File: changelog

jetty9 9.4.16-0+deb10u1
  • area: main
  • in suites: buster
  • size: 62,092 kB
  • sloc: java: 379,695; xml: 23,723; javascript: 1,040; sh: 937; jsp: 318; sql: 38; makefile: 16
jetty9 (9.4.16-0+deb10u1) buster-security; urgency=high

  * Team upload.
  * New upstream version 9.4.16.
    - Fix CVE-2019-10241:
      The server is vulnerable to XSS conditions if a remote client uses a
      specially formatted URL against the DefaultServlet or ResourceHandler that
      is configured for showing a Listing of directory contents.
    - Fix CVE-2019-10247:
      The server running on any OS and Jetty version combination will reveal
      the configured fully qualified directory base resource location on the
      output of the 404 error for not finding a Context that matches the
      requested path. The default server behavior on jetty-distribution and
      jetty-home will include at the end of the Handler tree a DefaultHandler,
      which is responsible for reporting this 404 error, it presents the
      various configured contexts as HTML for users to click through to. This
      produced HTML includes output that contains the configured fully
      qualified directory base resource location for each context.
  * Fix CVE-2020-27216:
    On Unix like systems, the system's temporary directory is shared between
    all users on that system. A collocated user can observe the process of
    creating a temporary sub directory in the shared temporary directory and
    race to complete the creation of the temporary subdirectory. If the
    attacker wins the race then they will have read and write permission to the
    subdirectory used to unpack web applications, including their WEB-INF/lib
    jar files and JSP files. If any code is ever executed out of this temporary
    directory, this can lead to a local privilege escalation vulnerability.
  * Fix CVE-2020-27223:
    When Jetty handles a request containing multiple Accept headers with a
    large number of “quality” (i.e. q) parameters, the server may enter a
    denial of service (DoS) state due to high CPU usage processing those
    quality values, resulting in minutes of CPU time exhausted processing
    those quality values.
  * Fix CVE-2020-28165:
    CPU usage can reach 100% upon receiving a large invalid TLS frame.
  * Fix CVE-2020-28169:
    It is possible for requests to the ConcatServlet with a doubly encoded path
    to access protected resources within the WEB-INF directory. For example a
    request to `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file.
    This can reveal sensitive information regarding the implementation of a web
    application.
  * Fix CVE-2021-34428:
    If an exception is thrown from the SessionListener#sessionDestroyed()
    method, then the session ID is not invalidated in the session ID manager.
    On deployments with clustered sessions and multiple contexts this can
    result in a session not being invalidated. This can result in an
    application used on a shared computer being left logged in.

 -- Markus Koschany <apo@debian.org>  Sun, 01 Aug 2021 13:52:06 +0200

jetty9 (9.4.15-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - New build dependency on libjboss-logging-java
    - Ignore the new jetty-websocket-tests module
  * Standards-Version updated to 4.3.0

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 25 Feb 2019 01:33:58 +0100

jetty9 (9.4.14-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Ignore the new test dependencies
    - Build the new modules: jetty-alpn-java-*, jetty-alpn-openjdk8-*,
      jetty-http2-*, jetty-cdi-* and jetty-unixsocket
    - Ignore the new optional modules: jetty-alpn-conscrypt-*, jetty-memcached,
      jetty-cdi-servlet, jetty-gcloud, jetty-hazelcast and jetty-infinispan
    - No longer build the removed modules: jetty-monitor and jetty-rhttp-*
    - Updated the Maven rules
    - Derive the content of the jetty9 package from the output
      of the jetty-distribution module
    - Require Java 8 or higher to run
    - Depend on libasm-java (>= 7.0)
    - Updated the links in /usr/share/jetty9/lib/
    - Added jetty-util.jar to the classpath of jetty-start.jar
  * Added a systemd service file
  * Removed the default 256M heap limit
  * Removed the NO_START option from the service configuration
  * Depend on libtomcat9-java instead of libtomcat8-java
  * Don't follow the symlinks when setting the owner of the /var/cache/jetty9,
    /var/log/jetty9 and /var/lib/jetty9 directories in the postinst script
  * Updated the README file (Closes: #906770)
  * Exclude the documentation directory from the upstream tarball

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 10 Dec 2018 15:44:30 +0100

jetty9 (9.2.26-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Fixed the Maven rule for tomcat-jaspic-api (Closes: #907147)
  * Standards-Version updated to 4.2.1

