File: changelog

package info (click to toggle)
tomcat11 11.0.6-1
links: PTS, VCS
area: main
in suites: forky, sid, trixie
size: 46,360 kB
sloc: java: 366,026; xml: 55,052; jsp: 4,700; sh: 1,304; perl: 314; makefile: 25; ansic: 15
file content (1248 lines) | stat: -rw-r--r-- 44,441 bytes
tomcat11 (11.0.6-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 03 Apr 2025 22:30:12 +0200

tomcat11 (11.0.5-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.7.2

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 17 Mar 2025 08:30:29 +0100

tomcat11 (11.0.3-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - No longer support the security manager
    - Require Java 17 or higher

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 13 Feb 2025 23:33:22 +0100

tomcat10 (10.1.35-1) unstable; urgency=medium

  * New upstream version 10.1.35.
  * Refresh the patches.

 -- Markus Koschany <apo@debian.org>  Sun, 09 Feb 2025 00:19:28 +0100

tomcat10 (10.1.34-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 17 Dec 2024 08:16:03 +0100

tomcat10 (10.1.33-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Sat, 23 Nov 2024 19:37:37 +0100

tomcat10 (10.1.31-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 23 Oct 2024 18:33:07 +0200

tomcat10 (10.1.30-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Depend on libbyte-buddy-java instead of libcglib-nodep-java
  * Fixed the taglibs tests
  * Fixed the database tests
  * No longer attempt to run the non compiled TestJNDIRealmIntegration test

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 16 Sep 2024 18:47:28 +0200

tomcat10 (10.1.25-2) unstable; urgency=medium

  * Add the missing dependency on libeclipse-jdt-core-compiler-batch-java
    (Closes: #1078372)

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 20 Aug 2024 17:47:28 +0200

tomcat10 (10.1.25-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 03 Jul 2024 23:57:31 +0200

tomcat10 (10.1.23-1) unstable; urgency=medium

  * New upstream version 10.1.23
  * Refresh the patches.
  * Declare compliance with Debian Policy 4.7.0.

 -- Markus Koschany <apo@debian.org>  Thu, 18 Apr 2024 22:34:59 +0200

tomcat10 (10.1.20-1) unstable; urgency=high

  * New upstream version 10.1.20.
    - Fix CVE-2024-24549: Denial of Service due to improper input validation
      vulnerability. (Closes: #1066878)
    - Fix CVE-2024-23672: Denial of Service via incomplete cleanup
      vulnerability. (Closes: #1066877)
  * Remove obsolete dependency on lsb-base from tomcat10 binary package.

 -- Markus Koschany <apo@debian.org>  Sat, 06 Apr 2024 13:43:19 +0200

tomcat10 (10.1.16-1) unstable; urgency=medium

  * New upstream version 10.1.16.
    - Fix CVE-2023-46589: potential request smuggling. (Closes: #1057082)

 -- Markus Koschany <apo@debian.org>  Sun, 03 Dec 2023 13:31:22 +0100

tomcat10 (10.1.15-1) unstable; urgency=medium

  [ Emmanuel Bourg ]
  * Build depend on the versionless tomcat-jakartaee-migration jar.
    (Closes: #1054705)

  [ Markus Koschany ]
  * New upstream version 10.1.15.

 -- Markus Koschany <apo@debian.org>  Fri, 27 Oct 2023 22:40:52 +0200

tomcat10 (10.1.14-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 10 Oct 2023 09:44:59 +0200

tomcat10 (10.1.13-1) unstable; urgency=medium

  * New upstream version 10.1.13.
  * Refresh the patches.

 -- Markus Koschany <apo@debian.org>  Fri, 01 Sep 2023 13:47:35 +0200

tomcat10 (10.1.10-1) unstable; urgency=medium

  * New upstream version 10.1.10.

 -- Markus Koschany <apo@debian.org>  Sun, 18 Jun 2023 18:16:33 +0200

tomcat10 (10.1.9-1) experimental; urgency=medium

  * New upstream version 10.1.9.

 -- Markus Koschany <apo@debian.org>  Tue, 16 May 2023 11:32:58 +0200

tomcat10 (10.1.8-1) experimental; urgency=medium

  * New upstream version 10.1.8.

 -- Markus Koschany <apo@debian.org>  Tue, 25 Apr 2023 21:54:20 +0200

tomcat10 (10.1.7-1) experimental; urgency=medium

  * New upstream version 10.1.7.

 -- Markus Koschany <apo@debian.org>  Wed, 12 Apr 2023 00:27:16 +0200

tomcat10 (10.1.6-1) unstable; urgency=medium

  * New upstream version 10.1.6
  * Tighten dependency on libtcnative-1.
  * Refresh the patches.

 -- Markus Koschany <apo@debian.org>  Thu, 23 Feb 2023 12:49:47 +0100

tomcat10 (10.1.5-2) unstable; urgency=medium

  * Install and link to websocket-client-api.jar. Fixes ClassNotFoundException.
    Thanks to Jorge Moraleda for the report. (Closes: #1030869)

 -- Markus Koschany <apo@debian.org>  Sun, 12 Feb 2023 19:27:47 +0100

tomcat10 (10.1.5-1) unstable; urgency=medium

  * New upstream version.
  * Drop tomcat-jakartaee-migration.patch. Fixed upstream.
  * Refresh the patches.

