Changelog for tomcat-el-2.2-api-7.0.76-15.el7.noarch.rpm:
Fri Jul 17 14:00:00 2020 Coty Sutherland 0:7.0.76-15
- Resolves: CVE-2020-13935 tomcat: multiple requests with invalid payload length in a WebSocket frame could lead to DoS
Thu May 21 14:00:00 2020 Coty Sutherland 0:7.0.76-14
- Revert rhbz#1814315 because it caused other issues with ipa-server, see rhbz#1831127
- Resolves: CVE-2020-9484 tomcat: Apache Tomcat Remote Code Execution via session persistence
Wed May 6 14:00:00 2020 Coty Sutherland 0:7.0.76-13
- Revert rhbz#1367492 because it caused issues with ipa-server, see rhbz#1831127
Fri Apr 24 14:00:00 2020 Coty Sutherland 0:7.0.76-12
- Resolves: rhbz#1367492 harden package permissions
- Resolves: rhbz#1523112 tomcat systemd does not cope with - in service names
- Resolves: rhbz#1629162 tomcat-dbcp.jar is missing from tomcat package
- Resolves: rhbz#1822453 Tomcat parses a request having an absolute URI path incorrectly and returns 404 Not Found
- Resolves: rhbz#1795645 connection leak with StatementCache, SlowQueryReport or StatementDecoratorInterceptor
- Resolves: CVE-2019-17563 tomcat: session fixation when using FORM authentication
Tue Mar 3 13:00:00 2020 Coty Sutherland 0:7.0.76-11
- CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability
Tue Sep 3 14:00:00 2019 Coty Sutherland 0:7.0.76-10
- Resolves: rhbz#1748541 Bump tomcat release number
Tue Feb 12 13:00:00 2019 Coty Sutherland 0:7.0.76-9
- Resolves: rhbz#1641873 CVE-2018-11784 tomcat: Open redirect in default servlet
- Resolves: rhbz#1552375 CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources
- Resolves: rhbz#1552374 CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised users
- Resolves: rhbz#1590182 CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
- Resolves: rhbz#1608609 CVE-2018-8034 tomcat: host name verification missing in WebSocket client
- Resolves: rhbz#1588703 Backport of Negative maxCookieCount value causes exception for Tomcat
- Resolves: rhbz#1472950 shutdown_wait option is not working for Tomcat
- Resolves: rhbz#1455483 Add support for characters "<" and ">" to the possible whitelist values
Fri Oct 12 14:00:00 2018 Coty Sutherland 0:7.0.76-8
- Resolves: rhbz#1608607 CVE-2018-1336 tomcat: A bug in the UTF 8 decoder can lead to DoS
Tue Jul 24 14:00:00 2018 Jean-Frederic Clere 0:7.0.76-7
- Resolves: rhbz#1602060 Deadlock occurs while sending to a closing session
Wed Nov 8 13:00:00 2017 Coty Sutherland 0:7.0.76-6
- Related: rhbz#1505762 Remove erroneous useradd
Tue Nov 7 13:00:00 2017 Coty Sutherland 0:7.0.76-5
- Resolves: rhbz#1485453 man page uid and gid mismatch for service accounts
- Resolves: rhbz#1505762 Problem to start tomcat with a user whose group has a name different to the user
Mon Nov 6 13:00:00 2017 Coty Sutherland 0:7.0.76-3
- Resolves: rhbz#1498343 CVE-2017-12615 CVE-2017-12617 tomcat: various flaws
- Resolves: rhbz#1495655 CVE-2017-7674 tomcat: Vary header not added by CORS filter leading to cache poisoning
- Resolves: rhbz#1470597 CVE-2017-5647 Add follow up revision
Thu Jun 8 14:00:00 2017 Coty Sutherland 0:7.0.76-2
- Resolves: rhbz#1459747 CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism
- Resolves: rhbz#1441481 CVE-2017-5647 tomcat: Incorrect handling of pipelined requests when send file was used
Wed Mar 29 14:00:00 2017 Coty Sutherland - 0:7.0.76-1
- Resolves: rhbz#1414895 Rebase tomcat to the current release
Thu Aug 25 14:00:00 2016 Coty Sutherland - 0:7.0.69-10
- Related: rhbz#1368122
Tue Aug 23 14:00:00 2016 Coty Sutherland - 0:7.0.69-9