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 05 Sep 2018 13:11:13 +0200

jetty9 (9.2.25-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Fixes CVE-2017-7656: A remote user can submit a specially crafted HTTP/0.9
      request containing invalid request headers to cause Jetty and an upstream
      HTTP agent (such as an origin server or another proxy) to interpret the
      boundary of the HTTP request differently. As a result, a malicious request
      may be embedded within another request as processed by the subsequent
      system. This allows a remote user to potentially poison the cache.
    - Fixes CVE-2017-7657: A remote user can submit a specially crafted HTTP
      request containing invalid Chunked Transfer-Encoding headers to cause
      Jetty and an upstream HTTP agent (such as an origin server or another
      proxy) to interpret the boundary of the HTTP request differently.
      As a result, a malicious request may be embedded within another request
      as processed by the subsequent system. This allows a remote user to
      potentially poison the cache.
    - Fixes CVE-2017-7658: A remote user can submit a specially crafted HTTP
      request containing more than one Content-Length header to cause Jetty
      and an upstream HTTP agent (such as an origin server or another proxy)
      to interpret the boundary of the HTTP request differently. As a result,
      a malicious request may be embedded within another request as processed
      by the subsequent system. This allows a remote user to potentially poison
      the cache.
  * Compile with the --release parameter to preserve the compatibility
    with older JREs

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 03 Jul 2018 14:31:51 +0200

jetty9 (9.2.24-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Standards-Version updated to 4.1.4
  * Switch to debhelper level 11
  * Use salsa.debian.org Vcs-* URLs

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 18 May 2018 00:14:54 +0200

jetty9 (9.2.23-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Fixed the broken symlinks indirectly caused by the new pom patching
    sequence in maven-debian-helper 2.2.8 (Closes: #884771)
  * Added the missing dependency on lsb-base
  * Standards-Version updated to 4.1.3

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 05 Jan 2018 18:03:14 +0100

jetty9 (9.2.22-3) unstable; urgency=medium

  * Team upload.
  * Depend on libgeronimo-jta-1.2-spec-java instead of glassfish-javaee
  * Standards-Version updated to 4.1.2

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 14 Dec 2017 16:53:25 +0100

jetty9 (9.2.22-2) unstable; urgency=medium

  * Team upload.
  * No longer depend on glassfish-jmac-api and use the jaspic API
    from libtomcat8-java instead
  * Standards-Version updated to 4.0.0

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 04 Jul 2017 12:06:15 +0200

jetty9 (9.2.22-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Fixes CVE-2017-9735: Timing attack in Password.java (Closes: #864898)
  * No longer create a link to jetty-overlay-deployer (Closes: #857217)

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 19 Jun 2017 15:56:11 +0200

jetty9 (9.2.21-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 25 Jan 2017 09:30:54 +0100

jetty9 (9.2.20-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Ignore the Jacoco Maven plugin
  * Switch to debhelper level 10

 -- Emmanuel Bourg <ebourg@apache.org>  Sun, 08 Jan 2017 01:29:03 +0100

jetty9 (9.2.19-2) unstable; urgency=medium

  * Removed the Require-Capability and Bundle-RequiredExecutionEnvironment
    fields from the OSGi metadata to avoid a build failure with Eclipse 3.8

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 24 Oct 2016 18:18:50 +0200

jetty9 (9.2.19-1) unstable; urgency=medium

  * New upstream release
  * Track the tags from the Git repository

 -- Emmanuel Bourg <ebourg@apache.org>  Sun, 09 Oct 2016 16:26:33 +0200

jetty9 (9.2.18-1) unstable; urgency=medium

  * New upstream release
  * Depend on taglibs-standard instead of jakarta-taglibs-standard
  * Track the release tags on GitHub

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 28 Jul 2016 13:37:30 +0200

jetty9 (9.2.16-1) unstable; urgency=medium

  * New upstream release
  * Standards-Version updated to 3.9.8 (no changes)

 -- Emmanuel Bourg <ebourg@apache.org>  Sat, 23 Apr 2016 15:11:28 +0200

jetty9 (9.2.15-1) unstable; urgency=medium

  * New upstream release
  * Standards-Version updated to 3.9.7 (no changes)
  * Use a secure Vcs-Git URL
  * Depend on libasm-java (>= 5.0) instead of libasm4-java

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 01 Apr 2016 22:22:36 +0200

jetty9 (9.2.14-1) unstable; urgency=medium

  * New upstream release (Closes: #795416)

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 17 Dec 2015 15:44:57 +0100

jetty8 (8.1.18-3) unstable; urgency=medium

  * No longer install the default page on updates in /var/lib/jetty8/webapps/root
    if another root application is installed (Closes: #767612)
  * Support the JVMs installed by the older versions of java-package (<< 0.52)
    and the oracle-java{n > 7}-installer packages from webupd8.
  * Updated the error message displayed when the JAVA_HOME variable defined
    in /etc/default/jetty8 doesn't point to a JRE.
  * Removed the unused commons-daemon.jar and tools.jar from the start classpath
  * Invoke Jetty with 'java -jar start.jar' instead of
    'java -cp start.jar org.eclipse.jetty.start.Main'
  * Removed the JDK_DIRS and JSP_COMPILER variables from /etc/default/jetty8
  * Added a VERSION variable in jetty8.init and replaced 'jetty8'
    with 'jetty$VERSION'
  * Added the version in the description of the service
  * Fixed the formatting of the message displayed when starting and stopping
    the service