 -- Markus Koschany <apo@debian.org>  Wed, 01 Feb 2023 00:13:09 +0100

tomcat10 (10.0.27-1) unstable; urgency=medium

  * New upstream version.
  * Release to unstable.
  * Make tomcat9 and tomcat10 co-installable. (Closes: #965006)
  * Tomcat 10 can be built from source again. (Closes: #1028632)
  * Add myself to Uploaders.
  * Declare compliance with Debian Policy 4.6.2.

 -- Markus Koschany <apo@debian.org>  Mon, 16 Jan 2023 22:51:22 +0100

tomcat10 (10.0.0~M7-1) experimental; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Fixed the compatibility with the version of bnd in Debian
  * Set the generic version of the Maven artifacts to 10.x (Fixes: #965006)
  * Grant write access on /var/log/tomcat10 to the adm group

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 14 Jul 2020 20:14:44 +0200

tomcat10 (10.0.0~M6-1) experimental; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Renamed the package to tomcat10
    - Migrate the taglibs-standard libraries to the Jakarta EE namespace

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 15 Jun 2020 09:51:05 +0200

tomcat9 (9.0.70-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 05 Dec 2022 18:50:40 +0100

tomcat9 (9.0.68-1) unstable; urgency=medium

  * New upstream release
  * Look for OpenJDK 17 and up to 21 when starting the server (Closes: #1020948)
  * Simplified the Maven rules

 -- Emmanuel Bourg <ebourg@apache.org>  Sat, 08 Oct 2022 13:53:36 +0200

tomcat9 (9.0.67-1) unstable; urgency=medium

  * Team upload.

  [ Thorsten Glaser ]
  * Fix a Policy violation in the Depends of bin:tomcat9

  [ Emmanuel Bourg ]
  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 27 Sep 2022 00:49:00 +0200

tomcat9 (9.0.65-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 9.0.65.

 -- Markus Koschany <apo@debian.org>  Fri, 12 Aug 2022 12:56:06 +0200

tomcat9 (9.0.64-2) unstable; urgency=medium

  * Fallback to the default log formatter when systemd isn't used
  * Depend on systemd-sysusers and systemd-tmpfiles instead of systemd
  * Depend on libeclipse-jdt-core-java (>= 3.26.0)

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 21 Jun 2022 14:59:03 +0200

tomcat9 (9.0.64-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.6.1

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 20 Jun 2022 15:17:59 +0200

tomcat9 (9.0.63-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 9.0.63.
    - Fix CVE-2022-29885: Improve documentation for the EncryptInterceptor and
      do not claim it protects against all risks associated with running over
      any untrusted network.

 -- Markus Koschany <apo@debian.org>  Fri, 13 May 2022 14:04:35 +0200

tomcat9 (9.0.62-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 9.0.62.
  * Drop 0027-java11-compilation.patch because it is apparently no longer
    required.
  * Refresh disable-jacoco.patch for new release.
  * Depend on java11-runtime-headless because Java 8 is no longer supported.
    Thanks to Per Lundberg for the report. (Closes: #1006647)

 -- Markus Koschany <apo@debian.org>  Fri, 29 Apr 2022 23:10:59 +0200

tomcat9 (9.0.58-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 9.0.58.
  * Add disable-jacoco.patch and remove the dependency on jacoco when running
    the test suite.

 -- Markus Koschany <apo@debian.org>  Wed, 09 Feb 2022 15:51:20 +0100

tomcat9 (9.0.55-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 9.0.55.

 -- Markus Koschany <apo@debian.org>  Mon, 15 Nov 2021 22:12:42 +0100

tomcat9 (9.0.54-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 9.0.54.
    - Fix CVE-2021-42340:
      The fix for bug 63362 introduced a memory leak. The object introduced to
      collect metrics for HTTP upgrade connections was not released for
      WebSocket connections once the connection was closed. This created a
      memory leak that, over time, could lead to a denial of service via an
      OutOfMemoryError.
  * Update 0010-debianize-build-xml.patch and depend on the setup-bnd task to
    prevent a FTBFS when building the tests. This replaces the workaround by
    setting addOSGi to false.
    Thanks to Aurimas Fišeras for the report.

 -- Markus Koschany <apo@debian.org>  Fri, 22 Oct 2021 21:59:08 +0200

tomcat9 (9.0.53-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 9.0.53.
    - Drop security patches. Fixed upstream.
    - Fix CVE-2021-41079:
      Apache Tomcat did not properly validate incoming TLS packets. When Tomcat
      was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially
      crafted packet could be used to trigger an infinite loop resulting in a
      denial of service.
  * Declare compliance with Debian Policy 4.6.0.
  * Set the fileOwner of catalina.out to tomcat explicitly.
    Thanks to Adam Cecile for the report. (Closes: #987179)
  * Refresh 0021-dont-test-unsupported-ciphers.patch
  * tomcat9.cron.daily: Set maxdepth to 1 so that log files of custom
    applications in subdirectories of /var/log/tomcat9 are not compressed.
    Thanks to Ludovic Pouzenc for the report. (Closes: #982961)
  * Exclude TestJNDIRealmIntegration because of missing dependencies.