- Resolves: rhbz#1362213 Tomcat: CGI sets environmental variable based on user supplied Proxy request header
- Resolves: rhbz#1368122
Wed Aug 3 14:00:00 2016 Coty Sutherland - 0:7.0.69-7
- Resolves: rhbz#1362545
Fri Jul 8 14:00:00 2016 Coty Sutherland - 0:7.0.69-6
- Related: rhbz#1201409 Added /etc/sysconfig/tomcat to the systemd unit for tomcat-jsvc.service
Fri Jul 1 14:00:00 2016 Coty Sutherland - 0:7.0.69-5
- Resolves: rhbz#1347860 The systemd service unit does not allow tomcat to shut down gracefully
Mon Jun 27 14:00:00 2016 Coty Sutherland - 0:7.0.69-4
- Resolves: rhbz#1350438 CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service
Fri Jun 17 14:00:00 2016 Coty Sutherland - 0:7.0.69-3
- Resolves: rhbz#1347774 The security manager doesn't work correctly (JSPs cannot be compiled)
Tue Jun 7 14:00:00 2016 Coty Sutherland - 0:7.0.69-2
- Rebase Resolves: rhbz#1311622 Getting NoSuchElementException while handling attributes with empty string value in tomcat
- Rebase Resolves: rhbz#1320853 Add HSTS support
- Rebase Resolves: rhbz#1293292 CVE-2014-7810 tomcat: Tomcat/JBossWeb: security manager bypass via EL expressions
- Rebase Resolves: rhbz#1347144 CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet
- Rebase Resolves: rhbz#1347139 CVE-2015-5346 tomcat: Session fixation
- Rebase Resolves: rhbz#1347136 CVE-2015-5345 tomcat: directory disclosure
- Rebase Resolves: rhbz#1347129 CVE-2015-5174 tomcat: URL Normalization issue
- Rebase Resolves: rhbz#1347146 CVE-2016-0763 tomcat: security manager bypass via setGlobalContext()
- Rebase Resolves: rhbz#1347142 CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms
- Rebase Resolves: rhbz#1347133 CVE-2015-5351 tomcat: CSRF token leak
Mon Jun 6 14:00:00 2016 Coty Sutherland - 0:7.0.69-1
- Resolves: rhbz#1287928 Rebase to tomcat 7.0.69
- Resolves: rhbz#1327326 rpm -V tomcat fails on /var/log/tomcat/catalina.out
- Resolves: rhbz#1277197 tomcat user has non-existing default shell set
- Resolves: rhbz#1240279 The command tomcat-digest doesn't work with RHEL 7
- Resolves: rhbz#1229476 Tomcat startup ONLY options
- Resolves: rhbz#1133070 Need to include full implementation of tomcat-juli.jar and tomcat-juli-adapters.jar
- Resolves: rhbz#1201409 Fix the broken tomcat-jsvc service unit
- Resolves: rhbz#1221896 tomcat.service loads /etc/sysconfig/tomcat without shell expansion
- Resolves: rhbz#1208402 Mark web.xml in tomcat-admin-webapps as config file
Tue Mar 24 13:00:00 2015 David Knox - 0:7.0.54-2
- Resolves: CVE-2014-0227
Wed Sep 17 14:00:00 2014 David Knox - 0:7.0.54-1
- Resolves: rhbz#1141372 - Remove systemv artifacts. Add new systemd artifacts. Rebase on 7.0.54.
Wed Jun 18 14:00:00 2014 David Knox - 0:7.0.43-6
- Resolves: CVE-2014-0099
- Resolves: CVE-2014-0096
- Resolves: CVE-2014-0075
Wed Apr 16 14:00:00 2014 David Knox - 0:7.0.42-5
- Related: CVE-2013-4286
- Related: CVE-2013-4322
- Related: CVE-2014-0050
- revisit patches for above.
Thu Mar 20 13:00:00 2014 David Knox - 0:7.0.42-4
- Related: rhbz#1056696 correct packaging for sbin tomcat
Thu Mar 20 13:00:00 2014 David Knox - 0:7.0.42-3
- Related: CVE-2013-4286. increment build number. missed doing it.
- Resolves: rhbz#1038183 remove BR for ant-nodeps. it's no longer used.
Wed Jan 22 13:00:00 2014 David Knox - 0:7.0.42-2
- Resolves: rhbz#1056673 Invocation of useradd with shell other than sbin nologin
- Resolves: rhbz#1056677 preun systemv scriptlet unconditionally stops service
- Resolves: rhbz#1056696 init.d tomcat does not conform to RHEL7 systemd rules. systemv subpackage is removed.
