Update to Tomcat 6.0.18

Bug #260016 reported by Thierry Carrez on 2008-08-21
Affects: tomcat6 (Ubuntu)
Importance: Wishlist
Assigned to: Unassigned

Bug Description

Binary package hint: tomcat6

Tomcat 6.0.18 was released on Jul 31 as a security release to fix CVE-2008-1232, CVE-2008-1947, CVE-2008-2370 and CVE-2008-2938.

There was, however, significant bugfix work for the (DOA) 6.0.17 release. See the combined upstream changelog at:
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

Thierry Carrez (ttx) on 2008-08-21
Changed in tomcat6:
assignee: nobody → tcarrez
importance: Undecided → Wishlist
status: New → In Progress
Thierry Carrez (ttx) on 2008-08-21
description: updated
Thierry Carrez (ttx) wrote :

Consolidated interdiff for simplified review

tomcat6 (6.0.18-0ubuntu1) intrepid; urgency=low

  * New upstream version (LP: #260016)
    - Fixes CVE-2008-2938: Directory traversal vulnerability (LP: #256802)
    - Fixes CVE-2008-2370: Information disclosure vulnerability (LP: #256922)
    - Fixes CVE-2008-1232: XSS through sendError vulnerability (LP: #256926)
  * Dropped CVE-2008-1947.patch (fix is shipped in this upstream release)
  * control: Improve short descriptions for the binary packages
  * copyright: Added link to /usr/share/common-licenses/Apache-2.0

Thierry Carrez (ttx) wrote :

Full interdiff for the sponsors.

Changed in tomcat6:
assignee: tcarrez → nobody
status: In Progress → Confirmed
Thierry Carrez (ttx) wrote :

New consolidated interdiff for simplified review

I added a Depends fix, so here are the new files.

tomcat6 (6.0.18-0ubuntu1) intrepid; urgency=low

  * New upstream version (LP: #260016)
    - Fixes CVE-2008-2938: Directory traversal vulnerability (LP: #256802)
    - Fixes CVE-2008-2370: Information disclosure vulnerability (LP: #256922)
    - Fixes CVE-2008-1232: XSS through sendError vulnerability (LP: #256926)
  * Dropped CVE-2008-1947.patch (fix is shipped in this upstream release)
  * control: Improve short descriptions for the binary packages
  * copyright: Added link to /usr/share/common-licenses/Apache-2.0
  * control: To pull the right JRE, libtomcat6-java now depends on default-jre-headless | java5-runtime-headless

Thierry Carrez (ttx) wrote :

New full interdiff for the sponsors.

Mathias Gug (mathiaz) wrote :

Why have you switched from java6-runtime-headless to java5-runtime-headless as the virtual package dependency?

Thierry Carrez (ttx) wrote :

According to http://tomcat.apache.org/migration.html: "Tomcat 6.0 requires JRE 5.0". This dependency more accurately describes what is needed to run Tomcat.

However, on second thought, Tomcat 6 doesn't run with gij (which provides java5-runtime-headless), so I should probably depend on "default-jre-headless | java6-runtime-headless" to make sure to use only compatible JREs.

I'll fix that and post the corresponding full interdiff very soon.

Changed in tomcat6:
assignee: nobody → tcarrez
status: Confirmed → In Progress
Thierry Carrez (ttx) wrote :

Fixed full interdiff with java6-runtime-headless rather than java5-

Changed in tomcat6:
assignee: tcarrez → nobody
status: In Progress → Confirmed
Thierry Carrez (ttx) wrote :

Full diff.gz, per request.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package tomcat6 - 6.0.18-0ubuntu1

---------------
tomcat6 (6.0.18-0ubuntu1) intrepid; urgency=low

  * New upstream version (LP: #260016)
    - Fixes CVE-2008-2938: Directory traversal vulnerability (LP: #256802)
    - Fixes CVE-2008-2370: Information disclosure vulnerability (LP: #256922)
    - Fixes CVE-2008-1232: XSS through sendError vulnerability (LP: #256926)
  * Dropped CVE-2008-1947.patch (fix is shipped in this upstream release)
  * control: Improve short descriptions for the binary packages
  * copyright: Added link to /usr/share/common-licenses/Apache-2.0
  * control: To pull the right JRE, libtomcat6-java now depends on
    default-jre-headless | java6-runtime-headless

 -- Thierry Carrez <email address hidden> Fri, 22 Aug 2008 09:15:11 +0200

Changed in tomcat6:
status: Confirmed → Fix Released