-------------------------------------------------------------------
Tue Apr 20 10:54:25 UTC 2021 - Abid Mehmood <amehmood@suse.com>

- Fixed CVE-2021-25329 with
  apache-tomcat-6.0.53-CVE-2021-25329.patch (bsc#1182909) 

-------------------------------------------------------------------
Tue Apr 20 09:19:09 UTC 2021 - Abid Mehmood <amehmood@suse.com>

- Fixed CVE-2021-24122 with
  apache-tomcat-6.0.53-CVE-2021-24122.patch (bsc#1180947) 

-------------------------------------------------------------------
Tue Apr 20 08:01:09 UTC 2021 - Abid Mehmood <amehmood@suse.com>

- Fixed CVE-2017-12617 with
  apache-tomcat-6.0.53-CVE-2017-12617.patch (bsc#1059554) 

-------------------------------------------------------------------
Thu May 21 10:04:21 UTC 2020 - Matei Albu <malbu@suse.com>

- Fixed CVEs:
  * CVE-2020-9484 (bsc#1171928)
  * CVE-2019-12418 (bsc#1159723)
  * CVE-2019-0221 (bsc#1136085)
- Added patches:  
  * apache-tomcat-6.0.53-CVE-2020-9484.patch
  * apache-tomcat-6.0.53-CVE-2019-12418.patch
  * apache-tomcat-6.0.53-CVE-2019-0221.patch
- Rebased patches: 
  * apache-tomcat-6.0.45-patch-javadocs-old-ant.patch
  * apache-tomcat-6.0.53-CVE-2018-11784.patch
  * apache-tomcat-6.0.53-CVE-2020-1938.patch

-------------------------------------------------------------------
Thu Mar 12 22:32:19 UTC 2020 - Matei Albu <malbu@suse.com>

- Fixed CVE-2020-1938 with
  apache-tomcat-6.0.53-CVE-2020-1938.patch (bsc#1164692)

-------------------------------------------------------------------
Fri Nov  9 22:05:29 UTC 2018 - malbu@suse.com

- Fixed CVE-2018-11784 with
  apache-tomcat-6.0.53-CVE-2018-11784.patch (bsc#1110850)

-------------------------------------------------------------------
Thu Jun 21 22:17:43 UTC 2018 - malbu@suse.com

- Fixed CVE-2018-1304 with
  apache-tomcat-6.0.53-CVE-2018-1304.patch (bsc#1082480) 

-------------------------------------------------------------------
Sat Jun  9 20:36:43 UTC 2018 - malbu@suse.com

- Fixed CVE-2017-5664 with
  apache-tomcat-6.0.53-CVE-2017-5664.patch (bsc#1042910)
- Changed IA64 to build using Java 1.5 

-------------------------------------------------------------------
Tue May 23 15:18:37 UTC 2017 - malbu@suse.com

- Version update to 6.0.53:
  * Another bugfix release, for full details see:
  http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
  * Fixed CVEs:
    - CVE-2017-5647 (bsc#1036642)
    - CVE-2016-8745
    - CVE-2016-8735
    - CVE-2016-6816
    - CVE-2016-6797
    - CVE-2016-6796
    - CVE-2016-6794
    - CVE-2016-5018
    - CVE-2016-0762
    - CVE-2016-5388
- Removed security patch:
  * apache-tomcat-6.0.45-CVE-2016-5388.patch 

-------------------------------------------------------------------
Fri Jul 15 13:54:43 UTC 2016 - bmaryniuk@suse.com

- Added CVE-2016-5388 fix with
  apache-tomcat-6.0.45-CVE-2016-5388.patch (bnc#988489)

-------------------------------------------------------------------
Wed Feb 24 16:09:02 UTC 2016 - dmacvicar@suse.de