- Resolves: CVE-2013-4286
- Resolves: CVE-2013-4322
- Resolves: CVE-2014-0050
- Built for rhel-7 RC
Tue Jan 21 13:00:00 2014 David Knox - 0:7.0.42-1
- Resolves: rhbz#1051657 update to 7.0.42. Ant-nodeps is deprecated.
Fri Dec 27 13:00:00 2013 Daniel Mach - 07.0.40-3
- Mass rebuild 2013-12-27
Sat May 11 14:00:00 2013 Ivan Afonichev 0:7.0.40-1
- Updated to 7.0.40
- Resolves: rhbz 956569 added missing commons-pool link
Mon Mar 4 13:00:00 2013 Mikolaj Izdebski - 0:7.0.37-2
- Add depmaps for org.eclipse.jetty.orbit
- Resolves: rhbz#917626
Wed Feb 20 13:00:00 2013 Ivan Afonichev 0:7.0.39-1
- Updated to 7.0.39
Wed Feb 20 13:00:00 2013 Ivan Afonichev 0:7.0.37-1
- Updated to 7.0.37
Mon Feb 4 13:00:00 2013 Ivan Afonichev 0:7.0.35-1
- Updated to 7.0.35
- systemd SuccessExitStatus=143 for proper stop exit code processing
Mon Dec 24 13:00:00 2012 Ivan Afonichev 0:7.0.34-1
- Updated to 7.0.34
- ecj >= 4.2.1 now required
- Resolves: rhbz 889395 concat classpath correctly; chdir to $CATALINA_HOME
Fri Dec 7 13:00:00 2012 Ivan Afonichev 0:7.0.33-2
- Resolves: rhbz 883806 refix logdir ownership
Sun Dec 2 13:00:00 2012 Ivan Afonichev 0:7.0.33-1
- Updated to 7.0.33
- Resolves: rhbz 873620 need chkconfig for update-alternatives
Wed Oct 17 14:00:00 2012 Ivan Afonichev 0:7.0.32-1
- Updated to 7.0.32
- Resolves: rhbz 842620 symlinks to taglibs
Fri Aug 24 14:00:00 2012 Ivan Afonichev 0:7.0.29-1
- Updated to 7.0.29
- Add pidfile as tmpfile
- Use systemd for running as unprivileged user
- Resolves: rhbz 847751 upgrade path was broken
- Resolves: rhbz 850343 use new systemd-rpm macros
Sat Jul 21 14:00:00 2012 Fedora Release Engineering - 0:7.0.28-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
Mon Jul 2 14:00:00 2012 Ivan Afonichev 0:7.0.28-1
- Updated to 7.0.28
- Resolves: rhbz 820119 Remove bundled apache-commons-dbcp
- Resolves: rhbz 814900 Added tomcat-coyote POM
- Resolves: rhbz 810775 Remove systemv stuff from %post scriptlet
- Remove redhat-lsb R
Mon Apr 9 14:00:00 2012 Ivan Afonichev 0:7.0.27-2
- Fixed native download hack
Sat Apr 7 14:00:00 2012 Ivan Afonichev 0:7.0.27-1
- Updated to 7.0.27
- Fixed jakarta-taglibs-standard BR and R
Wed Mar 21 13:00:00 2012 Stanislav Ochotnicky - 0:7.0.26-2
- Add more depmaps to J2EE apis to help jetty/glassfish updates
Wed Mar 14 13:00:00 2012 Juan Hernandez 0:7.0.26-2
- Added the POM files for tomcat-api and tomcat-util (#803495)
Wed Feb 22 13:00:00 2012 Ivan Afonichev 0:7.0.26-1
- Updated to 7.0.26
- Bug 790334: Change ownership of logdir for logrotate
Thu Feb 16 13:00:00 2012 Krzysztof Daniel 0:7.0.25-4
- Bug 790694: Priorities of jsp, servlet and el packages updated.
Wed Feb 8 13:00:00 2012 Krzysztof Daniel 0:7.0.25-3
- Dropped indirect dependency to tomcat 5
Sun Jan 22 13:00:00 2012 Ivan Afonichev 0:7.0.25-2
- Added hack for maven depmap of tomcat-juli absolute link [ -f ] pass correctly
Sat Jan 21 13:00:00 2012 Ivan Afonichev 0:7.0.25-1
- Updated to 7.0.25
- Removed EntityResolver patch (changes already in upstream sources)
- Place poms and depmaps in the same package as jars
- Added javax.servlet.descriptor to export-package of servlet-api
- Move several chkconfig actions and reqs to systemv subpackage
- New maven depmaps generation method
- Add patch to support java7. (patch sent upstream).