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 04 Dec 2015 10:06:41 +0100

jetty8 (8.1.18-2) unstable; urgency=medium

  * Changed the default value of NO_START to 0 in /etc/default/jetty8
    and let Jetty start automatically on installing (LP #1194755)
  * Fixed a build failure with maven-debian-helper 2.0
  * Added the missing build dependency on asm
  * Replaced the dependency on libasm3-java with libasm4-java and fixed
    the compatibility with servlets containing Java 8 lambda expressions.
  * Build with the DH sequencer instead of CDBS
  * Ignore the modules with a --ignore parameter in debian/libjetty8-java.poms
    instead of a patch

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 25 Nov 2015 19:01:06 +0100

jetty8 (8.1.18-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 08 Oct 2015 21:49:05 +0200

jetty8 (8.1.17-2) unstable; urgency=medium

  * Added the missing build dependency on libjetty-java (Closes: #796441)

 -- Emmanuel Bourg <ebourg@apache.org>  Sun, 23 Aug 2015 23:14:06 +0200

jetty8 (8.1.17-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 11 May 2015 12:43:18 +0200

jetty8 (8.1.16-4) unstable; urgency=medium

  * Fixed an error on purging jetty8 when authbind is not installed
    (Closes: #767337)
  * Added the missing link to tomcat-util.jar in /usr/share/jetty8/lib/jsp/
    (Closes: #740596)
  * Enable IPv6 by default (Closes: #767369)

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 31 Oct 2014 18:54:25 +0100

jetty8 (8.1.16-3) unstable; urgency=medium

  * Configure Jetty to write the jetty.state file in the /var/lib/jetty8
    directory (Closes: #764454)
  * Standards-Version updated to 3.9.6 (no changes)

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 08 Oct 2014 12:37:56 +0200

jetty8 (8.1.16-2) unstable; urgency=medium

  * Fixed an integration issue with the JSP compiler from Tomcat 7 causing an
    AccessControlException when requesting a JSP.

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 06 Oct 2014 14:33:54 +0200

jetty8 (8.1.16-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Ignore the Maven dependency on the Mycila maven-license-plugin
  * Added authbind support to run Jetty on privileged ports
  * Updated the init.d script to detect the recent JDKs and ignore the old ones
    (Closes: #756310)
  * Fixed the version of the Servlet API in the poms (3.0 instead of 'debian')
  * debian/control:
    - Removed java5-runtime-headless from the acceptable runtime dependencies
      (Jetty 8 requires Java 6)
    - Use distinct descriptions for the jetty8 and libjetty8-java packages
    - jetty8 now depends on libjetty8-extra-java
    - libjetty8-java-doc depends on libservlet3.0-java-doc instead of
      libservlet2.5-java-doc
    - libjetty8-java-doc suggests libjetty8-java instead of libjetty-java
    - Depend on libmail-java instead of libgnumail-java
    - Updated the Homepage field
  * debian/rules: Install the upstream changelog
  * debian/watch: Watch the tags from the Git repository
  * debian/jetty8.init: Added the missing JETTY_CONF variable
  * debian/jetty8.init: Paths relative to JETTY_HOME are now recognized
    in /etc/jetty8/jetty.conf
  * Install the missing Jasper dependencies in /usr/share/jetty8/lib/jsp
  * Reuse and patch the configuration files from the upstream distribution
    instead of installing Debian specific files (Closes: #728380)
  * debian/copyright: Updated the missing file paths reported by Lintian
  * Switch to debhelper level 9

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 11 Sep 2014 19:55:16 +0200

jetty8 (8.1.3-9) unstable; urgency=low

  [ Emmanuel Bourg ]
  * Team upload.
  * Use the Tomcat 7 jars from /usr/share/tomcat7/lib
  * Updated Standards-Version to 3.9.5 (no changes)
  * debian/copyright: Updated the Format URI

  [ Ludovico Cavedon ]
  * Added jars in libjetty8-java for: jetty-jaspi, jetty-jsp, jetty-nested,
    jetty-websocket (Closes: #724973).

 -- Ludovico Cavedon <cavedon@debian.org>  Thu, 05 Dec 2013 22:20:15 -0800

jetty8 (8.1.3-8) unstable; urgency=low

  * Don't build jetty-spdy module with Java 7 (Closes: #717119).
  * Updated d/watch.

 -- Jakub Adam <jakub.adam@ktknet.cz>  Fri, 26 Jul 2013 19:45:24 +0200

jetty8 (8.1.3-7) unstable; urgency=low

  * Removed dependencies on libgnujaf-java.
  * Build-Depends on libservlet3.0-java (>= 7.0.40-2).
    - Previous versions had a problem with maven-repo deployment.

