Changelog for
tomcat6-webapps-6.0.32-42.1.noarch.rpm :
* Tue Aug 27 2013 lijewski.stefanAATTgmail.com- tomcat-CVE-2013-2067.patch (bnc#831117)- tomcat-CVE-2012-3544.patch (bnc#831119)- use chown --no-dereference to prevent symlink attacks on log (bnc#822177#c7/prevents CVE-2013-1976)
* Tue Jan 08 2013 lijewski.stefanAATTgmail.com- fix bnc#794548 - denial of service (CVE-2012-4534)
* apache-tomcat-CVE-2012-4534.patch fixes apache#53138, apache#52858 http://svn.apache.org/viewvc?view=rev&rev=1372035- fix a minor issue in apache-tomcat-CVE-2012-4431.patch use the already initialized session variable instead of an another call req.getSesssion()
* Wed Dec 19 2012 lijewski.stefanAATTgmail.com- fix bnc#793394 - bypass of security constraints (CVE-2012-3546)
* apache-tomcat-CVE-2012-3546.patch http://svn.apache.org/viewvc?view=revision&revision=1381035- fix bnc#793391 - bypass of CSRF prevention filter (CVE-2012-4431)
* apache-tomcat-CVE-2012-4431.patch http://svn.apache.org/viewvc?view=revision&revision=1394456- document how to protect against slowloris DoS (CVE-2012-5568/bnc#791679) in README.SUSE- fixes bnc#791423 - cnonce tracking weakness (CVE-2012-5885) bnc#791424 - authentication caching weakness (CVE-2012-5886) bnc#791426 - stale nonce weakness (CVE-2012-5887)
* apache-tomcat-CVE-2009-2693-CVE-2009-2901-CVE-2009-2902.patch http://svn.apache.org/viewvc?view=revision&revision=1380829- fix bnc#789406 - HTTP NIO connector OOM DoS via a request with large headers (CVE-2012-2733)
* http://svn.apache.org/viewvc?view=revision&revision=1356208
* Mon Feb 06 2012 mvyskocilAATTsuse.cz- fix bnc#742477 - iManager throws exception in its basic functionalities
* http://svn.apache.org/viewvc?view=revision&revision=1206324
* http://svn.apache.org/viewvc?view=revision&revision=1229027- fix bnc#735343 - VUL-1: tomcat: Multiple weaknesses in HTTP DIGEST
* http://svn.apache.org/viewvc?view=revision&revision=1158180 fixes CVE-2011-5062, CVE-2011-5063, CVE-2011-5064 and CVE-2011-1184- fix bnc#743055 - VUL-1: CVE-2011-3375: tomcat: information disclosure due to improper response and request object recycling
* Thu Jan 05 2012 mvyskocilAATTsuse.cz- fix bnc#727543 - VUL-0: Apache tomcat vulnerable to hash collision attack backport upstream changes:
* add getCharset method for B2Converter http://svn.apache.org/viewvc?view=revision&revision=1140904
* add isConfigProblemFatal method http://svn.apache.org/viewvc?view=revision&revision=1199122
* GET POST parameter processing performance. Adds maximum number of parameters per request (defaults to 10000) and new FailedRequestFilter for rejecting requests with excessive number of parameters http://svn.apache.org/viewvc?view=revision&revision=1200601- fix bnc#712784 - tomcat6: add missing Requires on java >= 1.6.0
* add recommends on java >= 1.6.0 and java-devel >= 1.6.0
* Thu Sep 15 2011 mvyskocilAATTsuse.cz- fix bnc#715991 - VUL-0: tomcat authentication bypass and information disclosure (CVE-2011-3190)
* http://svn.apache.org/viewvc?view=revision&revision=1162959
* Mon Aug 15 2011 mvyskocilAATTsuse.cz- fix bnc#706404 - VUL-0: tomcat user password information leak (CVE-2011-2204)
* http://svn.apache.org/viewvc?view=revision&revision=1140071- fix bnc#706382 - VUL-0: tomcat information leak and DoS (CVE-2011-2526)
* http://svn.apache.org/viewvc?view=revision&revision=1146703- fix bnc#702289 - suse manager pam ldap authentication fails
* source CATALINA_HOME/bin/setenv.sh if exists
* Fri Feb 11 2011 mvyskocilAATTsuse.cz- update to latest upstream version 6.0.32 (bugfix release)- obsolete CVE-2010-4172 patch- fixes bnc#669897 (CVE-2010-3718), bnc#669926 (CVE-2010-4476), bnc#669928 (CVE-2011-0013) and bnc#669930 (CVE-2011-0534)
