[gutsy] UVFe for tomcat5.5 5.5.25-1

Bug #150755 reported by Philipp Kern
Affects: tomcat5.5 (Ubuntu)
Status: Fix Released
Importance: Medium
Assigned to: Unassigned

Bug Description

Binary package hint: tomcat5.5

Please grant a UVFe for tomcat5.5 5.5.25-1. This would require a merge, which is available on [0]. Please remember that this also requires libcommons-modeler-java 2.0.1-3 to be pulled in (see LP: #150751). This would fix CVE-2007-1355, CVE-2007-2449 and CVE-2007-2450.

The changelog is as follows:

tomcat5.5 (5.5.25-1ubuntu1) gutsy; urgency=low

  * Merged from Debian revision 5.5.25-1; remaining Ubuntu changes:
    - Modified build-deps.
    - Force flag passed to rm to `prune files that should not be
      installed at all'.
  * This fixes CVE-2007-1355, CVS-2007-2449 and CVE-2007-2450.

 -- Philipp Kern <email address hidden> Mon, 08 Oct 2007 23:59:20 +0200

tomcat5.5 (5.5.25-1) unstable; urgency=high

  * New upstream release. Setting usrgency to high.
    - Fixes XSS issues. CVE-2007-1355, CVS-2007-2449 and CVE-2007-2450.
  * debian/policy/04webapps.policy: fix permissions on
    org.apache.tomcat.util.digester package.

 -- Michael Koch <email address hidden> Wed, 03 Oct 2007 20:04:18 +0200

tomcat5.5 (5.5.23-1) unstable; urgency=low

  [ Marcus Better ]
  * New upstream version.
  * Don't include /var/lib/tomcat5.5/conf/catalina.policy since it is
    auto-generated at startup. Thanks to Javier Serrano Polo. (Closes:
    #426761)
  * Make sure files under /var/lib/tomcat5.5/conf are not
    executable. Thanks to Marco Nenciarini. (Closes: #426740)
  * Fixes a failure to start if the temp directory contained too many
    files. Thanks to Maarten van der Hoef (Closes: #427978)
  * tomcat5.5-admin now depends on libcommons-collections3-java and
    libcommons-digester-java.

  [ Michael Koch ]
  * Clean up correctly on (re-)build (Closes: #434617).
  * Replaced obsolete ${Source-Version} by ${source:Version}.
  * Added myself to Uploaders.
  * Updated (Build-)Depends on libcommons-modeler-java to (>= 2.0).
  * Clear up comment in debian/tomcat5.5.default about TOMCAT55_USER.
    (Closes: #425020).
  * Make cron.daily script work when package is removed but not purged
    (Closes: #436020).
  * Applied patch from David Pashley to move configuration from
    /var/lib/tomcat5.5/conf to /etc/tomcat5.5 (Closes: #434728).
  * Use ${catalina.base} instead of ${catalina.home} in
    debian/policy/50user.policy (Closes: #431704).
  * Make tomcat5.5 depend on libecj-java instead of ecj-bootstrap
    (Closes: #396170).
  * Don't make tomcat5.5 on two non-virtual java runtimes. Removed kaffe.
  * Don't let tomcat5.5 suggest libapache-mod-jk. Doesn't exist anymore.
  * Fixed watch file.
  * Set CATALINA_BASE to /var/lib/$NAME in debian/tomcat5.5.init.

[0] http://durotan.0x539.de/~pkern/tomcat5.5/

Philipp Kern (pkern)
description: updated
Scott Kitterman (kitterman) wrote :

Ack.

Steve Kowalik (stevenk) wrote :

Also an ACK from me.

Scott Kitterman (kitterman) wrote :

Approved.

Changed in tomcat5.5:
importance: Undecided → Medium
status: New → Confirmed
Philipp Kern (pkern) wrote :

tomcat5.5 (5.5.25-1ubuntu1) gutsy; urgency=low

  * Merged from Debian revision 5.5.25-1; remaining Ubuntu changes:
    - Modified build-deps.
    - Force flag passed to rm to `prune files that should not be
      installed at all'.
  * This fixes CVE-2007-1355, CVS-2007-2449 and CVE-2007-2450
    (LP: #150755).

 -- Philipp Kern <email address hidden> Mon, 08 Oct 2007 23:59:20 +0200

Changed in tomcat5.5:
status: Confirmed → Fix Released