 -- Jakub Adam <jakub.adam@ktknet.cz>  Thu, 16 May 2013 16:34:13 +0200

jetty8 (8.1.3-6) unstable; urgency=low

  [ Emmanuel Bourg ]
  * Team upload.
  * Fixed the watch file
 
  [ tony mancill ]
  * Upload to unstable for the jessie release cycle.

 -- tony mancill <tmancill@debian.org>  Mon, 06 May 2013 07:19:07 -0700

jetty8 (8.1.3-5) experimental; urgency=low

  * Add test-jetty-servlet jar into libjetty8-extra-java.
  * Bump Standards-Version to 3.9.4.

 -- Jakub Adam <jakub.adam@ktknet.cz>  Fri, 05 Apr 2013 09:38:08 +0200

jetty8 (8.1.3-4) unstable; urgency=low

  * Team upload
  * Switch to use of javax.* and standard jar names for Servlet, JSP and
    EL API's (Closes: #678766):
    - d/maven.rules: Fix mapping to javax.* artifacts as published by the 
      latest version of the tomcat7 package. 
    - d/{libjetty8-java,libjetty8-extra-java}.links: Switch use from
      deprecated tomcat-* jar files for Servlet, JSP and EL API's.
    - d/control: Bump minimum version of libtomcat7-java to ensure that
      the correct API jars/artifacts are provided.

 -- James Page <james.page@ubuntu.com>  Mon, 25 Jun 2012 16:02:46 +0200

jetty8 (8.1.3-3) unstable; urgency=low

  * Team upload.
  * Allow co-installation of libjetty-java-doc with libjetty8-java-doc.
    (Closes: #674204).

 -- Miguel Landaeta <miguel@miguel.cc>  Tue, 29 May 2012 21:45:21 +0200

jetty8 (8.1.3-2) unstable; urgency=low

  * Fix server startup when jsvc is not installed.
  * Fix a typo in binary package dependencies (jstl1.1-java to
    libjstl1.1-java)

 -- Jakub Adam <jakub.adam@ktknet.cz>  Wed, 23 May 2012 07:49:07 +0200

jetty8 (8.1.3-1) unstable; urgency=low

  * New upstream release.
  * Bump Standards-Version to 3.9.3.

 -- Jakub Adam <jakub.adam@ktknet.cz>  Sun, 13 May 2012 14:54:06 +0200

jetty (6.1.24-6) unstable; urgency=medium

  * Removed Depends on JREs for library packages, no longer required
    by the policy.
  * Added missing depends on JREs for the jetty package.
  * Made init script ignore weird exit statuses from logrotate.
    (Closes: 589681, LP: #607202)
  * Fixed broken restart command in jetty init script. Was missing a
    negation.

 -- Niels Thykier <niels@thykier.net>  Mon, 05 Jul 2010 22:28:14 +0200

jetty (6.1.24-5) unstable; urgency=low

  * Ignore test failures. (Closes: #586635)
  * Remove debian/.mh in clean target.

 -- Torsten Werner <twerner@debian.org>  Tue, 29 Jun 2010 20:53:42 +0200

jetty (6.1.24-4) unstable; urgency=low

  * Updated the versions in the Manifests to match the actual version
    of jetty.
  * Remove all use of sudo in jetty.init. (Closes: #580639)
  * Fixed some formatting issues in the NEWS file.
  * Bumped debhelper compat to 7.
  * Made the javadoc link against system javadocs. This includes adding
    Recommends on various java-doc packages.

 -- Niels Thykier <niels@thykier.net>  Sun, 20 Jun 2010 14:49:32 +0200

jetty (6.1.24-3) unstable; urgency=low

  [ Torsten Werner ]
  * Merge changes from Ubuntu version 6.1.22-1ubuntu1:
    - debian/build.xml, debian/module.xml: Enable tests in the jetty module
    - debian/rules: Adding slf4j-simple to the DEB_JARS since it's used in
      tests
    - debian/rules, debian/control: Added junit and ant-optional needed for
      tests

  [ Miguel Landaeta ]
  * Enable jetty-plus and jetty-annotations modules. (Closes: #585387).

 -- Torsten Werner <twerner@debian.org>  Thu, 10 Jun 2010 14:07:51 -0430

jetty (6.1.24-2) unstable; urgency=low

  * Set JAVA_HOME in d/rules to /usr/lib/jvm/default-java. (Closes: #578618,
    #579469)
  * Fix the installation of jetty-util5.jar. (Closes: #569328)

 -- Torsten Werner <twerner@debian.org>  Thu, 29 Apr 2010 07:36:43 +0200

jetty (6.1.24-1) unstable; urgency=low

  [ Niels Thykier ]
  * Reduced Depends on libjetty-java-doc to a Suggests. (Closes: #569293)
  * Clarified what JETTY_HOST should be set to in order to accept all
    connections. (Closes: #554874)
  * Bumped Standards-Version to 3.8.4 - no changes required.