 -- Markus Koschany <apo@debian.org>  Fri, 24 Sep 2021 15:37:51 +0200

tomcat9 (9.0.43-3) unstable; urgency=medium

  * Team upload.
  * CVE-2021-30640: Fix NullPointerException.
    If no userRoleAttribute is specified in the user's Realm configuration its
    default value will be null. This will cause a NPE in the methods
    doFilterEscaping and doAttributeValueEscaping. This is upstream bug
    https://bz.apache.org/bugzilla/show_bug.cgi?id=65308

 -- Markus Koschany <apo@debian.org>  Tue, 10 Aug 2021 17:17:56 +0200

tomcat9 (9.0.43-2) unstable; urgency=medium

  * Team upload.

  [ mirabilos ]
  * fix /var/log/tomcat9 permissions
    fixup for commit 51128fe9fb2d4d0b56be675d845cf92e4301a6c3

  [ Markus Koschany ]
  * Fix CVE-2021-30640:
    A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to
    authenticate using variations of a valid user name and/or to bypass some of
    the protection provided by the LockOut Realm.
  * Fix CVE-2021-33037:
    Apache Tomcat did not correctly parse the HTTP transfer-encoding request
    header in some circumstances leading to the possibility to request
    smuggling when used with a reverse proxy. Specifically: - Tomcat
    incorrectly ignored the transfer encoding header if the client declared it
    would only accept an HTTP/1.0 response; - Tomcat honoured the identify
    encoding; and - Tomcat did not ensure that, if present, the chunked
    encoding was the final encoding.
    (Closes: #991046)

 -- Markus Koschany <apo@debian.org>  Sat, 07 Aug 2021 00:11:43 +0200

tomcat9 (9.0.43-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Rotate the catalina.out log file with the tomcat user (Closes: #971583)
  * Switch to debhelper level 13

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 02 Feb 2021 20:23:51 +0100

tomcat9 (9.0.41-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.5.1

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 09 Dec 2020 16:03:00 +0100

tomcat9 (9.0.40-1) unstable; urgency=medium

  [ Emmanuel Bourg ]
  * New upstream release
    - Refreshed the patches
  * Changed the home directory of the tomcat user to /var/lib/tomcat
    (Closes: #926338)

  [ Vincent McIntyre ]
  * Automatically export the JAVA_HOME environment variable when the value
    is defined in /etc/defaults/tomcat9 (Closes: #966338)

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 24 Nov 2020 08:21:29 +0100

tomcat9 (9.0.39-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * tomcat9-user now depends on netcat-openbsd instead of netcat
    (Closes: #966158)

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 12 Oct 2020 17:16:57 +0200

tomcat9 (9.0.38-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 16 Sep 2020 16:04:03 +0200

tomcat9 (9.0.37-3) unstable; urgency=medium

  * control: Bump build-dep on bnd, drop bnd compat and re-export patches.
    (Closes: #964433)

 -- Timo Aaltonen <tjaalton@debian.org>  Thu, 06 Aug 2020 18:59:11 +0300

tomcat9 (9.0.37-2) unstable; urgency=medium

  * d/p/0029-fix-regression-in-bz64540.patch: Re-export util.net.jsse
    and util.modeler.modules. (Closes: #964433)

 -- Timo Aaltonen <tjaalton@debian.org>  Tue, 28 Jul 2020 14:09:13 +0300

tomcat9 (9.0.37-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Fixed the compatibility with the version of bnd in Debian
  * Restored execute permission on /var/log/tomcat9 to the adm group

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 06 Jul 2020 22:39:32 +0200

tomcat9 (9.0.36-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Grant write access on /var/log/tomcat9 to the adm group (LP: #1861881)

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 23 Jun 2020 11:47:47 +0200

tomcat9 (9.0.35-1) unstable; urgency=medium

  * New upstream release
    - Fixes CVE-2020-9484: Remote Code Execution via session persistence (Closes: #961209)
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 21 May 2020 15:50:03 +0200

tomcat9 (9.0.34-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Depend on libeclipse-jdt-core-java (>= 3.18.0)
  * Switch to debhelper level 12

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 27 Apr 2020 00:36:59 +0200

tomcat9 (9.0.31-1) unstable; urgency=medium

  * New upstream release
    - Fixes CVE-2019-10072: Denial of Service (Closes: #930872)
    - Fixes CVE-2019-12418: Local Privilege Escalation
    - Fixes CVE-2019-17563: Session fixation attack
    - Fixes CVE-2019-17569: HTTP Request Smuggling
    - Fixes CVE-2020-1935: HTTP Request Smuggling
    - Fixes CVE-2020-1938: AJP Request Injection (Closes: #952437)
    - Fixes CATALINA_PID handling in catalina.sh (Closes: #948553)
    - Refreshed the patches
    - Fixed the compilation with Java 11
  * Moved the RequiresMountsFor directive in the service file
    to the Unit section (Closes: #942316)
  * Tightened the dependency on systemd (Closes: #931997)
  * Standards-Version updated to 4.5.0

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 24 Feb 2020 23:37:00 +0100

tomcat9 (9.0.27-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.4.1

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 14 Oct 2019 11:31:50 +0200

tomcat9 (9.0.24-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 22 Aug 2019 13:55:14 +0200

tomcat9 (9.0.22-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Track and download the new releases from GitHub
  * Standards-Version updated to 4.4.0

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 12 Jul 2019 15:01:28 +0200

tomcat9 (9.0.16-4) unstable; urgency=medium

  * Team upload.