- rebase to 6.0.45
- Removed security patches for
  * CVE-2014-0230 - fixed in 6.0.44
  * CVE-2014-7810 - fixed in 6.0.44
  * CVE-2014-0227 - fixed in 6.0.43
- fixes CVEs
  * CVE-2015-5174 (bnc#967967)
  * CVE-2015-5345 (bnc#967965)
  * CVE-2016-0706 (bnc#967815)
  * CVE-2016-0714 (bnc#967964)
- Remove renamed patches
  * apache-tomcat-6.0.41-bootstrap-MANIFEST.MF.patch
  * apache-tomcat-6.0.41-patch-javadocs-old-ant.patch
  * apache-tomcat-6.0.41-bnc844689-classpath.patch
- New renamed patches
  * apache-tomcat-6.0.45-bootstrap-MANIFEST.MF.patch
  * apache-tomcat-6.0.45-patch-javadocs-old-ant.patch
  * apache-tomcat-6.0.45-bnc844689-classpath.patch
- Dropped patches
  * apache-tomcat-6.0.41-pr56600.patch (already in 6.0.45)

-------------------------------------------------------------------
Mon Jun 22 14:22:58 UTC 2015 - bmaryniuk@suse.com

- Fix rights of all files within /usr/share/tomcat6/bin
  (bnc#906152)

-------------------------------------------------------------------
Thu Jun 18 13:59:53 UTC 2015 - bmaryniuk@suse.com

- Added CVE-2014-0227 fix from 6.0.43 with
  apache-tomcat-6.0.41-CVE-2014-0227.patch (bnc#917127)

- Consequentially to above, recreated the fix for CVE-2014-0230 as
  apache-tomcat-6.0.41-CVE-2014-0230.patch (bnc#926762)

-------------------------------------------------------------------
Mon Jun 15 08:39:03 UTC 2015 - bmaryniuk@suse.com

- Fix for tomcat6-6.0.init
  (bnc#934219) 

-------------------------------------------------------------------
Thu Jun 11 09:54:28 UTC 2015 - bmaryniuk@suse.com

- Fix for CVE-2014-0230 apache-tomcat-6.0.41-bnc926762.patch
  (bnc#926762)

- Fix for tomcat6-6.0.init
  (bnc#932698)

-------------------------------------------------------------------
Wed Jun  3 12:40:17 UTC 2015 - bmaryniuk@suse.com

- Fix for CVE-2014-7810 apache-tomcat-6.0.41-bnc931442.patch
  (bnc#931442)

-------------------------------------------------------------------
Tue Jun  3 13:30:41 UTC 2014 - dmacvicar@suse.de

- rebase to 6.0.41
- Removed security patches for
  * CVE-2009-0033 - fixed in 6.0.20
  * CVE-2009-0580 - fixed in 6.0.20
  * CVE-2009-0783 - fixed in 6.0.20
  * CVE-2008-5515 - fixed in 6.0.20
  * CVE-2009-0781 - fixed in 6.0.20
  * CVE-2009-2693 - fixed in 6.0.24
  * CVE-2009-2901 - fixed in 6.0.24
  * CVE-2009-2902 - fixed in 6.0.24
  * CVE-2010-1157 - fixed in 6.0.28
  * CVE-2010-2227 - fixed in 6.0.28
  * CVE-2010-4172 - fixed in 6.0.30
  * CVE-2010-3718 - fixed in 6.0.30
  * CVE-2011-0013 - fixed in 6.0.30
  * CVE-2011-0534 - fixed in 6.0.32
  * CVE-2011-2204 - fixed in 6.0.33
  * CVE-2011-2526 - fixed in 6.0.33
  * CVE-2011-1184 - fixed in 6.0.33
  * CVE-2011-3190 - fixed in 6.0.35
  * CVE-2012-2733 - fixed in 6.0.36
  * CVE-2012-5885 - fixed in 6.0.36 (as CVE-2012-3439)
  * CVE-2012-5886 - fixed in 6.0.36 (as CVE-2012-3439)
  * CVE-2012-5887 - fixed in 6.0.36 (as CVE-2012-3439)
  * CVE-2012-3546 - fixed in 6.0.36
  * CVE-2012-4431 - fixed in 6.0.36
  * CVE-2012-4534 - fixed in 6.0.36
  * CVE-2012-3544 - fixed in 6.0.37 and 6.0.39
  * CVE-2014-0119 - fixed in 6.0.41
- removed patches for:
  * bnc#681914, apache#45648, apache#45511 (fixed in 6.0.19)
  * backported code from 6.0.x branch to support upstream patches
- fixes bnc#865746 and fate#317673
- Recommend tcnative >= 1.1.30, provided by libtcnative-1-0
  1.3.3 on SLE-11 (APR version schema)
- patches readded from PTFs
  * readded patch for bnc#844689 (classpath for
    org/apache/juli/logging/LogFactory)
  * added /usr/lib64 in commented JAVA_OPT in tomcat6-6.0.conf
    to find libtcnative
- removed patches for PTFs (no longer needed)
  * apache#43327 (bnc#881700) Socket bind fails on tomcat startup 
    when using apr (IPV6)
- fixes CVEs
  * CVE-2014-0096 (bnc#880346)
  * CVE-2014-0099 (bnc#880347)
  * CVE-2014-0119 (bnc#880348)

