pkgsrc-Changes archive


CVS commit: [pkgsrc-2013Q1] pkgsrc/www/apache-tomcat6



Module Name:    pkgsrc
Committed By:   tron
Date:           Fri May 31 06:17:05 UTC 2013

Modified Files:
        pkgsrc/www/apache-tomcat6 [pkgsrc-2013Q1]: Makefile PLIST distinfo

Log Message:
Pullup ticket #4143 - requested by spz
www/apache-tomcat6: security update

Revisions pulled up:
- www/apache-tomcat6/Makefile                                   1.12
- www/apache-tomcat6/PLIST                                      1.8
- www/apache-tomcat6/distinfo                                   1.9

---
   Module Name: pkgsrc
   Committed By:        spz
   Date:                Sat May 18 15:19:15 UTC 2013

   Modified Files:
        pkgsrc/www/apache-tomcat6: Makefile PLIST distinfo

   Log Message:
   security update:

   Important: Session fixation CVE-2013-2067

   FORM authentication associates the most recent request requiring
   authentication with the current session. By repeatedly sending
   a request for an authenticated resource while the victim is
   completing the login form, an attacker could inject a request
   that would be executed using the victim's credentials.

   Note that the option to change session ID on authentication was
   added in Tomcat 6.0.21. In earlier 6.0.x releases, prevention of
   session fixation was an application responsibility.
   This vulnerability represents a bug in Tomcat's session fixation
   protection that was added in 6.0.21. Hence, only versions 6.0.21
   onwards are listed as vulnerable.

   This was fixed in revision 1417891.

   This issue was identified by the Tomcat security team on
   15 Oct 2012 and made public on 10 May 2013.

   Affects: 6.0.21-6.0.36

   Important: Denial of service CVE-2012-3544

   When processing a request submitted using the chunked transfer
   encoding, Tomcat ignored but did not limit any extensions that
   were included. This allows a client to perform a limited DOS
   by streaming an unlimited amount of data to the server.

   This was fixed in revision 1476592.

   This issue was reported to the Tomcat security team on
   10 November 2011 and made public on 10 May 2013.

   Affects: 6.0.0-6.0.36

   ChangeLog:
   ++++++++++
   Catalina

   fix  52055: Ensure that filters are recycled. (markt/kkolinko)
   fix  52184: Reduce log level for invalid cookies. (markt)
   fix  53481: Added support for SSLHonorCipherOrder to allow the
        server to impose its cipher order on the client. Based on
        a patch provided by Marcel Šebek. (schultz)
   fix  54044: Correct bug in timestamp cache used by logging
        (including the access log valve) that meant entries could
        be made with an earlier timestamp than the true timestamp. (markt)
   fix  In FormAuthenticator: If it is configured to change
        Session IDs, do the change before displaying the login
        form. (kkolinko)
   fix  54054: Do not share shell environment variables between
        multiple instances of the CGI servlet. (markt)
   fix  54087: Correctly handle (ignore) invalid If-Modified-Since
        header rather than throwing an exception. (markt/kkolinko)
   fix  54220: Ensure the ErrorReportValve only generates an error
        report if the error flag on the response has been set. (markt)
   fix  Fix memory leak of servlet instances when running with
        a SecurityManager and either init() or destroy() methods
        fail or the servlet is a SingleThreadModel one, and of
        filter instances if their destroy() method fails with an
        Error. (kkolinko)
   fix  54382: Fix NPE when SSI processing is enabled and an empty
        SSI directive is present. (markt)
   fix  54483: Correct one of the Spanish translations. Based on
        a suggestion from adinamita. (kkolinko)
   update       54527: Synchronize conf/web.xml mime mapping with Tomcat 7. (markt)

   Coyote

   fix  54248: Ensure that byte order marks are swallowed when
        using a Reader to read a request body with a BOM for those
        encodings that require byte order marks. (markt)
   fix  54324: Allow APR connector to disable TLS compression
        if OpenSSL supports it. (schultz)
   fix  54456: Ensure that if a client aborts a request when
        sending a chunked request body that this is communicated
        correctly to the client reading the request body. (markt)
   update       Update the native component of the APR/native connector
        to 1.1.27 and make that version the recommended minimum
        version. (kkolinko)

   Jasper

   fix  54615: Tomcat 6 doesn't build against ecj 4.x (kkolinko)

   Cluster

   fix  54045: Make sure getMembers() returns available member
        when TcpFailureDetector works in static cluster. (kfujino)

   Web applications

   update       22278: Add a commented out sample configuration of
        RemoteAddrValve to META-INF/context.xml files of the
        Manager and Host Manager applications. (kkolinko)
   fix  54080: Clarify documentation for initial value of
        internalProxies attribute of RemoteIpValve. (schultz/kkolinko)
   fix  54198: Clarify that HttpServletResponse.sendError(int)
        results in an HTML response by default. (markt)
   fix  54207: Correct JNDI factory package name in Javadoc for
        org.apache.naming.java.javaURLContextFactory. (markt)

   Other

   update       Add sample Apache Commons Daemon JSVC wrapper script
        bin/daemon.sh that can be used with /etc/init.d. (kkolinko)
   update       In the build configuration: introduce property
        "tomcat.output" that is used to specify location of the
        build output directory. This simplifies configuration if
        someone wants to move the output directory elsewhere
        (e.g. out of the source tree). (kkolinko)
   fix  54390: Use 'java_home' on Mac OS X to auto-detect
        JAVA_HOME. (schultz)
   update       54601: Change catalina.sh to consistently use
        LOGGING_MANAGER variable to configure logging, instead
        of modifying JAVA_OPTS one. (kkolinko)
   update       54890: Update to Apache Commons Daemon 1.0.15. (mturk)


To generate a diff of this commit:
cvs rdiff -u -r1.11 -r1.11.4.1 pkgsrc/www/apache-tomcat6/Makefile
cvs rdiff -u -r1.7 -r1.7.4.1 pkgsrc/www/apache-tomcat6/PLIST
cvs rdiff -u -r1.8 -r1.8.4.1 pkgsrc/www/apache-tomcat6/distinfo

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
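The chunk-extension problem behind CVE-2012-3544 (described in the advisory above), as an added example that is not Tomcat's code and not part of this commit: a toy chunked-body decoder in Python whose pre-fix "ignore but do not limit" behaviour can be selected beside a capped variant. The 8192-byte cap, the constructed sample bodies and every function name here are assumptions made for this example.

```python
"""Toy HTTP/1.1 chunked-body decoder: an added example, not Tomcat code.

Models the CVE-2012-3544 defect: chunk extensions (the ';name=value'
part of a chunk-size line) and trailer lines were consumed and ignored
without any bound, so a client could stream an unlimited amount of data
that the server read and threw away. max_ignored_bytes=None reproduces
that behaviour; an integer cap is the hardened form. The 8192 default is
an assumption chosen for this example.
"""
import io


class ChunkedError(Exception):
    """Malformed or over-limit chunked encoding."""


def _read_byte(stream):
    c = stream.read(1)
    if not c:
        raise ChunkedError("truncated chunked body")
    return c


def _skip_ignored(stream, limit, state):
    """Consume bytes up to and including CRLF, counting them against limit.

    Used for chunk extensions and trailer lines, which are ignored.
    Returns how many bytes preceded the CRLF (0 for an empty line).
    """
    n = 0
    while True:
        c = _read_byte(stream)
        if c == b"\r":
            if _read_byte(stream) != b"\n":
                raise ChunkedError("CR not followed by LF")
            return n
        n += 1
        state["ignored"] += 1
        if limit is not None and state["ignored"] > limit:
            raise ChunkedError("ignored bytes exceed %d" % limit)


def _read_chunk_size(stream, limit, state):
    """Parse 'chunk-size [;chunk-ext] CRLF' and return the size."""
    digits = bytearray()
    while True:
        c = _read_byte(stream)
        if c == b"\r":
            if _read_byte(stream) != b"\n":
                raise ChunkedError("CR not followed by LF")
            break
        if c == b";":
            _skip_ignored(stream, limit, state)  # extension: skipped, but counted
            break
        digits += c
    try:
        return int(bytes(digits).strip(), 16)
    except ValueError:
        raise ChunkedError("bad chunk-size %r" % bytes(digits))


def decode_chunked(stream, max_ignored_bytes=8192):
    """Decode a chunked body; returns (body, count of ignored bytes)."""
    state = {"ignored": 0}
    out = bytearray()
    while True:
        size = _read_chunk_size(stream, max_ignored_bytes, state)
        if size == 0:
            # trailer-part: header lines until an empty line
            while _skip_ignored(stream, max_ignored_bytes, state) != 0:
                pass
            return bytes(out), state["ignored"]
        chunk = stream.read(size)
        if len(chunk) != size:
            raise ChunkedError("truncated chunk data")
        out += chunk
        if _read_byte(stream) != b"\r" or _read_byte(stream) != b"\n":
            raise ChunkedError("missing CRLF after chunk data")


# Constructed sample bodies (not captured traffic).
PLAIN = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
WITH_EXT = b"4;name=value\r\nWiki\r\n0\r\n\r\n"
FLOOD = b"4;" + b"x" * 100000 + b"\r\nWiki\r\n0\r\n\r\n"  # 100000 junk extension bytes


def run_demo():
    """Decode the samples with and without the cap; returns a result dict."""
    results = {
        "plain": decode_chunked(io.BytesIO(PLAIN)),
        "ext": decode_chunked(io.BytesIO(WITH_EXT)),
        # pre-fix behaviour: all 100000 junk bytes are read and discarded
        "flood_unbounded": decode_chunked(io.BytesIO(FLOOD), max_ignored_bytes=None),
    }
    try:
        decode_chunked(io.BytesIO(FLOOD))
        results["flood_bounded"] = "accepted"
    except ChunkedError as e:
        results["flood_bounded"] = str(e)
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

The decoder reads byte by byte on purpose: a line-oriented reader would buffer the whole extension before any limit could be applied, which is the same unbounded consumption in a different place. Trailer lines share the cap because they are skipped by the same path.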
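The saved-request race behind CVE-2013-2067 (described above) and the ChangeLog entry "If it is configured to change Session IDs, do the change before displaying the login form", as an added example that is not Tomcat's code and not part of this commit: a toy FORM authenticator in Python, run through the attack once without and once with the ID change before the login form. The session store, the user, the paths and the attacker's sequence of requests are assumptions made for this example; Tomcat's real FormAuthenticator differs in detail.

```python
"""Toy model of FORM-authentication saved-request replay: an added example,
not Tomcat code. It illustrates CVE-2013-2067: an unauthenticated session
remembers the most recent protected request and replays it after login.
rotate_before_form=False models 6.0.21-6.0.36 (the ID changes only after
a successful login); True models the fix, where the ID also changes
before the login form is shown. Paths, user names and the session store
are assumptions made for this example.
"""
import secrets


class Session:
    def __init__(self):
        self.principal = None       # user name once authenticated
        self.saved_request = None   # (method, path) to replay after login


class FormAuthServer:
    def __init__(self, rotate_before_form):
        self.rotate_before_form = rotate_before_form
        self.sessions = {}          # session id -> Session
        self.executed = []          # (principal, method, path) actually run
        self.users = {"alice": "correct horse"}

    def _lookup(self, sid):
        """Known ids map to their session; anything else gets a fresh one
        under a server-generated id (a client cannot choose its own id)."""
        if sid in self.sessions:
            return self.sessions[sid], sid
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = Session()
        return self.sessions[new_sid], new_sid

    def _change_id(self, sid):
        """Re-key the same session object under a new id; the old id dies."""
        sess = self.sessions.pop(sid)
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = sess
        return new_sid

    def request(self, sid, method, path):
        """Returns (response, session id the client must use from now on)."""
        sess, sid = self._lookup(sid)
        if not path.startswith("/admin/") or sess.principal:
            self.executed.append((sess.principal, method, path))
            return "200 OK", sid
        sess.saved_request = (method, path)       # remembered for replay
        if self.rotate_before_form:
            sid = self._change_id(sid)            # the fix from the ChangeLog
        return "302 -> /login.jsp", sid

    def login(self, sid, user, password):
        sess, sid = self._lookup(sid)
        if self.users.get(user) != password:
            return "401", sid
        sess.principal = user
        sid = self._change_id(sid)   # change-on-authentication, present since 6.0.21
        if sess.saved_request is not None:
            method, path = sess.saved_request
            sess.saved_request = None
            self.executed.append((user, method, path))   # replayed as the user
            return "replayed %s %s" % (method, path), sid
        return "200 OK", sid


def attack(rotate_before_form):
    """Session-fixation race; returns the requests executed as 'alice'."""
    srv = FormAuthServer(rotate_before_form)
    # 1. attacker obtains a valid session id and plants it in the victim's browser
    _, fixated = srv.request(None, "GET", "/index.html")
    # 2. victim, carrying that id, requests a protected page and gets the login form
    _, victim_sid = srv.request(fixated, "GET", "/admin/index.jsp")
    # 3. while she types her password, the attacker sends a destructive request
    #    with the same id, hoping to overwrite the saved request
    srv.request(fixated, "POST", "/admin/users/delete")
    # 4. victim submits valid credentials; the saved request is replayed as her
    srv.login(victim_sid, "alice", "correct horse")
    return [e for e in srv.executed if e[0] == "alice"]


if __name__ == "__main__":
    print("vulnerable:", attack(rotate_before_form=False))
    print("fixed:     ", attack(rotate_before_form=True))
```

Changing the ID only after a successful login (the 6.0.21 behaviour) does not help here, because the attacker's overwrite lands before the login completes; the ID the victim uses while on the login form must already be one the attacker does not know.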