  [ Emmanuel Bourg ]
  * Fixed CVE-2019-0221: The SSI printenv command echoes user provided data
    without escaping and is, therefore, vulnerable to XSS. SSI is disabled
    by default (Closes: #929895)

  [ Thorsten Glaser ]
  * Remove -XX:+UseG1GC from standard JAVA_OPTS; the JRE chooses
    a suitable GC automatically anyway (Closes: #925928)
  * Correct the ownership and permissions on the log directory:
    group adm and setgid (Closes: #925929)
  * Make the startup script honour the (renamed) $SECURITY_MANAGER
  * debian/libexec/tomcat-locate-java.sh: Remove shebang and make
    not executable as this is only ever sourced (makes no sense otherwise)

  [ Christian Hänsel ]
  * Restored the variable expansion in /etc/default/tomcat9 (Closes: #926319)

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 13 Jun 2019 23:26:12 +0200

tomcat9 (9.0.16-3) unstable; urgency=medium

  * Removed read/write access to /var/lib/solr (Closes: #923299)
  * Removed the broken catalina-ws.jar and catalina-jmx-remote.jar
    symlinks in /usr/share/tomcat9/lib/

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 26 Feb 2019 09:31:13 +0100

tomcat9 (9.0.16-2) unstable; urgency=medium

  * Team upload.
  * tomcat9.service: Permit read and write access to /var/lib/solr too.
    (Closes: #919638)

 -- Markus Koschany <apo@debian.org>  Mon, 18 Feb 2019 20:58:51 +0100

tomcat9 (9.0.16-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Install the new Chinese, Czech, German, Korean and Portuguese translations
    - No longer build the extra WS and JMX jars
  * Standards-Version updated to 4.3.0

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 08 Feb 2019 08:26:48 +0100

tomcat9 (9.0.14-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Create the /var/log/tomcat9/ and /var/cache/tomcat9/ directories
    at install time (Closes: #915791)
  * Tightened the dependency on systemd

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 12 Dec 2018 13:45:52 +0100

tomcat9 (9.0.13-2) unstable; urgency=medium

  * Install the tomcat-embed-* artifacts with the 9.x version (Closes: #915578)
  * Modified the dependencies required for creating the tomcat user
    (adduser is replaced by systemd) (Closes: #915586)
  * Fixed the tomcat-jasper pom to reference the ECJ dependency
    from libeclipse-jdt-core-java
  * Removed the redundant ReadWritePaths options in the service file for the log
    and cache directories (Thanks to Lennart Poettering for the suggestion)

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 05 Dec 2018 10:04:52 +0100

tomcat9 (9.0.13-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Renamed the package to tomcat9
    - Removed the libservlet3.1-java package. From now on the Servlet API
      is packaged in a separate package independent from Tomcat.
    - Depend on libeclipse-jdt-core-java (>= 3.14.0) instead of libecj-java
    - Updated the policy files in /etc/tomcat8/policy.d/
    - Use the OSGi metadata generated by the upstream build
    - Deploy the Tomcat artifacts in the Maven repository with the 9.x version
    - Updated the README file
  * Removed the SysV init script
  * Restart the server automatically on failures
  * Use a fixed non-configurable user 'tomcat' to run the server
  * Removed the debconf integration. The user being now unmodifiable,
    the remaining configuration parameter JAVA_OPTS can be edited in
    /etc/default/tomcat9
  * No longer add the 'common', 'server' and 'shared' directories under
    CATALINA_HOME and CATALINA_BASE to the classpath. Extra jar files should go
    to the 'lib' directory.
  * Let Tomcat handle the rotation of its log files with the maxDays parameter
    of the valves and log handlers instead of relying on a cron job
  * Renamed the TOMCAT_SECURITY parameter to SECURITY_MANAGER in the service
    configuration file
  * Simplified the postinst script by using systemd-sysusers to create
    the 'tomcat' user
  * No longer create the /etc/tomcat9/Catalina/localhost directory at install
    time and let Tomcat create it automatically
  * Let systemd automatically create /var/log/tomcat9 and /var/cache/tomcat9
  * Prevent Tomcat from writing outside of /var/log/tomcat9, /var/cache/tomcat9,
    /var/lib/tomcat9/webapps and /etc/tomcat9/Catalina by default. This can be
    overridden (see the README file).
  * Build and install the extra jar catalina-ws.jar
  * No longer recommend libcommons-pool-java and libcommons-dbcp-java since
    Tomcat already embeds its own version of these libraries
  * Support three-way merge when upgrading the configuration files
  * Use the G1 garbage collector by default instead of Concurrent Mark Sweep
  * The setenv.sh script in tomcat9-user and the service startup script now
    share the same JDK detection logic

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 28 Nov 2018 15:06:00 +0100

tomcat8 (8.5.35-3) UNRELEASED; urgency=medium

  * Team upload.
  * Updated the version required for libtcnative-1 (>= 1.2.18)
  * Install the Russian translation added in Tomcat 8.5.33

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 20 Nov 2018 14:38:01 +0100

tomcat8 (8.5.35-2) unstable; urgency=medium

  * Team upload.
  * Fixed the build failure with Easymock 4 (Closes: #913402)

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 12 Nov 2018 10:52:08 +0100

tomcat8 (8.5.35-1) unstable; urgency=medium

  * Team upload.