-------------------------------------------------------------------
Fri Jul 26 10:17:30 UTC 2013 - mvyskocil@suse.com

- apache-tomcat-CVE-2012-3544.patch (bnc#831119)
- use chown --no-dereference to prevent symlink attacks on log
  (bnc#822177#c7/prevents CVE-2013-1976)
- Fix tomcat init scripts generating malformed classpath
  (http://youtrack.jetbrains.com/issue/JT-18545)
  bnc#804992 (patch from m407)
- fix a typo in initscript (bnc#768772)
- copy all shell scripts (bnc#818948)

-------------------------------------------------------------------
Wed Jan  2 14:45:27 UTC 2013 - mvyskocil@suse.com

- fix bnc#794548 - denial of service (CVE-2012-4534)
  * apache-tomcat-CVE-2012-4534.patch
  fixes apache#53138, apache#52858
  http://svn.apache.org/viewvc?view=rev&rev=1372035
- fix a minor issue in apache-tomcat-CVE-2012-4431.patch
  use the already initialized session variable instead of
  another call to req.getSession()

-------------------------------------------------------------------
Mon Dec 10 10:04:58 UTC 2012 - mvyskocil@suse.com

- fix bnc#793394 - bypass of security constraints (CVE-2012-3546)
  * apache-tomcat-CVE-2012-3546.patch
  http://svn.apache.org/viewvc?view=revision&revision=1381035
- fix bnc#793391 - bypass of CSRF prevention filter (CVE-2012-4431)
  * apache-tomcat-CVE-2012-4431.patch
  http://svn.apache.org/viewvc?view=revision&revision=1394456

-------------------------------------------------------------------
Fri Dec  7 12:22:01 UTC 2012 - mvyskocil@suse.com

- document how to protect against slowloris DoS (CVE-2012-5568/bnc#791679)
  in README.SUSE

-------------------------------------------------------------------
Mon Dec  3 15:02:04 UTC 2012 - mvyskocil@suse.com

- fixes
  bnc#791423 - cnonce tracking weakness (CVE-2012-5885)
  bnc#791424 - authentication caching weakness (CVE-2012-5886)
  bnc#791426 - stale nonce weakness (CVE-2012-5887)
  * apache-tomcat-CVE-2009-2693-CVE-2009-2901-CVE-2009-2902.patch
  http://svn.apache.org/viewvc?view=revision&revision=1380829

-------------------------------------------------------------------
Fri Nov 23 12:45:31 UTC 2012 - mvyskocil@suse.com

- fix bnc#789406 - HTTP NIO connector OOM DoS via a request with
  large headers (CVE-2012-2733)
  * apache-tomcat-CVE-2012-2733.patch
  http://svn.apache.org/viewvc?view=revision&revision=1356208

-------------------------------------------------------------------
Mon Feb  6 09:24:52 UTC 2012 - mvyskocil@suse.cz