  [ Torsten Werner ]
  * New upstream release.
  * Change Build-Depends: default-jdk. (Closes: #578618)
  * Switch to source format 3.0.

 -- Torsten Werner <twerner@debian.org>  Fri, 23 Apr 2010 23:55:35 +0200

jetty (6.1.22-1ubuntu1) lucid; urgency=low

  * debian/build.xml, debian/module.xml: Enable tests in the jetty module
  * debian/rules: Adding slf4j-simple to the DEB_JARS since it's used in tests
  * debian/rules, debian/control: Added junit and ant-optional needed for tests
  * debian/control, debian/rules: Build with default-jdk.

 -- Thierry Carrez <thierry.carrez@ubuntu.com>  Tue, 26 Jan 2010 09:52:06 +0100

jetty (6.1.22-1) unstable; urgency=medium

  * New upstream release. (Closes: #553644)
  * Added OSGi bundle metadata (by upstream). (Closes: #558187)
  * Corrected path to jetty web-apps (by Niels Thykier). (Closes: #554877)

 -- Pablo Duboue <pablo.duboue@gmail.com>  Sun, 13 Dec 2009 1:55:00 -0400
  
jetty (6.1.21-1) unstable; urgency=medium

  * New upstream release.
  * Stopped using /tmp/jetty-temp in /etc/init.d/jetty for security
    reasons.
    - JVM_TMP is now /var/cache/jetty/tmp
    - JETTY_TMP is now /var/cache/jetty/data
  * The postrm script no longer deletes files in /tmp/jetty-temp.
  * Removed Philipp Meier from Uploaders (last upload was 2006-06-07).
    Thanks for your work on this package.
  * Corrected javadoc symlink in binary package jetty.

 -- Niels Thykier <niels@thykier.net>  Fri, 23 Oct 2009 20:45:43 +0200

jetty (6.1.20-2) unstable; urgency=low

  * Move documentation to /usr/share/doc/libjetty-java
  * Better postinst and postrm scripts, aligned with tomcat6 scripts:
     - postinst: user jetty is created with its own group
     - postrm: better cleanup of temporary data,
       thorough remove and purge of data
  * debian/changelog:
    - fix suggest for package libjetty-java-doc, add libjetty-java-doc
      to the list of Suggests for libjetty-java
    - add libjetty-extra to the list of Suggests for package jetty.

 -- Ludovic Claude <ludovic.claude@laposte.net>  Mon, 07 Sep 2009 00:22:20 +0100

jetty (6.1.20-1) unstable; urgency=medium

  [ Niels Thykier ]
  * New upstream release.
  * Stop using Build-Depends-Indep, since the policy and the build
    daemons disagree on when it should be used (Closes: #540861).
  * Corrected jetty.install to reflect the move of some license files
    in the source tree.
  * Bumped to Standard-Versions 3.8.3 - no changes required.
  * Updated jetty.post{install,rm} scripts to use "set -e" instead of
    passing it to sh.
  * Installed "VERSION.txt" as upstream changelog.
  * A previous version (6.1.18-1) fixed the following security problems, which
    were not mentioned in the changelog: CVE-2007-5613, CVE-2007-5614,
    CVE-2007-5615, CVE-2009-1523, and CVE-2009-1524 (see below for more
    information).

  [ Torsten Werner ]
  * Set urgency to medium because this version fixes a FTBFS.

 -- Torsten Werner <twerner@debian.org>  Sun, 06 Sep 2009 23:06:45 +0200

jetty (6.1.19-2) unstable; urgency=low

  * Upload to unstable.

 -- Torsten Werner <twerner@debian.org>  Sun, 09 Aug 2009 08:48:10 +0200

jetty (6.1.19-1) experimental; urgency=low

  [ Ludovic Claude ]
  * New upstream release fixing a security vulnerability
    (cookies are not secure if you are running behind a netscaler).
  * Remove the bootstrap patch as it has been added upstream and update
    the build to use the new start-daemon component.
  * Remove the Build-Depend on quilt as the patch is not needed anymore.
  * Add the Maven POM to the package.
  * Add a Build-Depends dependency on maven-repo-helper.
  * Use mh_installpom and mh_installjar to install the POM and the jar to the
    Maven repository.
  * Add optional support for web applications located in /usr/share/webapps.
  * Add a cron job that cleans up the old log files in /var/log/jetty.
  * Register the Javadoc into Debian documentation and put it in a
    separate package (libjetty-java-doc).
  * Use openjdk-6-jdk for the build; add a Build-Depends on this
    package. Required to build the javadoc.
  * Update debian/copyright (patch provided by Jan Pascal Vanbest
    <janpascal@vanbest.org>).

  [ Torsten Werner ]
  * Add myself to Uploaders.
  * Update Standards-Version: 3.8.2.
  * Move package libjetty-java-doc to Section: doc.
  * Fix init script: check for /etc/default/rcS before reading it.