  [ Thomas Opfer ]
  * Removed old version requirement for package ant-optional that is not
    required any more.

  [ Emmanuel Bourg ]
  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 08 Nov 2018 23:40:00 +0100

tomcat8 (8.5.34-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 10 Sep 2018 14:31:03 +0200

tomcat8 (8.5.33-1) unstable; urgency=medium

  * Team upload.
  * New upstream version 8.5.33.
    - Tomcat compiles to Java 7 bytecode and passes release=7 to javac now.
      This ensures backwards compatibility with older JREs. (Closes: #906447)
  * Declare compliance with Debian Policy 4.2.1.
  * Refresh 0025-invalid-configuration-exit-status.patch.

 -- Markus Koschany <apo@debian.org>  Mon, 27 Aug 2018 13:41:16 +0200

tomcat8 (8.5.32-2) unstable; urgency=medium

  * Team upload.
  * Added a systemd service file (Closes: #832151, #817909)
  * Look for the Java runtime in the paths used by java-package >= 0.61
    (/usr/lib/jvm/oracle-java<n>-{jre,jdk}-*) (Closes: #894318)
  * Install catalina.policy in the tomcat8-user package to be able to run
    custom instances with a security manager (Closes: #736321)
  * Disabled the shutdown port (8005) by default
  * Updated the policy files in /etc/tomcat8/policy.d/
  * Added the missing Maven rules to use the 8.x generic version for
    tomcat-jaspic-api, tomcat-storeconfig and tomcat-util-scan
  * Set the gecos field when creating the tomcat8 user
  * No longer set JSSE_HOME in the init script (JSSE is enabled by default)
  * Standards-Version updated to 4.2.0

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 09 Aug 2018 17:53:44 +0200

tomcat8 (8.5.32-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 25 Jun 2018 14:51:50 +0200

tomcat8 (8.5.31-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Build with ant/1.10.3-2 and the automatic 'release' attribute restoring
    the backward compatibility with Java 7 (Closes: #895866)
  * Search for Java 10 and 11 runtimes
  * Don't follow the symlinks when setting the owner of the /var/log/tomcat8
    and /var/cache/tomcat8 directories in the postinst script
  * Use salsa.debian.org Vcs-* URLs

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 14 Jun 2018 13:32:46 +0200

tomcat8 (8.5.30-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.1.4

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 12 Apr 2018 09:49:28 +0200

tomcat8 (8.5.29-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 12 Mar 2018 16:43:57 +0100

tomcat8 (8.5.28-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Disabled the tests checking the ARIA cipher since it isn't enabled
      by default in OpenSSL
  * Standards-Version updated to 4.1.3
  * Switch to debhelper level 11
  * Use a secure URL for checking and downloading the new releases
  * No longer parse dpkg-parsechangelog in debian/rules

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 16 Feb 2018 13:43:01 +0100

tomcat8 (8.5.24-2) unstable; urgency=medium

  * Team upload.
  * Removed the setDefaultAsyncSendTimeout method mistakenly added to
    javax.websocket.WebSocketContainer in the version 8.5.24 (Closes: #884046)

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 14 Dec 2017 12:35:33 +0100

tomcat8 (8.5.24-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.1.2

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 01 Dec 2017 09:20:18 +0100

tomcat8 (8.5.23-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Standards-Version updated to 4.1.1

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 13 Oct 2017 00:01:48 +0200

tomcat8 (8.5.21-1) unstable; urgency=medium

  * Team upload.

  [ Emmanuel Bourg ]
  * New upstream release
    - Refreshed the patches
    - Disabled Checkstyle
  * Changed the Class-Path manifest entry of tomcat8-jasper.jar to use
    the specification jars from libtomcat8-java instead of libservlet3.1-java
    (Closes: #867247)

  [ Miguel Landaeta ]
  * Remove myself from uploaders. (Closes: #871892)
  * Update copyright info.