- fix bnc#742477 - iManager throws exception in its basic functionalities
   (CVE-2012-0022)
   * http://svn.apache.org/viewvc?view=revision&revision=1206324
   * http://svn.apache.org/viewvc?view=revision&revision=1229027
- fix bnc#735343 - VUL-1: tomcat: Multiple weaknesses in HTTP DIGEST
   * http://svn.apache.org/viewvc?view=revision&revision=1158180
   fixes CVE-2011-5062, CVE-2011-5063, CVE-2011-5064 and CVE-2011-1184

-------------------------------------------------------------------
Fri Jan  6 09:53:22 UTC 2012 - mvyskocil@suse.cz

- fix bnc#727543 - VUL-0: Apache tomcat vulnerable to hash collision attack
  backport upstream changes:
  * generic CSRF protection layer (to have FilterBase needed for
    FailedRequestFilter)
    http://svn.apache.org/viewvc?view=revision&revision=1030547
  * add getCharset method for B2Converter 
    http://svn.apache.org/viewvc?view=revision&revision=1140904
  * add isConfigProblemFatal method
    http://svn.apache.org/viewvc?view=revision&revision=1199122
  * add readChunkedPostBody method
    http://svn.apache.org/viewvc?view=revision&revision=788097
  * GET POST parameter processing performance (CVE-2012-0022)
    http://svn.apache.org/viewvc?view=revision&revision=1200601
- fix bnc#712784 - tomcat6: add missing Requires on java >= 1.6.0
  * add recommends on java >= 1.6.0 and java-devel >= 1.6.0
- with CSRF protection layer manager and host-manager now support
  new roles, documentation is in tomcat6-doc-webapp:
  * /srv/tomcat6/webapps/docs/manager-howto.html
  * /srv/tomcat6/webapps/manager/WEB-INF/web.xml
  * /srv/tomcat6/webapps/host-manager/WEB-INF/web.xml

-------------------------------------------------------------------
Wed Nov  2 11:55:45 CET 2011 - jrenner@suse.de

- fix warning: User database is not persistable (bnc#726307)

-------------------------------------------------------------------
Thu Sep 15 12:56:37 UTC 2011 - mvyskocil@suse.cz

- fix bnc#715991 - VUL-0: tomcat authentication bypass and information
  disclosure (CVE-2011-3190)
  * http://svn.apache.org/viewvc?view=revision&revision=1162959

-------------------------------------------------------------------
Mon Aug 15 13:14:03 UTC 2011 - mvyskocil@suse.cz

- fix bnc#706404 - VUL-0: tomcat user password information leak (CVE-2011-2204)
  * http://svn.apache.org/viewvc?view=revision&revision=1140071
- fix bnc#706382 - VUL-0: tomcat information leak and DoS (CVE-2011-2526)
  * http://svn.apache.org/viewvc?view=revision&revision=1146703
- fix bnc#702289 - suse manager pam ldap authentication fails
  * source CATALINA_HOME/bin/setenv.sh if exists

-------------------------------------------------------------------
Tue Apr 12 08:42:44 UTC 2011 - mvyskocil@suse.cz

- fix bnc#681914: Expression Language parser whitespace problem
  * apache#45511 whitespace problem
  * apache#45648 eats the last char in namespace
  * add lookaheads to EL parsing

-------------------------------------------------------------------
Fri Feb 11 09:11:18 UTC 2011 - mvyskocil@suse.cz

- fix bnc#669897 - VUL-0: tomcat6: Apache Tomcat Local bypass of security
  manager file permissions (CVE-2010-3718)
  * http://svn.apache.org/viewvc?view=revision&revision=1022560
- fix bnc#669929 - VUL-0: tomcat6: Apache Tomcat Manager XSS vulnerability
  (CVE-2011-0013)
  * cherry-picked: http://svn.apache.org/viewvc?view=revision&revision=739524
    this closes apache bug#46261
  * real fix: http://svn.apache.org/viewvc?view=revision&revision=1057270
- fix bnc#669930 - VUL-0: tomcat6: Apache Tomcat DoS vulnerability
  (CVE-2011-0534)
  *  http://svn.apache.org/viewvc?view=revision&revision=1066313