 -- Torsten Werner <twerner@debian.org>  Tue, 14 Jul 2009 11:50:43 +0200

jetty (6.1.18-1) unstable; urgency=low

  [Ludovic Claude]
  * Add myself to Uploaders.
  * Change the build dependency on java-gcj to default-jdk.
  * Add init.d startup script.
  * Add dependencies on ant, libslf4j-java, libxerces2-java, libtomcat6-java
    for libjetty-extra-java, add links for the lib folder.
  * Add dependency on jsvc to run jetty as a daemon.
  * Add the package libjetty-setuid-java for the Setuid module (with native
    code).
  * Add an index page used when Jetty starts.
  * Use latest jasper from Tomcat to provide jsp 2.1 instead of
    Glassfish JSP implementation as in the standard distribution.
  * Add tools.jar to the classpath to be able to run JSP (Closes: #452586).
  * Fix Lintian warnings: add ${misc:Depends} to all Depends.
  * Move jetty to main as all its dependencies are in main,
    and jetty contains only code that complies with Debian guidelines,
    use java section like tomcat6
    (Closes: #498582).
  * Do not depend on tomcat 5.5 (Closes: #530720, #458399).
  * Remove empty prerm and preinst scripts.
  * Remove old patches that don't apply anymore.
  * Update copyright and remove full text of Apache license.
  * Bump up compat to 6 and Standards-Version to 3.8.1.

  [David Yu]
  * New upstream release for jetty
    (Closes: #528389, #527571, #454529, #425152).
  * Fixed jetty.links. Now delegates install of start.jar to libjetty-java.

  [ Torsten Werner ]
  * fixes several security issues:
    - CVE-2007-5613: Cross-site scripting (XSS) vulnerability in Dump Servlet.
    - CVE-2007-5614: Quote Sequence vulnerability.
    - CVE-2007-5615: CRLF injection vulnerability.
    - CVE-2009-1523: Directory traversal vulnerability in the HTTP server in
    Mort Bay Jetty.
    - CVE-2009-1524: Cross-site scripting (XSS) vulnerability in Mort
    Bay Jetty.
    (Closes: #454529, #528389, #527571, #543462).

 -- Ludovic Claude <ludovic.claude@laposte.net>  Fri, 12 Jun 2009 17:19:08 +0100

jetty (5.1.14-1) unstable; urgency=low

  * New upstream release.
    - Removed debian/patches/cve-2007-6969.patch. Applied upstream.
  * Added recognition of installed libcommons-el-java to debian/start.config.
    Closes: #352093.
  * Fixed short and long service description in debian/jetty.init.
    Closes: #446788.
  * Removed libapache2-mod-webapp from Suggests.
  * Added watch file.

 -- Michael Koch <konqueror@gmx.de>  Wed, 24 Oct 2007 14:14:45 +0200

jetty (5.1.10-4) unstable; urgency=low

  * Added patch to fix CVE-2006-6969. Thanks to Greg Wilkins for the patch.
    Closes: #445283.
  * Updated debian/patches/jdk-1.2-src-encoding.patch to make it work with
    current ecj.

 -- Michael Koch <konqueror@gmx.de>  Fri, 05 Oct 2007 07:34:55 +0200

jetty (5.1.10-3) unstable; urgency=low

  * Fix debian/jetty.init to permit removal without purge and offer a new
    NO_START option in /etc/default/jetty. Closes: #356067.
    Thanks to Loic Minier for the patch.
  * Added additional paths to JDK_DIRS in debian/jetty.init.
    Closes: #405851.
  * (Build-)Depends on java-gcj-compat.
  * Moved debhelper from Build-Depends-Indep to Build-Depends.
  * Removed Build-Depends on libtomcat5-java and replace Depends on
    libtomcat5-java by libtomcat5.5-java.
  * Added LSB section in debian/jetty.init.
  * Removed extra license file from /usr/share/doc/jetty.
  * Added myself to Uploaders.

 -- Michael Koch <konqueror@gmx.de>  Tue, 24 Jul 2007 20:40:27 +0200

jetty (5.1.10-2) unstable; urgency=low

  * Fix in init script for new version of su (closes #367491).
  * Create logfile if not existing. Acknowledge NMU (closes #356066).

 -- Philipp Meier <meier@fnogol.de>  Tue, 30 May 2006 10:46:21 +0200

jetty (5.1.10-1) unstable; urgency=low

  * New upstream release.
  * Security fixes for windows.
  * Fixed path aliasing with // on windows.
  * Fix for AJP13 with multiple headers.
  * Fix for AJP13 with encoded path.
  * Remove null dispatch attributes from getAttributeNames.
  * Put POST content default back to iso_8859_1. GET is UTF-8
    still.

 -- Philipp Meier <meier@fnogol.de>  Tue, 30 May 2006 10:40:18 +0200

jetty (5.1.8-3) unstable; urgency=low

  * Enhance dependencies.