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 20 Sep 2017 10:06:56 +0200

tomcat8 (8.5.16-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Standards-Version updated to 4.0.0

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 26 Jun 2017 16:03:53 +0200

tomcat8 (8.5.15-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 21 Jun 2017 13:00:44 +0200

tomcat8 (8.5.14-2) unstable; urgency=high

  * Team upload.
  * Fixed CVE-2017-5664: Static error pages can be overwritten if the
    DefaultServlet is configured to permit writes (Closes: #864447)

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 08 Jun 2017 12:28:34 +0200

tomcat8 (8.5.14-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Removed the CVE patches (fixed in this release)

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 08 May 2017 00:17:52 +0200

tomcat8 (8.5.12-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 18 Apr 2017 09:53:23 +0200

tomcat8 (8.5.11-2) unstable; urgency=medium

  * Team upload.
  * Fix the following security vulnerabilities (Closes: #860068):
    Thanks to Salvatore Bonaccorso for the report.
   - CVE-2017-5647:
     A bug in the handling of the pipelined requests when send file was used
     resulted in the pipelined request being lost when send file processing of
     the previous request completed. This could result in responses appearing
     to be sent for the wrong request. For example, a user agent that sent
     requests A, B and C could see the correct response for request A, the
     response for request C for request B and no response for request C.
   - CVE-2017-5648:
     It was noticed that some calls to application listeners did not use the
     appropriate facade object. When running an untrusted application under a
     SecurityManager, it was therefore possible for that untrusted application
     to retain a reference to the request or response object and thereby access
     and/or modify information associated with another web application.
   - CVE-2017-5650:
     The handling of an HTTP/2 GOAWAY frame for a connection did not close
     streams associated with that connection that were currently waiting for a
     WINDOW_UPDATE before allowing the application to write more data. These
     waiting streams each consumed a thread. A malicious client could therefore
     construct a series of HTTP/2 requests that would consume all available
     processing threads.
   - CVE-2017-5651:
     The refactoring of the HTTP connectors for 8.5.x onwards, introduced a
     regression in the send file processing. If the send file processing
     completed quickly, it was possible for the Processor to be added to the
     processor cache twice. This could result in the same Processor being used
     for multiple requests which in turn could lead to unexpected errors and/or
     response mix-up.
  *  debian/control: tomcat8: Fix Lintian error and depend on lsb-base.

 -- Markus Koschany <apo@debian.org>  Wed, 12 Apr 2017 09:58:46 +0200

tomcat8 (8.5.11-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Recommend Java 8 in /etc/default/tomcat8

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 17 Jan 2017 15:09:30 +0100

tomcat8 (8.5.9-2) unstable; urgency=medium

  * Team upload.
  * Require Java 8 or higher (Closes: #848612)

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 19 Dec 2016 15:35:19 +0100

tomcat8 (8.5.9-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Restored the classloading from the common, server and shared directories
    under CATALINA_BASE (Closes: #847137)
  * Fixed the installation error when JAVA_OPTS in /etc/default/tomcat8
    contains the '%' character (Closes: #770911)

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 08 Dec 2016 22:26:36 +0100

tomcat8 (8.5.8-2) unstable; urgency=medium

  * Team upload.
  * Upload to unstable.
  * No longer make /etc/tomcat8/Catalina/localhost writable by the tomcat8 user
    in the postinst script (Closes: #845393)
  * The tomcat8 user is no longer removed when the package is purged
    (Closes: #845385)
  * Compress and remove the access log files with a .txt extension
    (Closes: #845661)
  * Added the delaycompress option to the logrotate configuration
    of catalina.out (Closes: #843135)
  * Changed the home directory for the tomcat8 user from /usr/share/tomcat8
    to /var/lib/tomcat8 (Closes: #833261)
  * Aligned the logging configuration with the upstream one
  * Set the proper permissions for /etc/tomcat8/jaspic-providers.xml
  * Install the new library jaspic-api.jar
  * Install the Maven artifacts for tomcat-storeconfig
  * Simplified debian/rules

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 01 Dec 2016 18:41:14 +0100

tomcat8 (8.5.8-1) experimental; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Tomcat no longer builds tomcat-embed-logging-juli.jar
    - Updated the policy files
    - Added a NEWS file detailing the major changes in Tomcat 8.5.x
  * Enabled the APR library loading by default (required for HTTP/2 support)
  * Promoted libtcnative-1 from suggested to recommended dependency
  * Enabled the APR tests
  * Fixed the test failure with TestStandardContextAliases
  * Added a link to the Tomcat 8.5 migration guide in README.Debian
  * Adapted debian/orig-tar.sh to download the 8.5.x releases

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 17 Nov 2016 23:54:35 +0100

tomcat8 (8.0.39-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 15 Nov 2016 15:37:48 +0100

tomcat8 (8.0.38-2) unstable; urgency=high

  * Team upload.
  * CVE-2016-1240 follow-up:
    - The previous init.d fix was vulnerable to a race condition that could
      be exploited to make any existing file writable by the tomcat user.
      Thanks to Paul Szabo for the report and the fix.
    - The catalina.policy file generated on startup was affected by a similar
      vulnerability that could be exploited to overwrite any file on the system.
      Thanks to Paul Szabo for the report.
  * Install the extra jar catalina-jmx-remote.jar (Closes: #762916)
  * Added the new libtomcat8-embed-java package containing the libraries
    for embedding Tomcat into other applications.
  * Switch to debhelper level 10

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 28 Oct 2016 01:17:23 +0200

tomcat8 (8.0.38-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Hardened the init.d script, thanks to Paul Szabo (Closes: #840685)
  * Fixed the OSGi metadata for tomcat8-jasper.jar and tomcat8-jasper-el.jar
  * Depend on libcglib-nodep-java instead of libcglib3-java
  * Removed the unused Lintian overrides