-------------------------------------------------------------------
Mon Jan 17 16:11:39 CET 2011 - mvyskocil@suse.cz

- fix bnc#655440#c14 - clean workdir of tomcat6's webapps

-------------------------------------------------------------------
Thu Nov 25 10:46:08 UTC 2010 - mvyskocil@suse.cz

- fix bnc#655440 - VUL-0: tomcat6: Apache Tomcat Manager application XSS
  vulnerability (CVE-2010-4172)
  http://svn.apache.org/viewvc?view=revision&revision=1037779
- fix bnc#653586 - spacewalk 1.2 requires jasper 5.5
  * add offline jasper compiler /usr/bin/jspc

-------------------------------------------------------------------
Thu Jul 15 13:21:59 UTC 2010 - mvyskocil@suse.cz

- fix bnc#599554: VUL-1: tomcat information disclosure (CVE-2010-1157)
    * http://svn.apache.org/viewvc?view=revision&revision=936540
- fix bnc#622188: VUL-0: tomcat: remote DoS / information disclosure
  (CVE-2010-2227)
    * http://svn.apache.org/viewvc?view=revision&revision=958977
- link dtomcat6 to CATALINA_HOME/bin/catalina.sh

-------------------------------------------------------------------
Thu Feb  4 12:39:29 UTC 2010 - mvyskocil@suse.cz

- fixed bnc#575083 - VUL-0: tomcat directory traversal bugs
  CVE-2009-2693, CVE-2009-2901, CVE-2009-2902
  * http://svn.apache.org/viewvc?view=revision&revision=892815

-------------------------------------------------------------------
Wed Jun 10 14:12:22 CEST 2009 - mvyskocil@suse.cz

- fixed bnc#509839:
     CVE-2009-0781
  *  http://svn.apache.org/viewvc?view=rev&revision=750924
     CVE-2009-0783
  *  http://svn.apache.org/viewvc?view=rev&revision=739522
     CVE-2008-5515
  *  http://svn.apache.org/viewvc?view=rev&revision=739532

-------------------------------------------------------------------
Mon Jun  8 15:33:07 CEST 2009 - mvyskocil@suse.cz

- fixed bnc#509839: CVE-2009-0580
  * http://svn.apache.org/viewvc?view=rev&revision=747840
- fixed bnc#509840: CVE-2009-0033
  * http://svn.apache.org/viewvc?view=rev&revision=781362
- fixed bnc#485933: cumulative fix for tomcat6:
  * bnc#418664 - added /etc/ant.d/catalina-ant
  * bnc#424675 - link $CATALINA_BASE/conf/Catalina ->
                      /var/cache/tomcat6/Catalina/
  * bnc#433852 - rctomcat symlink
  * bnc#446598 - dtomcat6 reads the tomcat6.conf again, better comment in
    config file

-------------------------------------------------------------------
Wed Feb 25 14:34:12 CET 2009 - mvyskocil@suse.cz

- fixed bnc#471301: tomcat6 doesn't want to be started when sun java 1.5 is selected
  - built with -target 1.5

-------------------------------------------------------------------
Mon Feb  9 17:01:30 CET 2009 - mvyskocil@suse.cz

- Fixed bnc#471639 - tomcat does not start/work
  - fill up a default JVM in sysconfig

-------------------------------------------------------------------
Mon Nov 24 14:05:10 CET 2008 - mvyskocil@suse.cz

- Fixed bnc#446598 - Tomcat6: tomcat6.conf overwrites sysconfig/tomcat6 values 

-------------------------------------------------------------------
Fri Sep 12 09:28:26 CEST 2008 - mvyskocil@suse.cz

- Update to 6.0.18. This obsoletes patches:
	apache-tomcat-CVE-2008-1232
	apache-tomcat-CVE-2008-1947
	apache-tomcat-CVE-2008-2370
	apache-tomcat-CVE-2008-2938