- Require java >= 1:1.6.0
Fri Jan 13 13:00:00 2012 Krzysztof Daniel 0:7.0.23-5
- Exported javax.servlet.* packages in version 3.0 as 2.6 to make servlet-api compatible with Eclipse.
Thu Jan 12 13:00:00 2012 Ivan Afonichev 0:7.0.23-4
- Move jsvc support to subpackage
Wed Jan 11 13:00:00 2012 Alexander Kurtakov 0:7.0.23-2
- Add EntityResolver setter patch to jasper for jetty's need. (patch sent upstream).
Mon Dec 12 13:00:00 2011 Joseph D. Wagner 0:7.0.23-3
- Added support to /usr/sbin/tomcat-sysd and /usr/sbin/tomcat for
starting tomcat with jsvc, which allows tomcat to perform some
privileged operations (e.g. bind to a port < 1024) and then switch
identity to a non-privileged user. Must add USE_JSVC="true" to
/etc/tomcat/tomcat.conf or /etc/sysconfig/tomcat.
Mon Nov 28 13:00:00 2011 Ivan Afonichev 0:7.0.23-1
- Updated to 7.0.23
Fri Nov 11 13:00:00 2011 Ivan Afonichev 0:7.0.22-2
- Move tomcat-juli.jar to lib package
- Drop %update_maven_depmap as in tomcat6
- Provide native systemd unit file ported from tomcat6
Thu Oct 6 14:00:00 2011 Ivan Afonichev 0:7.0.22-1
- Updated to 7.0.22
Mon Oct 3 14:00:00 2011 Rex Dieter - 0:7.0.21-3.1
- rebuild (java), rel-eng#4932
Mon Sep 26 14:00:00 2011 Ivan Afonichev 0:7.0.21-3
- Fix basedir mode
Tue Sep 20 14:00:00 2011 Roland Grunberg 0:7.0.21-2
- Add manifests for el-api, jasper-el, jasper, tomcat, and tomcat-juli.
Thu Sep 8 14:00:00 2011 Ivan Afonichev 0:7.0.21-1
- Updated to 7.0.21
Mon Aug 15 14:00:00 2011 Ivan Afonichev 0:7.0.20-3
- Require java = 1:1.6.0
Mon Aug 15 14:00:00 2011 Ivan Afonichev 0:7.0.20-2
- Require java < 1.7.0
Mon Aug 15 14:00:00 2011 Ivan Afonichev 0:7.0.20-1
- Updated to 7.0.20
Tue Jul 26 14:00:00 2011 Ivan Afonichev 0:7.0.19-1
- Updated to 7.0.19
Tue Jun 21 14:00:00 2011 Ivan Afonichev 0:7.0.16-1
- Updated to 7.0.16
Mon Jun 6 14:00:00 2011 Ivan Afonichev 0:7.0.14-3
- Added initial systemd service
- Fix some paths
Sat May 21 14:00:00 2011 Ivan Afonichev 0:7.0.14-2
- Fixed http source link
- Securify some permissions
- Added licenses for el-api and servlet-api
- Added dependency on jpackage-utils for the javadoc subpackage
Sat May 14 14:00:00 2011 Ivan Afonichev 0:7.0.14-1
- Updated to 7.0.14
Thu May 5 14:00:00 2011 Ivan Afonichev 0:7.0.12-4
- Provided local paths for libs
- Fixed dependencies
- Fixed update temp/work cleanup
Mon May 2 14:00:00 2011 Ivan Afonichev 0:7.0.12-3
- Fixed package groups
- Fixed some permissions
- Fixed some links
- Removed old tomcat6 crap
Thu Apr 28 14:00:00 2011 Ivan Afonichev 0:7.0.12-2
- Package now named just tomcat instead of tomcat7
- Removed Provides: tomcat-log4j
- Switched to apache-commons-* names instead of jakarta-commons-*.
- Remove the old changelog
- BR/R java >= 1:1.6.0 , same for java-devel
- Removed old tomcat6 crap
Wed Apr 27 14:00:00 2011 Ivan Afonichev 0:7.0.12-1
- Tomcat7