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 19 Oct 2016 11:01:03 +0200

tomcat8 (8.0.37-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Removed 0001-set-UTF-8-as-default-character-encoding.patch (fixed upstream)

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 19 Sep 2016 09:37:33 +0200

tomcat8 (8.0.36-3) unstable; urgency=high

  * Team upload.
  * Fixed CVE-2016-1240: A flaw in the init.d startup script allows local
    attackers who have gained access to the server in the context of the
    tomcat user through a vulnerability in a web application to replace
    the catalina.out file with a symlink to an arbitrary file on the system,
    potentially leading to a root privilege escalation.
    Thanks to Dawid Golunski for the report.
  * Removed the default 128M heap limit (LP: #568823)
  * Depend on taglibs-standard instead of jakarta-taglibs-standard

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 14 Sep 2016 10:20:28 +0200

tomcat8 (8.0.36-2) unstable; urgency=medium

  * Team upload.
  * Do not unconditionally overwrite files in /etc/tomcat8 anymore.
    (Closes: #825786)
  * Change file permissions to 640 for Debian files in /etc/tomcat8.

 -- Markus Koschany <apo@debian.org>  Tue, 02 Aug 2016 10:50:42 +0200

tomcat8 (8.0.36-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
    - Depend on libecj-java (>= 3.11.0)
  * Standards-Version updated to 3.9.8 (no changes)
  * Use a secure Vcs-Git URL

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 14 Jun 2016 14:34:46 +0200

tomcat8 (8.0.32-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
  * Fixed a warning in catalina.out caused by an incorrect path
    for the root context (Closes: #808378)
  * Standards-Version updated to 3.9.7 (no changes)

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 21 Dec 2015 11:20:10 +0100

tomcat8 (8.0.30-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Use LC_ALL instead of LANG to format the date and make the documentation
    reproducible on the builders

 -- Emmanuel Bourg <ebourg@apache.org>  Fri, 18 Dec 2015 11:44:06 +0100

tomcat8 (8.0.28-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Fixed a localized date in the documentation to improve the reproducibility

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 19 Oct 2015 11:12:07 +0200

tomcat8 (8.0.26-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * Changed the authbind configuration to allow IPv6 connections (LP: #1443041)
  * Fixed an upgrade error when /etc/tomcat8/tomcat-users.xml is removed
    (LP: #1010791)
  * Fixed a minor HTML error in the default index.html file (LP: #1236132)

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 24 Aug 2015 00:30:40 +0200

tomcat8 (8.0.24-1) unstable; urgency=medium

  * Team upload.
  * New upstream release
    - Refreshed the patches
  * debian/rules: Use an english locale when generating the documentation
    to improve the reproducibility

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 08 Jul 2015 17:42:14 +0200

tomcat8 (8.0.23-1) unstable; urgency=medium

  * New upstream release
  * debian/rules: Set the 'year' and 'today-iso-8601' build variables
    to improve the reproducibility

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 26 May 2015 16:04:01 +0200

tomcat8 (8.0.22-2) unstable; urgency=medium

  * Replaced the date in ServerInfo.properties with the latest date
    in debian/changelog to make the build reproducible
  * debian/rules:
    - Modified to use the dh sequencer
    - Simplified the ant invocation and moved some properties
      to debian/ant.properties
    - Do not set the version.* properties already defined
      in build.properties.default
    - Renamed T_VER to VERSION
    - Removed the RWFILES and RWLOC variables
    - Merged the ANT_ARGS and ANT_INVOKE variables
    - No longer remove the long gone .svn directories under
      /usr/share/tomcat8/webapps/default_root
    - Let dh_fixperms set the permissions instead of calling chmod +x
    - Use debian/tomcat8-user.manpages instead of calling dh_installman
    - Updated the copyright year in the Javadoc
    - Simplified the call to mh_install

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 07 May 2015 14:13:30 +0200

tomcat8 (8.0.22-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - No longer install tomcat-spdy.jar (removed upstream)
  * Removed the timestamp from the Javadoc of the Servlet API
    to make the build reproducible

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 06 May 2015 09:30:38 +0200

tomcat8 (8.0.21-2) unstable; urgency=medium

  * Upload to unstable.

 -- Miguel Landaeta <nomadium@debian.org>  Fri, 01 May 2015 12:41:13 -0300

tomcat8 (8.0.21-1) experimental; urgency=medium

  * New upstream release
    - Refreshed the patches
  * debian/orig-tar.sh: Exclude the taglibs-standard-*.jar files
    from the upstream tarball
  * Support the JVMs installed by the older versions of java-package (<< 0.52)
    and the oracle-java<n>-installer packages from webupd8 (Closes: #769166)

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 30 Mar 2015 19:40:22 +0200

tomcat8 (8.0.18-1) experimental; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 27 Jan 2015 22:54:00 +0100

tomcat8 (8.0.17-1) experimental; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 19 Jan 2015 09:58:16 +0100

tomcat8 (8.0.15-1) experimental; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 08 Dec 2014 23:59:10 +0100

tomcat8 (8.0.14-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Build depend on libcglib3-java instead of libcglib-java
  * Standards-Version updated to 3.9.6 (no changes)