 -- Philipp Meier <meier@fnogol.de>  Fri, 16 Dec 2005 10:53:48 +0100

jetty (5.1.8-2) unstable; urgency=low

  * Add dependency on apache2-util for log rotation. Closes: #343177.

 -- Philipp Meier <meier@fnogol.de>  Tue, 13 Dec 2005 14:28:09 +0100

jetty (5.1.8-1) unstable; urgency=low

  * New upstream release.

  From 5.1.8:

  * Fixed space in URL issue created in 5.1.6.

  From 5.1.7:

  * improved server stats.
  * char encoding for MultiPartRequest.
  * fixed merging of POST params in dispatch query string.
  * protect from NPE in dispatcher getValues.
  * Updated to 2.6.2 xerces.
  * JSP file servlet mappings copy JspServlet init params.
  * Prefix servlet context logs with org.mortbay.jetty.context.
  * better support for URI character encodings.
  * use commons logging jar instead of api jar.

 -- Philipp Meier <meier@fnogol.de>  Wed,  7 Dec 2005 11:06:10 +0100

jetty (5.1.6-1) unstable; urgency=high

  * New upstream release.
  * Fixed JSP visibility security issue in upstream.
  * Fix location of jasper since upgrade to tomcat5. Closes: #333010.

 -- Philipp Meier <meier@fnogol.de>  Wed, 30 Nov 2005 15:20:47 +0100

jetty (5.1.5rc1-5) unstable; urgency=low

  Patch from Oyvind Harboe <oyvind.harboe@zylin.com>:

  * increased default amount of memory available to 256Mbyte.
    the advantage of having more heap available is that more
    applications will be able to run without modification to
    the standard Jetty configuration.
  * added -Djava.library.path=/usr/lib to VM arguments. This is
    required to make e.g. the librxtx-java package work.
  * Closes: #32960.

 -- Philipp Meier <meier@fnogol.de>  Thu, 22 Sep 2005 16:13:16 +0200

jetty (5.1.5rc1-4) unstable; urgency=low

  Patch from Oyvind Harboe <oyvind.harboe@zylin.com>:

  * Fixed rc script /etc/init.d/jetty. "stop" could leave dangling
    /var/run/jetty.pid. Fixed this by adding "--oknodo" to
    "start-stop-daemon --stop" command.
  * Removed trailing "/" from LOGDIR which caused
    /var/log/out.log not to be created.
  * /etc/init.d/jetty start will now deal more gracefully with a
    dangling /var/run/jetty.pid. A dangling jetty.pid is detected
    and ignored.
  * Closes: #326176.

 -- Philipp Meier <meier@fnogol.de>  Fri,  2 Sep 2005 13:40:59 +0200

jetty (5.1.5rc1-3) unstable; urgency=low

  * Removed -v from ant opts during build.
  * Remove pid file on stop. Closes: #325667
  * Fix location of ant-1.6.jar in start.config. Closes: #324472.

 -- Philipp Meier <meier@fnogol.de>  Tue, 30 Aug 2005 13:37:15 +0200

jetty (5.1.5rc1-2) unstable; urgency=low

  * Builds with kaffe.
  * Adds patch to exclude Sun JSSE if not available.

 -- Philipp Meier <meier@fnogol.de>  Sat, 27 Aug 2005 14:21:12 +0200

jetty (5.1.5rc1-1) unstable; urgency=low

  * New upstream release.

 -- Philipp Meier <meier@fnogol.de>  Fri, 26 Aug 2005 12:53:50 +0200

jetty (5.1.4-1) unstable; urgency=low

  * New upstream release.
  * Added myself to Uploaders in control.
  * Standards-Version bumped to 3.6.2.
  * Removed debian/watch which will not work with sourceforge.
  * Manage changes to upstream with cdbs simple-patchsys.
  * Fixed rc script /etc/init.d/jetty.
  * Adjusted new location of servlet.jar. Closes: #280139.

 -- Philipp Meier <meier@fnogol.de>  Fri, 12 Aug 2005 18:14:28 +0200

jetty (5.0.0-3) unstable; urgency=low

  * Package is now maintained by pkg-java. Maintainer was updated.
  * Disable validation of xml files in start.config by default.
    Closes: #298731.
  * Add /usr/lib/j2sdk1.5-sun to JAVA_HOME_DIRS in debian/rules.

 -- Philipp Meier <meier@fnogol.de>  Thu, 30 Jun 2005 14:32:31 +0200

jetty (5.0.0-2.1) unstable; urgency=low

  * Non-maintainer upload.
  * Transition to liblog4j1.2-java.  Closes: #306761.

 -- Matej Vela <vela@debian.org>  Mon,  2 May 2005 12:12:12 +0200

jetty (5.0.0-2) unstable; urgency=low

  * Shipping working default configuration in /etc/jetty/jetty.xml.
    Closes: #278134

 -- Philipp Meier <meier@fnogol.de>  Mon, 25 Oct 2004 11:52:25 +0200

jetty (5.0.0-1) unstable; urgency=low

  * New upstream release.

