/net/NioEndpoint.java | 7 6 + 1 - 0 !
1 file changed, 6 insertions(+), 1 deletion(-)

 fixes CVE-2016-8745: when unable to complete a sendfile request,
 ensure the Processor will be added to the cache only once.
 This bug in the error handling of the sendfile code for the NIO HTTP connector
 resulted in the current Processor object being added to the Processor cache
 multiple times. This in turn meant that the same Processor could be used for
 concurrent requests. Sharing a Processor can result in information leakage
 between requests including, but not limited to, session ID and the response
 body.
BZ57544 infinite loop.patch | (download)

java/org/apache/coyote/http11/AbstractInputBuffer.java | 16 4 + 12 - 0 !
1 file changed, 4 insertions(+), 12 deletions(-)

 bz57544 infinite loop

Bug-Upstream: https://bz.apache.org/bugzilla/show_bug.cgi?id=60578
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854551
BZ57544 infinite loop part2.patch | (download)

java/org/apache/coyote/http11/AbstractInputBuffer.java | 5 3 + 2 - 0 !
1 file changed, 3 insertions(+), 2 deletions(-)

 bz57544-infinite-loop-part2

Fix 400 HTTP errors due to an incomplete fix for CVE-2017-6056.

Bug-Debian: https://bugs.debian.org/854551
CVE 2017 5647.patch | (download)

java/org/apache/coyote/AbstractProtocol.java | 7 3 + 4 - 0 !
java/org/apache/coyote/http11/Http11AprProcessor.java | 39 25 + 14 - 0 !
java/org/apache/coyote/http11/Http11NioProcessor.java | 28 22 + 6 - 0 !
java/org/apache/tomcat/util/net/AprEndpoint.java | 48 31 + 17 - 0 !
java/org/apache/tomcat/util/net/NioEndpoint.java | 70 36 + 34 - 0 !
java/org/apache/tomcat/util/net/SendfileKeepAliveState.java | 39 39 + 0 - 0 !
java/org/apache/tomcat/util/net/SendfileState.java | 37 37 + 0 - 0 !
7 files changed, 193 insertions(+), 75 deletions(-)

 cve-2017-5647

Bug-Debian: https://bugs.debian.org/860068
CVE 2017 5648.patch | (download)

java/org/apache/catalina/authenticator/FormAuthenticator.java | 11 5 + 6 - 0 !
java/org/apache/catalina/core/StandardHostValve.java | 14 7 + 7 - 0 !
2 files changed, 12 insertions(+), 13 deletions(-)

 cve-2017-5648

Bug-Debian: https://bugs.debian.org/860068
CVE 2017 5664.patch | (download)

java/org/apache/catalina/servlets/DefaultServlet.java | 28 21 + 7 - 0 !
java/org/apache/catalina/servlets/WebdavServlet.java | 6 6 + 0 - 0 !
2 files changed, 27 insertions(+), 7 deletions(-)

 cve-2017-5664