 -- Emmanuel Bourg <ebourg@apache.org>  Mon, 29 Sep 2014 13:23:43 +0200

tomcat8 (8.0.12-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
  * Fixed the tomcat8-examples configuration (Closes: #753372)
  * No longer create the common/server/shared directories under
    /var/lib/tomcat8, and use a unique lib directory as documented
    upstream since Tomcat 6. The old directories are still supported
    if inherited from a previous installation (Closes: #754386)
  * Depend on libecj-java >= 3.10.0 to support the new Java 8 syntax in JSPs
  * Install the missing tomcat-dbcp.jar in libtomcat8-java and use it as
    the default JDBC pool implementation instead of Commons DBCP.
  * Removed the obsolete patch 0012-java7-compat.patch
  * Tightened the build dependency on junit4 (>= 4.11)
  * Build the Javadoc with the JDK specified by the JAVA_HOME variable
    instead of the default JDK (this fixes a build failure when backporting
    to Wheezy)
  * Removed the note about the authbind IPv6 incompatibility
    in /etc/defaults/tomcat8

 -- Emmanuel Bourg <ebourg@apache.org>  Wed, 17 Sep 2014 16:23:52 +0200

tomcat8 (8.0.9-1) unstable; urgency=medium

  [ Emmanuel Bourg ]
  * New upstream release
    - Refreshed the patches
  * Search for OpenJDK 8 and Oracle JDKs when starting the server
  * Removed the dependency on the non existent java-7-runtime package
  * Fixed a link still pointing to the Tomcat 7 documentation in README.Debian
  * Updated the version required for libtcnative-1 (>= 1.1.30)

  [ tony mancill ]
  * Update README.Debian with information about migration guides.

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 24 Jun 2014 21:28:37 +0200

tomcat8 (8.0.8-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches

 -- Emmanuel Bourg <ebourg@apache.org>  Thu, 22 May 2014 13:01:55 +0200

tomcat8 (8.0.5-1) unstable; urgency=medium

  * New upstream release
    - Refreshed the patches
    - Disabled Java 8 support in JSPs (requires an Eclipse compiler update)
  * Fixed the name of the doc-base file for libservlet3.1-java (Closes: #746338)
  * Update email addresses of maintainers.

 -- Emmanuel Bourg <ebourg@apache.org>  Tue, 29 Apr 2014 10:22:45 +0200

tomcat8 (8.0.3-1) unstable; urgency=medium

  [ Emmanuel Bourg ]
  * Team upload.
  * New upstream release (Closes: #722675)
    - Updated the version of the Servlet, JSP and EL APIs
    - Switched to Java 7
    - Updated the watch file to match the Tomcat 8 releases
    - Refreshed the patches
    - Updated debian/copyright, documented the xsd files licensed under the CDDL
    - Installed the new jars (spdy, jni, websocket, websocket-api, storeconfig)
    - Updated the artifactId of the specification jars to include
      the new javax prefix
    - Added the javax.websocket-api artifact to libservlet3.1-java
    - New build dependency on cglib, easymock and objenesis
  * Added a patch to include the name of the distribution on the error pages
  * Use XZ compression for the upstream tarball
  * debian/control:
    - Replaced Sun Microsystems with Oracle in the packages descriptions
    - Mentioned 'Apache Tomcat' in the packages descriptions
    - Standards-Version updated to 3.9.5 (no changes)
  * Deploy the Tomcat artifacts in the Maven repository with the 8.x version
    instead of 'debian' to avoid conflicts with other versions of Tomcat.
  * Hard coded the versions in the poms in debian/javaxpoms to fix the version
    of the dependencies for jsp-api
  * Renamed the jars in /usr/share/java to tomcat8-xxx to avoid conflicts
    with other versions of Tomcat
  * Added the missing descriptions to the patches
  * Added a patch to ignore the failing tests
  * Moved the tomcat-{servlet|jsp|el}-api artifacts from libservlet3.1-java
    to libtomcat8-java and changed their versions to the Tomcat version instead
    of the specification version.
  * Removed libservlet3.1-java.links defining the tomcat-* links
    in /usr/share/java with the specifications versions
  * The symlinks to /usr/share/tomcat8/lib are no longer split between the two
    packages libtomcat8-java and tomcat8-common. tomcat8-common assembles all
    the jars required by Tomcat (tomcat jars + dbcp + pool). libtomcat8-java
    deploys only the jars in /usr/share/java and the Maven artifacts in
    /usr/share/maven-repo.
  * Added the EL and WebSocket APIs to libservlet3.1-java-doc
  * Added a Lintian override for the incompatible-java-bytecode-format warning
    since Tomcat requires Java 7
  * Added a Lintian override to clear the codeless-jar warnings
    on the tomcat-i18n jars instead of a patch turning them into zip files.
  * Removed 0011-fix-classpath-lintian-warnings.patch and specified
    the classpath of jasper.jar in libtomcat8-java.manifest instead.

  [ tony mancill ]
  * Include tomcat-util-scan.jar in the libtomcat8-java package.
  * Remove debian/NEWS (inapplicable to this release).
  * Prune debian/changelog to only contain tomcat8 entries.

 -- Emmanuel Bourg <ebourg@apache.org>  Sat, 15 Mar 2014 23:23:14 +0100