* Thu Dec 09 2010 mvyskocilAATTsuse.cz- fix bnc#655440#c14 - clean workdir of tomcat\'s webapps to be sure our fixed jsps will be redeployed on each update
* Thu Nov 25 2010 mvyskocilAATTsuse.cz- fix bnc#655440 - VUL-0: tomcat6: Apache Tomcat Manager application XSS vulnerability (CVE-2010-4172) http://svn.apache.org/viewvc?view=revision&revision=1037779- fix bnc#653586 - spacewalk 1.2 requires jasper 5.5
* add offline jasper compiler /usr/bin/jspc- unpack tarball to apache-tomcat-$VERSION-src directory directly
* Tue Nov 02 2010 mvyskocilAATTsuse.cz- Fix bnc#650130 - Update of tomcat6 not possible (cpio: Is a directory)
* workaround the rpm bug - it cannot update directory to symlink
* make /etc/tomcat6/Catalina/ as ghost file
* create link in %posttrans
* Tue Sep 14 2010 mvyskocilAATTsuse.cz- Update to 6.0.29 (bugfix release)- fix bnc#625415: Tomcat6 does not have permissions to its own directories
* also fix the /etc/tomcat6/Catalina link target- revert a setclasspath.sh changes- disable user/group verification of tomcat owned files and directories to allow easy change of the tomcat user without rpm --verify complaints
* Thu Jul 15 2010 mvyskocilAATTsuse.cz- Update to 6.0.28 (bugfix release)- fix bnc#565901 - missing catalina.sh again
* move catalina.sh to CATALINA_HOME/bin
* add jpackage.org compatible CATALINA_HOME/bin/setclasspath.sh- add missing logrotate requires- install scripts with mode 0755
* Wed Feb 03 2010 mvyskocilAATTsuse.cz- Update to 6.0.24 (bugfix release). This obsoletes patch
* tomcat6-bug47316.patch- Merged with tomcat6-6.0.18-10.jpp6.src.rpm
* return the jpackage.org license header in spec
* polish in spec (use more macros)
* add logrotate support
* add patch to document webapps in %%{_sysconfdir}/%%{name}/tomcat-users.xml
* move %%{_bindir}/d%%{name} to %%{_sbindir}/%%{name} and provide symlink to %%{_sbindir}/d%%{name}
* add digest and tool-wrapper scripts
* explicitly unset CLASSPATH
* explicitly set OPT_JAR_LIST to include ant/ant-trax
* build and install sample webapp
* use copy instead of move to fix short-circuit install build
* version jsp and servlet Provides with their spec versions
* make initscript LSB-complaint
* add el subpackage
* Tue Jan 05 2010 mvyskocilAATTsuse.cz- fixed bnc#565901 - missing catalina.sh
* added catalina.sh (link from dtomcat6) to improve upstream compatibility
* Wed Sep 30 2009 mvyskocilAATTsuse.cz- fixed bnc#542634: Tomcat NPE on start applied patch from upstream bugzilla https://issues.apache.org/bugzilla/show_bug.cgi?id=47316#c3
* Wed Aug 26 2009 mvyskocilAATTsuse.cz- fixed bnc#520532: marked all webapp/ROOT/
* files as config(noreplace)- marked /etc/ant.d/catalina-ant as config(noreplace)
* Mon Jun 15 2009 mvyskocilAATTsuse.cz- added a missing -p1 for %patch0
* Wed Jun 03 2009 mvyskocilAATTsuse.cz- fixed bnc#488061: work directory clean on tomcat stop- update to 6.0.20 - the bugfix release:
* MemoryUserDatabase is read-only by default
* Allow huge request body packets for AJP13
* Never return an empty HTTP status reason phrase
* Prevent double initialisation of JSPs
* A node should ignore its own heartbeat messages
* Prettry error messages (instead of stacktrace) if shutdown port is disabled
* Mon Mar 16 2009 mvyskocilAATTsuse.cz- fixed bnc#418664 - Tomcat6 installation has missing bits - added /etc/ant.d/catalina-ant- another fix for bnc#471639 - tomcat does not start/work
* merged a sysconfig and tomcat6.conf to allow a dtomcat6 start works
* also fixs (bnc#471639)- fixed bnc#424675 - Access rights to /etc/tomcat6 directory not set right
* create a link from /etc/tomcat6/Catalina to /var/cache/tomcat6/Catalina- removed a CATALINA_OPTS from stop in dtcomcat6 (bao#42951)