 -- Philipp Meier <meier@fnogol.de>  Thu, 16 Sep 2004 00:40:41 +0200

jetty (4.2.22-2) unstable; urgency=low

  * New upstream release.
  * Changed maintainer email.

 -- Philipp Meier <meier@fnogol.de>  Wed, 25 Aug 2004 18:14:56 +0200

jetty (4.2.21-1) unstable; urgency=low

  * New upstream release.

 -- Philipp Meier <meier@meisterbohne.de>  Mon, 23 Aug 2004 15:23:25 +0200

jetty (4.2.19-1) unstable; urgency=high

  * New upstream release.
  * Fixed DOS attack problem.

 -- Philipp Meier <meier@meisterbohne.de>  Fri, 19 Mar 2004 17:55:45 +0100

jetty (4.2.18-1) unstable; urgency=low

  * New upstream release.
  * Package description of jetty-extra lists the
    extensions provided. Closes: #232824

 -- Philipp Meier <meier@meisterbohne.de>  Mon,  1 Mar 2004 13:54:01 +0100

jetty (4.2.15-1) unstable; urgency=low

  * Adds missing javadoc to /usr/share/doc/
  * Removes invalid libxdoclet-java from Build-Depends.
  * Fixed clean target in upstream's extra build file. Building
    jetty twice from the debianized source should work now.

 -- Philipp Meier <meier@meisterbohne.de>  Thu, 15 Jan 2004 14:00:13 +0100

jetty (4.2.15) unstable; urgency=low

  * New upstream release.
  * New additional package jetty-extra.
  * Updated standards version from 3.5.10 to 3.6.0
  * Build target directory are no longer in debian because
    the customization of the build process does not really pay off.

 -- Philipp Meier <meier@meisterbohne.de>  Wed, 14 Jan 2004 14:00:01 +0100

jetty (4.2.12-2) unstable; urgency=low

  * Fixes start.config to make jetty run with kaffe.
  * Updated standards version from 3.5.8 to 3.5.10.

 -- Philipp Meier <meier@meisterbohne.de>  Fri, 29 Aug 2003 14:43:40 +0200

jetty (4.2.12-1) unstable; urgency=low

  * New upstream release.

 -- Philipp Meier <meier@meisterbohne.de>  Tue, 12 Aug 2003 14:07:56 +0200

jetty (4.2.11-7) unstable; urgency=low

  * Adds alternative dependency on j2sdk1.4.
  * Fixes typos in debian/TODO.
  * Adds ant to classpath because jasper needs it.

 -- Philipp Meier <meier@meisterbohne.de>  Thu,  7 Aug 2003 20:34:19 +0200

jetty (4.2.11-6) unstable; urgency=low

  * Removes DH_VERBOSE from debian/rules.
  * /etc/jetty will be removed on purge.
  * Add build-dependency on j2sdk1.4.

 -- Philipp Meier <meier@meisterbohne.de>  Wed, 23 Jul 2003 15:38:05 +0200

jetty (4.2.11-5) unstable; urgency=low

  * Fix for /etc/default/jetty which was misplaced.
  * Fixes messed-up corrections for javadoc tags. Introduced before.

 -- Philipp Meier <meier@meisterbohne.de>  Wed, 23 Jul 2003 01:11:42 +0200

jetty (4.2.11-4) unstable; urgency=low

  * Jetty depends on j2re1.4 until build process of jetty
    with java < 1.4 works.
  * Fixes in build process.

 -- Philipp Meier <meier@meisterbohne.de>  Thu, 17 Jul 2003 12:56:14 +0200

jetty (4.2.11-3) unstable; urgency=low

  * Creates /usr/share/java/webapps if necessary.
  * No longer uses symlinks in ext but a debianized start.config.
  * Changed to multiline logging.
  * Removed demo webapps and provides a preliminary debian jetty root.
  * Fixes /etc/defaults/jetty to be /etc/default/jetty.

 -- Philipp Meier <meier@meisterbohne.de>  Thu, 17 Jul 2003 12:56:03 +0200

jetty (4.2.11-2) unstable; urgency=low

  * Adds build dependencies on libmx4j-java and iblog4j-java.
  * Removes comment about "Tomcat 4" from /etc/jetty.init.
  * Renamed debian/{pre,post}{inst,rm} to debian/jetty.*
  * Enables javac.debug to provide useful stack traces.

 -- Philipp Meier <meier@meisterbohne.de>  Tue, 15 Jul 2003 21:50:36 +0200

jetty (4.2.11-1) unstable; urgency=low

  * Initial Release.

 -- Philipp Meier <meier@meisterbohne.de>  Mon, 14 Jul 2003 13:21:36 +0200