-------------------------------------------------------------------
Tue Aug 19 13:16:48 CEST 2008 - mvyskocil@suse.cz

- fix CVE-2008-2938: VUL-0: tomcat5: directory traversal 

-------------------------------------------------------------------
Wed Aug  6 11:11:58 CEST 2008 - mvyskocil@suse.cz

- fix CVE-2008-1232 and CVE-2008-2370: VUL-0: Apache Tomcat Cross-Site
  Scripting and Security Bypass [bnc#414657]

-------------------------------------------------------------------
Mon Jul 21 15:45:27 CEST 2008 - mvyskocil@suse.cz

- fixed [bnc#394503]:  tomcat6 is missing rctomcat6 link
  - add a /usr/sbin/rctomcat6 symlink
  - and heavy rewrite and improve of original jpackage tomcat6 init script
    - add Should-Start and Should-Stop section and values for Default-Start and
      Default-Stop
    - removed the echo_success and echo_failure functions and usage
    - include a /etc/rc.status and use a rc_XXXXX functions instead of echo and
      return. Plus add a comments with error codes explanations
    - merge the start/stop/status messages from previous version
    - use `ps' command instead of pgrep
    - changes in commands: added a try-restart|force-reload|reload|probe and
      removed the version|conrestart
- fixed [bnc#394499]: add a PreReq to jpackage-utils
- fixed [bnc#408253]: tomcat6 fails because of missing commons-xxxx jars
  - add a removed dependencies to the jakarta-commons-*-tomcat5 packages
  - fixed a proper link creation in post/n scripts
  - fixed a build cycle, jakarta-commons-dbcp-tomcat5 needs the tomcat6-lib for
    build, but the tomcat6-lib has this package in Requires(post). The
    %post scriptlet is non-fatal if the jars cannot be found (but this would
    not happen in a production state).

-------------------------------------------------------------------
Fri Jun 27 14:47:03 CEST 2008 - mvyskocil@suse.cz

- fixed [bnc#396962]: VUL-0: tomcat5: [SECURITY] CVE-2008-1947: Tomcat host-manager XSS vulnerability
- fixed [bnc#403310]: Tomcat startup script uses wrong java.io.tmpdir
  - the temp directory is in /var/cache/tomcat6/temp

-------------------------------------------------------------------
Tue May  6 10:12:07 CEST 2008 - mvyskocil@suse.cz

- fixed a [bnc#383331] - Tomcat cannot compile JSPs
  - add a ecj requires for tomcat6-lib
  - create a symlink of ecj.jar to tomcat6 libdir
- add a jakarta-taglibs-standard to BuildRequires
- use a fdupes to avoid a file duplication waste in /srv
- replace a %{_jvmdir}/jre to /etc/alternatives/jre in JAVAHOME in default
  tomcat6.conf (this path is architecture independent)
- add a %stop_on_removal to %preun, %restart_on_update and %insserv_cleanup to
  %postun to fix some rpmlint warnings
- add a $remote_fs dependency to init script

-------------------------------------------------------------------
Wed Feb 27 10:53:38 CET 2008 - mvyskocil@suse.cz

- update to 6.0.16

-------------------------------------------------------------------
Fri Jan 25 18:26:09 CET 2008 - coolo@suse.de

- don't require the old package names 

-------------------------------------------------------------------
Fri Jan 25 15:42:30 CET 2008 - ro@suse.de

- don't use dots in package names 

-------------------------------------------------------------------
Tue Jan 22 12:22:00 CET 2008 - anosek@suse.cz

- don't use macros in package names (the %package lines)
  which does not work with autobuild. 

-------------------------------------------------------------------
Thu Dec 20 08:36:29 CET 2007 - anosek@suse.cz

- don't use static uid/gid for tomcat user and tomcat group

-------------------------------------------------------------------
Tue Dec  4 10:00:49 CET 2007 - anosek@suse.cz

- initial version of tomcat6 package
- based on work by jpackage project

