This is an automated email from the git hooks/post-receive script. apo pushed a commit to branch jessie in repository tomcat8.
commit 168a13c9b05a2d5e7d16b30e2f7a84a9f9306e47 Author: Emmanuel Bourg <[email protected]> Date: Thu Jun 23 00:27:20 2016 +0200 Imported Debian patch 8.0.14-1+deb8u2 --- debian/changelog | 7 ++- debian/patches/CVE-2015-5174.patch | 108 +++++--------------------------- debian/patches/CVE-2015-5345.patch | 122 +++++++++---------------------------- debian/patches/CVE-2015-5346.patch | 58 +++++++----------- debian/patches/CVE-2015-5351.patch | 38 +++--------- debian/patches/CVE-2016-0706.patch | 23 +++---- debian/patches/CVE-2016-0714.patch | 98 +++++++++-------------------- debian/patches/CVE-2016-0763.patch | 26 +++----- debian/patches/CVE-2016-3092.patch | 29 +++++++++ debian/patches/series | 5 +- 10 files changed, 156 insertions(+), 358 deletions(-) diff --git a/debian/changelog b/debian/changelog index b05f5b7..b73673e 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,11 @@ tomcat8 (8.0.14-1+deb8u2) jessie-security; urgency=high * Team upload. + + [ Emmanuel Bourg ] + * Fix CVE-2016-3092: Denial-of-Service vulnerability with file uploads + + [ Markus Koschany ] * Fix CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java allows remote authenticated users to bypass intended SecurityManager restrictions and @@ -43,7 +48,7 @@ tomcat8 (8.0.14-1+deb8u2) jessie-security; urgency=high data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. - -- Markus Koschany <[email protected]> Sun, 29 May 2016 23:11:52 +0200 + -- Emmanuel Bourg <[email protected]> Thu, 23 Jun 2016 00:27:20 +0200 tomcat8 (8.0.14-1+deb8u1) jessie-security; urgency=medium diff --git a/debian/patches/CVE-2015-5174.patch b/debian/patches/CVE-2015-5174.patch index 19ffa3b..5c927a4 100644 --- a/debian/patches/CVE-2015-5174.patch +++ b/debian/patches/CVE-2015-5174.patch 
@@ -1,47 +1,14 @@ -From: Markus Koschany <[email protected]> -Date: Sat, 28 May 2016 01:54:08 +0000 -Subject: CVE-2015-5174 - -Origin: https://svn.apache.org/viewvc?view=revision&revision=1696281 -Origin: https://svn.apache.org/viewvc?view=revision&revision=1700897 ---- - java/org/apache/tomcat/util/http/RequestUtil.java | 45 ++++++---- - .../apache/tomcat/util/http/TestRequestUtil.java | 100 +++++++++++++++++++-- - webapps/docs/changelog.xml | 11 +++ - 3 files changed, 135 insertions(+), 21 deletions(-) - -diff --git a/java/org/apache/tomcat/util/http/RequestUtil.java b/java/org/apache/tomcat/util/http/RequestUtil.java -index ebe4f34..1ee4bca 100644 +Description: Fixes CVE-2015-5174: Directory traversal vulnerability in RequestUtil + allows remote authenticated users to bypass intended SecurityManager restrictions + and list a parent directory via a /.. (slash dot dot) in a pathname used by a + web application in a getResource, getResourceAsStream, or getResourcePaths call, + as demonstrated by the $CATALINA_BASE/webapps directory. +Author: Markus Koschany <[email protected]> +Origin: backport, https://svn.apache.org/r1696281 + https://svn.apache.org/r1700897 --- a/java/org/apache/tomcat/util/http/RequestUtil.java 
+++ b/java/org/apache/tomcat/util/http/RequestUtil.java -@@ -30,6 +30,9 @@ public class RequestUtil { - * try to perform security checks for malicious input. - * - * @param path Relative path to be normalized -+ * -+ * @return The normalized path or <code>null</code> of the path cannot be -+ * normalized - */ - public static String normalize(String path) { - return normalize(path, true); -@@ -44,11 +47,15 @@ public class RequestUtil { - * - * @param path Relative path to be normalized - * @param replaceBackSlash Should '\\' be replaced with '/' -+ * -+ * @return The normalized path or <code>null</code> of the path cannot be -+ * normalized - */ - public static String normalize(String path, boolean replaceBackSlash) { - -- if (path == null) -+ if (path == null) { - return null; -+ } - - // Create a place for the normalized path - String normalized = path; -@@ -56,9 +63,6 @@ public class RequestUtil { +@@ -56,9 +56,6 @@ if (replaceBackSlash && normalized.indexOf('\\') >= 0) normalized = normalized.replace('\\', '/'); 
@@ -51,67 +18,24 @@ index ebe4f34..1ee4bca 100644 // Add a leading "/" if necessary if (!normalized.startsWith("/")) normalized = "/" + normalized; -@@ -66,34 +70,43 @@ public class RequestUtil { - // Resolve occurrences of "//" in the normalized path - while (true) { - int index = normalized.indexOf("//"); -- if (index < 0) -+ if (index < 0) { - break; -- normalized = normalized.substring(0, index) + -- normalized.substring(index + 1); -+ } -+ normalized = normalized.substring(0, index) + normalized.substring(index + 1); +@@ -93,6 +90,14 @@ + normalized.substring(index + 3); } - // Resolve occurrences of "/./" in the normalized path - while (true) { - int index = normalized.indexOf("/./"); -- if (index < 0) -+ if (index < 0) { - break; -- normalized = normalized.substring(0, index) + -- normalized.substring(index + 2); -+ } -+ normalized = normalized.substring(0, index) + normalized.substring(index + 2); - } - - // Resolve occurrences of "/../" in the normalized path - while (true) { - int index = normalized.indexOf("/../"); -- if (index < 0) -+ if (index < 0) { - break; -- if (index == 0) -- return (null); // Trying to go outside our context -+ } -+ if (index == 0) { -+ return null; // Trying to go outside our context -+ } - int index2 = normalized.lastIndexOf('/', index - 1); -- normalized = normalized.substring(0, index2) + -- normalized.substring(index + 3); -+ normalized = normalized.substring(0, index2) + normalized.substring(index + 3); -+ } -+ + if (normalized.equals("/.")) { + return "/"; + } + + if (normalized.equals("/..")) { + return null; // Trying to go outside our context - } - ++ } ++ // Return the normalized path that we have completed -- return (normalized); -+ return normalized; + return (normalized); } - } -diff --git a/test/org/apache/tomcat/util/http/TestRequestUtil.java b/test/org/apache/tomcat/util/http/TestRequestUtil.java -index fe3115f..f50098c 100644 --- a/test/org/apache/tomcat/util/http/TestRequestUtil.java 
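Review bot: The two guards added at the end of `normalize()` in the new `@@ -93,6 +90,14 @@` hunk match only a path that is exactly `/.` or `/..`, and the loop above them only collapses an embedded `/../`, so an input such as `/foo/..` (no trailing slash) is returned unchanged with its dot-dot segment intact. If the backported revisions handle that case by appending a `/` ahead of the loops, this patch is missing that part; if they do not, the `TestRequestUtil` hunk (its body is not shown in this diff) should pin the intended result for `/foo/..` so the pass-through is a documented decision rather than an accident. One guard placed before the `//` loop would cover it: `if (normalized.endsWith("/.") || normalized.endsWith("/..")) { normalized = normalized + "/"; }` — `/foo/..` then collapses to `/` and `/..` still yields `null`, consistent with the existing checks. The body of `normalize()` begins outside this hunk.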
+++ b/test/org/apache/tomcat/util/http/TestRequestUtil.java -@@ -23,11 +23,101 @@ import org.junit.Test; +@@ -23,11 +23,101 @@ public class TestRequestUtil { @Test @@ -218,8 +142,6 @@ index fe3115f..f50098c 100644 + assertEquals(expected,RequestUtil.normalize(input)); + } } -diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml -index a89b75e..f552c88 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -1857,6 +1857,10 @@ diff --git a/debian/patches/CVE-2015-5345.patch b/debian/patches/CVE-2015-5345.patch index dc39b90..32904fe 100644 --- a/debian/patches/CVE-2015-5345.patch +++ b/debian/patches/CVE-2015-5345.patch 
@@ -1,30 +1,13 @@ -From: Markus Koschany <[email protected]> -Date: Sun, 29 May 2016 18:09:44 +0200 -Subject: CVE-2015-5345 - -Origin: https://svn.apache.org/viewvc?view=revision&revision=1715207 -Origin: https://svn.apache.org/viewvc?view=revision&revision=1717209 ---- - java/org/apache/catalina/Context.java | 40 ++++++++++++++ - .../catalina/authenticator/FormAuthenticator.java | 14 +++++ - java/org/apache/catalina/core/StandardContext.java | 35 ++++++++++++ - .../apache/catalina/core/mbeans-descriptors.xml | 8 +++ - java/org/apache/catalina/mapper/Mapper.java | 31 ++++++----- - .../apache/catalina/servlets/DefaultServlet.java | 28 +++++++++- - .../apache/catalina/servlets/WebdavServlet.java | 5 ++ - .../org/apache/catalina/startup/FailedContext.java | 19 ++++++- - test/org/apache/catalina/core/TesterContext.java | 17 ++++++ - .../apache/catalina/mapper/TestMapperWebapps.java | 64 ++++++++++++++++++++++ - .../apache/catalina/startup/TomcatBaseTest.java | 3 +- - webapps/docs/changelog.xml | 15 +++++ - webapps/docs/config/context.xml | 16 ++++++ - 13 files changed, 276 insertions(+), 19 deletions(-) - -diff --git a/java/org/apache/catalina/Context.java b/java/org/apache/catalina/Context.java -index a871b99..84c2a60 100644 +Description: Fixes CVE-2015-5345: The Mapper component in Apache Tomcat processes + redirects before considering security constraints and Filters, which allows + remote attackers to determine the existence of a directory via a URL that lacks + a trailing / (slash) character. +Author: Markus Koschany <[email protected]> +Origin: backport, https://svn.apache.org/r1715207 + https://svn.apache.org/r1717209 --- a/java/org/apache/catalina/Context.java +++ b/java/org/apache/catalina/Context.java -@@ -1674,4 +1674,44 @@ public interface Context extends Container { +@@ -1674,4 +1674,44 @@ * processing cookies using the RFC6265 based cookie parser. */ public Charset getCookieEncodingCharset(); 
@@ -69,11 +52,9 @@ index a871b99..84c2a60 100644 + */ + public boolean getMapperDirectoryRedirectEnabled(); } -diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java -index 57a3cd7..4933d03 100644 --- a/java/org/apache/catalina/authenticator/FormAuthenticator.java +++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java -@@ -241,6 +241,20 @@ public class FormAuthenticator +@@ -241,6 +241,20 @@ // No -- Save this request and redirect to the form login page if (!loginAction) { @@ -94,11 +75,9 @@ index 57a3cd7..4933d03 100644 session = request.getSessionInternal(true); if (log.isDebugEnabled()) { log.debug("Save request in session '" + session.getIdInternal() + "'"); -diff --git a/java/org/apache/catalina/core/StandardContext.java b/java/org/apache/catalina/core/StandardContext.java -index f47dd3f..0615e26 100644 --- a/java/org/apache/catalina/core/StandardContext.java +++ b/java/org/apache/catalina/core/StandardContext.java -@@ -828,9 +828,44 @@ public class StandardContext extends ContainerBase +@@ -828,9 +828,44 @@ private boolean useRfc6265 = false; private Charset cookieEncoding = StandardCharsets.UTF_8; @@ -143,8 +122,6 @@ index f47dd3f..0615e26 100644 @Override public void setUseRfc6265(boolean useRfc6265) { -diff --git a/java/org/apache/catalina/core/mbeans-descriptors.xml b/java/org/apache/catalina/core/mbeans-descriptors.xml -index 64fe285..27847bf 100644 --- a/java/org/apache/catalina/core/mbeans-descriptors.xml +++ b/java/org/apache/catalina/core/mbeans-descriptors.xml @@ -181,6 +181,14 @@ @@ -162,11 +139,9 @@ index 64fe285..27847bf 100644 <attribute name="namingContextListener" description="Associated naming context listener." type="org.apache.catalina.core.NamingContextListener" /> -diff --git a/java/org/apache/catalina/mapper/Mapper.java b/java/org/apache/catalina/mapper/Mapper.java -index a40b257..0c57145 100644 
--- a/java/org/apache/catalina/mapper/Mapper.java +++ b/java/org/apache/catalina/mapper/Mapper.java -@@ -830,20 +830,13 @@ public final class Mapper { +@@ -830,20 +830,13 @@ int pathOffset = path.getOffset(); int pathEnd = path.getEnd(); @@ -189,7 +164,7 @@ index a40b257..0c57145 100644 path.setOffset(servletPath); // Rule 1 -- Exact Match -@@ -878,10 +871,13 @@ public final class Mapper { +@@ -878,8 +871,11 @@ } } @@ -200,12 +175,9 @@ index a40b257..0c57145 100644 + path.append('/'); + pathEnd = path.getEnd(); mappingData.redirectPath.setChars -- (path.getBuffer(), pathOffset, pathEnd-pathOffset); -+ (path.getBuffer(), pathOffset, pathEnd - pathOffset); + (path.getBuffer(), pathOffset, pathEnd-pathOffset); path.setEnd(pathEnd - 1); - return; - } -@@ -996,9 +992,15 @@ public final class Mapper { +@@ -996,9 +992,15 @@ char[] buf = path.getBuffer(); if (contextVersion.resources != null && buf[pathEnd -1 ] != '/') { String pathStr = path.toString(); @@ -224,19 +196,9 @@ index a40b257..0c57145 100644 // Note: this mutates the path: do not do any processing // after this (since we set the redirectPath, there // shouldn't be any) -@@ -1015,7 +1017,6 @@ public final class Mapper { - - path.setOffset(pathOffset); - path.setEnd(pathEnd); -- - } - - -diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java -index cbf65b6..021425c 100644 --- a/java/org/apache/catalina/servlets/DefaultServlet.java +++ b/java/org/apache/catalina/servlets/DefaultServlet.java -@@ -342,6 +342,10 @@ public class DefaultServlet extends HttpServlet { +@@ -342,6 +342,10 @@ * @param request The servlet request we are processing */ protected String getRelativePath(HttpServletRequest request) { 
@@ -247,7 +209,7 @@ index cbf65b6..021425c 100644 // IMPORTANT: DefaultServlet can be mapped to '/' or '/path/*' but always // serves resources from the web app root with context rooted paths. // i.e. it can not be used to mount the web app root under a sub-path -@@ -703,7 +707,8 @@ public class DefaultServlet extends HttpServlet { +@@ -703,7 +707,8 @@ boolean serveContent = content; // Identify the requested resource path @@ -257,7 +219,7 @@ index cbf65b6..021425c 100644 if (debug > 0) { if (serveContent) log("DefaultServlet.serveResource: Serving resource '" + -@@ -713,6 +718,12 @@ public class DefaultServlet extends HttpServlet { +@@ -713,6 +718,12 @@ path + "' headers only"); } @@ -270,7 +232,7 @@ index cbf65b6..021425c 100644 WebResource resource = resources.getResource(path); if (!resource.exists()) { -@@ -827,6 +838,11 @@ public class DefaultServlet extends HttpServlet { +@@ -827,6 +838,11 @@ long contentLength = -1L; if (resource.isDirectory()) { @@ -282,7 +244,7 @@ index cbf65b6..021425c 100644 // Skip directory listings if we have been configured to // suppress them if (!listings) { -@@ -1032,6 +1048,16 @@ public class DefaultServlet extends HttpServlet { +@@ -1032,6 +1048,16 @@ } } @@ -299,11 +261,9 @@ index cbf65b6..021425c 100644 /** * Parse the content-range header. -diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java b/java/org/apache/catalina/servlets/WebdavServlet.java -index 7bccf76..1303d99 100644 --- a/java/org/apache/catalina/servlets/WebdavServlet.java +++ b/java/org/apache/catalina/servlets/WebdavServlet.java -@@ -375,6 +375,11 @@ public class WebdavServlet +@@ -375,6 +375,11 @@ */ @Override protected String getRelativePath(HttpServletRequest request) { 
@@ -315,11 +275,9 @@ index 7bccf76..1303d99 100644 // Are we being processed by a RequestDispatcher.include()? if (request.getAttribute( RequestDispatcher.INCLUDE_REQUEST_URI) != null) { -diff --git a/java/org/apache/catalina/startup/FailedContext.java b/java/org/apache/catalina/startup/FailedContext.java -index 73c6bf4..166ab45 100644 --- a/java/org/apache/catalina/startup/FailedContext.java +++ b/java/org/apache/catalina/startup/FailedContext.java -@@ -771,4 +771,21 @@ public class FailedContext extends LifecycleMBeanBase implements Context { +@@ -771,4 +771,21 @@ @Override public Charset getCookieEncodingCharset() { return StandardCharsets.UTF_8; } @@ -343,11 +301,9 @@ index 73c6bf4..166ab45 100644 + public boolean getMapperDirectoryRedirectEnabled() { return false; } + +} -diff --git a/test/org/apache/catalina/core/TesterContext.java b/test/org/apache/catalina/core/TesterContext.java -index ac4d945..36bfdfe 100644 --- a/test/org/apache/catalina/core/TesterContext.java +++ b/test/org/apache/catalina/core/TesterContext.java -@@ -1238,4 +1238,21 @@ public class TesterContext implements Context { +@@ -1238,4 +1238,21 @@ @Override public Charset getCookieEncodingCharset() { return StandardCharsets.UTF_8; } @@ -369,11 +325,9 @@ index ac4d945..36bfdfe 100644 + public boolean getMapperDirectoryRedirectEnabled() { return false; } + } -diff --git a/test/org/apache/catalina/mapper/TestMapperWebapps.java b/test/org/apache/catalina/mapper/TestMapperWebapps.java -index 9014efd..3778fdf 100644 --- a/test/org/apache/catalina/mapper/TestMapperWebapps.java +++ b/test/org/apache/catalina/mapper/TestMapperWebapps.java -@@ -18,6 +18,7 @@ package org.apache.catalina.mapper; +@@ -18,6 +18,7 @@ import java.io.File; import java.io.IOException; 
@@ -381,7 +335,7 @@ index 9014efd..3778fdf 100644 import java.util.HashMap; import java.util.List; -@@ -33,7 +34,10 @@ import org.apache.catalina.Context; +@@ -33,7 +34,10 @@ import org.apache.catalina.core.StandardContext; import org.apache.catalina.startup.Tomcat; import org.apache.catalina.startup.TomcatBaseTest; @@ -392,7 +346,7 @@ index 9014efd..3778fdf 100644 import org.apache.tomcat.websocket.server.WsContextListener; /** -@@ -226,6 +230,66 @@ public class TestMapperWebapps extends TomcatBaseTest{ +@@ -226,6 +230,66 @@ Assert.assertEquals(HttpServletResponse.SC_NOT_FOUND, rc); } @@ -459,27 +413,11 @@ index 9014efd..3778fdf 100644 /** * Prepare a string to search in messages that contain a timestamp, when it * is known that the timestamp was printed between {@code timeA} and -diff --git a/test/org/apache/catalina/startup/TomcatBaseTest.java b/test/org/apache/catalina/startup/TomcatBaseTest.java -index 2808317..0856ea6 100644 ---- a/test/org/apache/catalina/startup/TomcatBaseTest.java -+++ b/test/org/apache/catalina/startup/TomcatBaseTest.java -@@ -233,8 +233,7 @@ public abstract class TomcatBaseTest extends LoggingBaseTest { - String method) throws IOException { - - URL url = new URL(path); -- HttpURLConnection connection = -- (HttpURLConnection) url.openConnection(); -+ HttpURLConnection connection = (HttpURLConnection) url.openConnection(); - connection.setUseCaches(false); - connection.setReadTimeout(readTimeout); - connection.setRequestMethod(method); -diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml -index a0b4788..02762a0 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml -@@ -188,6 +188,16 @@ - <bug>58809</bug>: Correctly recycle cookies when mapping requests for - parallel deployment. (markt) +@@ -184,6 +184,16 @@ + Reduce duplicated code. All AJP connectors use common method to + configuration of processor. (kfujino) </fix> + <add> + Move the functionality that provides redirects for context roots and 
@@ -494,7 +432,7 @@ index a0b4788..02762a0 100644 </changelog> </subsection> <subsection name="Jasper"> -@@ -279,6 +289,11 @@ +@@ -275,6 +285,11 @@ leak fixes and support for application provided eviction policies. (markt) </fix> @@ -506,8 +444,6 @@ index a0b4788..02762a0 100644 </changelog> </subsection> </section> -diff --git a/webapps/docs/config/context.xml b/webapps/docs/config/context.xml -index 41e66ae..91634f0 100644 --- a/webapps/docs/config/context.xml +++ b/webapps/docs/config/context.xml @@ -367,6 +367,22 @@ diff --git a/debian/patches/CVE-2015-5346.patch b/debian/patches/CVE-2015-5346.patch index 95f08bc..d13aa24 100644 --- a/debian/patches/CVE-2015-5346.patch +++ b/debian/patches/CVE-2015-5346.patch @@ -1,20 +1,14 @@ -From: Markus Koschany <[email protected]> -Date: Sat, 28 May 2016 03:11:58 +0000 -Subject: CVE-2015-5346 - -Origin: https://svn.apache.org/viewvc?view=revision&revision=1713185 -Origin: https://svn.apache.org/viewvc?view=revision&revision=1723506 ---- - .../apache/catalina/connector/CoyoteAdapter.java | 8 ++-- - java/org/apache/catalina/connector/Request.java | 52 ++++++++++++++-------- - webapps/docs/changelog.xml | 8 ++++ - 3 files changed, 46 insertions(+), 22 deletions(-) - -diff --git a/java/org/apache/catalina/connector/CoyoteAdapter.java b/java/org/apache/catalina/connector/CoyoteAdapter.java -index e3ff219..775862d 100644 +Description: Fixes CVE-2015-5346: Session fixation vulnerability in Apache Tomcat + when different session settings are used for deployments of multiple versions + of the same web application, might allow remote attackers to hijack web sessions + by leveraging use of a requestedSessionSSL field for an unintended request, + related to CoyoteAdapter.java and Request.java. +Author: Markus Koschany <[email protected]> +Origin: backport, https://svn.apache.org/r1713185 + https://svn.apache.org/r1723506 --- a/java/org/apache/catalina/connector/CoyoteAdapter.java 
+++ b/java/org/apache/catalina/connector/CoyoteAdapter.java -@@ -941,9 +941,11 @@ public class CoyoteAdapter implements Adapter { +@@ -941,9 +941,11 @@ // Reset mapping request.getMappingData().recycle(); mapRequired = true; @@ -29,11 +23,9 @@ index e3ff219..775862d 100644 } break; } -diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java -index 2d24ba4..55682be 100644 --- a/java/org/apache/catalina/connector/Request.java +++ b/java/org/apache/catalina/connector/Request.java -@@ -287,6 +287,11 @@ public class Request +@@ -287,6 +287,11 @@ */ protected boolean cookiesParsed = false; @@ -45,7 +37,7 @@ index 2d24ba4..55682be 100644 /** * Secure flag. -@@ -461,7 +466,6 @@ public class Request +@@ -461,7 +466,6 @@ parts = null; } partsParseException = null; @@ -53,7 +45,7 @@ index 2d24ba4..55682be 100644 locales.clear(); localesParsed = false; secure = false; -@@ -475,20 +479,9 @@ public class Request +@@ -475,20 +479,9 @@ attributes.clear(); sslAttributesParsed = false; notes.clear(); @@ -76,15 +68,10 @@ index 2d24ba4..55682be 100644 if (Globals.IS_SECURITY_ENABLED || Connector.RECYCLE_FACADES) { parameterMap = new ParameterMap<>(); -@@ -531,11 +524,32 @@ public class Request +@@ -531,6 +524,31 @@ } -- /** -- * Clear cached encoders (to save memory for Comet requests). -- */ -- public boolean read() -- throws IOException { + protected void recycleSessionInfo() { + if (session != null) { + try { @@ -110,17 +97,14 @@ index 2d24ba4..55682be 100644 + } + } + -+ public boolean read() throws IOException { - return (inputBuffer.realReadBytes(null, 0, 0) > 0); - } - -diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml -index f552c88..cb4c914 100644 + /** + * Clear cached encoders (to save memory for Comet requests). + */ --- a/webapps/docs/changelog.xml 
+++ b/webapps/docs/changelog.xml -@@ -184,6 +184,10 @@ - Reduce duplicated code. All AJP connectors use common method to - configuration of processor. (kfujino) +@@ -168,6 +168,10 @@ + <bug>57011</bug>: Ensure that the request and response are correctly + recycled when processing errors during async processing. (markt) </fix> + <fix> + <bug>58809</bug>: Correctly recycle cookies when mapping requests for @@ -128,8 +112,8 @@ index f552c88..cb4c914 100644 + </fix> </changelog> </subsection> - <subsection name="Jasper"> -@@ -318,6 +322,10 @@ + <subsection name="Coyote"> +@@ -333,6 +337,10 @@ page that has the <code>isErrorPage</code> page directive set to <code>true</code>. (markt) </fix> diff --git a/debian/patches/CVE-2015-5351.patch b/debian/patches/CVE-2015-5351.patch index 88b34d0..df65650 100644 --- a/debian/patches/CVE-2015-5351.patch +++ b/debian/patches/CVE-2015-5351.patch @@ -1,24 +1,12 @@ -From: Markus Koschany <[email protected]> -Date: Sat, 28 May 2016 03:13:41 +0000 -Subject: CVE-2015-5351 - -Origin: https://svn.apache.org/viewvc?view=revision&revision=1720658 -Origin: https://svn.apache.org/viewvc?view=revision&revision=1720660 ---- - webapps/docs/changelog.xml | 7 +++++++ - webapps/host-manager/WEB-INF/jsp/401.jsp | 1 + - webapps/host-manager/WEB-INF/jsp/403.jsp | 1 + - webapps/host-manager/WEB-INF/jsp/404.jsp | 3 ++- - webapps/host-manager/index.jsp | 4 ++-- - webapps/manager/WEB-INF/web.xml | 1 - - webapps/manager/index.jsp | 4 ++-- - 7 files changed, 15 insertions(+), 6 deletions(-) - -diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml -index cb4c914..92d5b3c 100644 +Description: Fixes CVE-2015-5351: The Manager and Host Manager applications establish + sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers + to bypass a CSRF protection mechanism by using a token. +Author: Markus Koschany <[email protected]> +Origin: backport, https://svn.apache.org/r1720658 + https://svn.apache.org/r1720660 
--- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml -@@ -326,6 +326,13 @@ +@@ -341,6 +341,13 @@ Handle the unlikely case where different versions of a web application are deployed with different session settings. (markt) </fix> @@ -32,8 +20,6 @@ index cb4c914..92d5b3c 100644 </changelog> </subsection> <subsection name="WebSocket"> -diff --git a/webapps/host-manager/WEB-INF/jsp/401.jsp b/webapps/host-manager/WEB-INF/jsp/401.jsp -index 83c8c6f..047766b 100644 --- a/webapps/host-manager/WEB-INF/jsp/401.jsp +++ b/webapps/host-manager/WEB-INF/jsp/401.jsp @@ -14,6 +14,7 @@ @@ -44,8 +30,6 @@ index 83c8c6f..047766b 100644 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> -diff --git a/webapps/host-manager/WEB-INF/jsp/403.jsp b/webapps/host-manager/WEB-INF/jsp/403.jsp -index 2dbb448..5eff6f0 100644 --- a/webapps/host-manager/WEB-INF/jsp/403.jsp +++ b/webapps/host-manager/WEB-INF/jsp/403.jsp @@ -14,6 +14,7 @@ @@ -56,8 +40,6 @@ index 2dbb448..5eff6f0 100644 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> -diff --git a/webapps/host-manager/WEB-INF/jsp/404.jsp b/webapps/host-manager/WEB-INF/jsp/404.jsp -index d1b5b0b..9816df5 100644 --- a/webapps/host-manager/WEB-INF/jsp/404.jsp +++ b/webapps/host-manager/WEB-INF/jsp/404.jsp @@ -14,7 +14,8 @@ @@ -70,8 +52,6 @@ index d1b5b0b..9816df5 100644 <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01//EN" "http://www.w3.org/TR/html4/strict.dtd"> <html> <head> -diff --git a/webapps/host-manager/index.jsp b/webapps/host-manager/index.jsp -index d4816e5..2806b76 100644 --- a/webapps/host-manager/index.jsp +++ b/webapps/host-manager/index.jsp @@ -14,5 +14,5 @@ 
@@ -84,8 +64,6 @@ index d4816e5..2806b76 100644 +<%@ page session="false" trimDirectiveWhitespaces="true" %> +<% response.sendRedirect(request.getContextPath() + "/html"); %> \ No newline at end of file -diff --git a/webapps/manager/WEB-INF/web.xml b/webapps/manager/WEB-INF/web.xml -index 230199e..ef917e6 100644 --- a/webapps/manager/WEB-INF/web.xml +++ b/webapps/manager/WEB-INF/web.xml @@ -115,7 +115,6 @@ @@ -96,8 +74,6 @@ index 230199e..ef917e6 100644 </filter-mapping> <!-- Define a Security Constraint on this Application --> -diff --git a/webapps/manager/index.jsp b/webapps/manager/index.jsp -index d4816e5..ff4f47b 100644 --- a/webapps/manager/index.jsp +++ b/webapps/manager/index.jsp @@ -14,5 +14,5 @@ diff --git a/debian/patches/CVE-2016-0706.patch b/debian/patches/CVE-2016-0706.patch index 4f497d4..c896c24 100644 --- a/debian/patches/CVE-2016-0706.patch +++ b/debian/patches/CVE-2016-0706.patch @@ -1,15 +1,10 @@ -From: Markus Koschany <[email protected]> -Date: Sat, 28 May 2016 13:15:51 +0000 -Subject: CVE-2016-0706 - -Origin: https://svn.apache.org/viewvc?view=revision&revision=1722800 ---- - java/org/apache/catalina/core/RestrictedServlets.properties | 1 + - webapps/docs/changelog.xml | 4 ++++ - 2 files changed, 5 insertions(+) - -diff --git a/java/org/apache/catalina/core/RestrictedServlets.properties b/java/org/apache/catalina/core/RestrictedServlets.properties -index d336968..cefa249 100644 +Description: Fixes CVE-2016-0706: Apache Tomcat does not place StatusManagerServlet + on the RestrictedServlets.properties list, which allows remote authenticated + users to bypass intended SecurityManager restrictions and read arbitrary HTTP + requests, and consequently discover session ID values, via a crafted web + application. +Author: Markus Koschany <[email protected]> +Origin: backport, https://svn.apache.org/r1722800 --- a/java/org/apache/catalina/core/RestrictedServlets.properties +++ b/java/org/apache/catalina/core/RestrictedServlets.properties 
@@ -16,3 +16,4 @@ @@ -17,11 +12,9 @@ index d336968..cefa249 100644 org.apache.catalina.servlets.CGIServlet=restricted org.apache.catalina.manager.JMXProxyServlet=restricted +org.apache.catalina.manager.StatusManagerServlet=restricted -diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml -index 92d5b3c..f075094 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml -@@ -333,6 +333,10 @@ +@@ -348,6 +348,10 @@ Don't create sessions unnecessarily in the Host Manager application. (markt) </fix> diff --git a/debian/patches/CVE-2016-0714.patch b/debian/patches/CVE-2016-0714.patch index cb5434c..d587408 100644 --- a/debian/patches/CVE-2016-0714.patch +++ b/debian/patches/CVE-2016-0714.patch 
@@ -1,28 +1,13 @@ -From: Markus Koschany <[email protected]> -Date: Sun, 29 May 2016 15:11:37 +0200 -Subject: CVE-2016-0714 - -Origin: https://svn.apache.org/viewvc?view=revision&revision=1726196 -Origin: https://svn.apache.org/viewvc?view=revision&revision=1726203 ---- - .../catalina/ha/session/ClusterManagerBase.java | 3 + - .../catalina/ha/session/mbeans-descriptors.xml | 24 +++ - .../catalina/session/LocalStrings.properties | 2 + - java/org/apache/catalina/session/ManagerBase.java | 172 ++++++++++++++++++++- - .../apache/catalina/session/StandardManager.java | 9 +- - .../apache/catalina/session/mbeans-descriptors.xml | 20 +++ - .../catalina/util/CustomObjectInputStream.java | 89 ++++++++++- - .../apache/catalina/util/LocalStrings.properties | 2 + - webapps/docs/changelog.xml | 8 + - webapps/docs/config/cluster-manager.xml | 71 +++++++++ - webapps/docs/config/manager.xml | 69 +++++++++ - 11 files changed, 463 insertions(+), 6 deletions(-) - -diff --git a/java/org/apache/catalina/ha/session/ClusterManagerBase.java b/java/org/apache/catalina/ha/session/ClusterManagerBase.java -index 8eb284d..ee601a8 100644 +Description: Fixes CVE-2016-0714: The session-persistence implementation mishandles + session attributes, which allows remote authenticated users to bypass intended + SecurityManager restrictions and execute arbitrary code in a privileged context + via a web application that places a crafted object in a session. +Author: Markus Koschany <[email protected]> +Origin: backport, https://svn.apache.org/r1726196 + https://svn.apache.org/r1726203 --- a/java/org/apache/catalina/ha/session/ClusterManagerBase.java 
+++ b/java/org/apache/catalina/ha/session/ClusterManagerBase.java -@@ -196,6 +196,9 @@ public abstract class ClusterManagerBase extends ManagerBase implements ClusterM +@@ -196,6 +196,9 @@ copy.setProcessExpiresFrequency(getProcessExpiresFrequency()); copy.setNotifyListenersOnReplication(isNotifyListenersOnReplication()); copy.setSessionAttributeFilter(getSessionAttributeFilter()); @@ -32,8 +17,6 @@ index 8eb284d..ee601a8 100644 copy.setSecureRandomClass(getSecureRandomClass()); copy.setSecureRandomProvider(getSecureRandomProvider()); copy.setSecureRandomAlgorithm(getSecureRandomAlgorithm()); -diff --git a/java/org/apache/catalina/ha/session/mbeans-descriptors.xml b/java/org/apache/catalina/ha/session/mbeans-descriptors.xml -index 76a689e..feff5cc 100644 --- a/java/org/apache/catalina/ha/session/mbeans-descriptors.xml +++ b/java/org/apache/catalina/ha/session/mbeans-descriptors.xml @@ -309,6 +309,18 @@ @@ -74,11 +57,9 @@ index 76a689e..feff5cc 100644 <operation name="expireSession" description="Expired the given session" -diff --git a/java/org/apache/catalina/session/LocalStrings.properties b/java/org/apache/catalina/session/LocalStrings.properties -index 7b00a4c..67eb04e 100644 --- a/java/org/apache/catalina/session/LocalStrings.properties +++ b/java/org/apache/catalina/session/LocalStrings.properties -@@ -32,6 +32,8 @@ JDBCStore.missingDataSourceName=No valid JNDI name was given. +@@ -32,6 +32,8 @@ JDBCStore.commitSQLException=SQLException committing connection before closing managerBase.container.noop=Managers added to containers other than Contexts will never be used managerBase.createSession.ise=createSession: Too many active sessions 
@@ -87,11 +68,9 @@ index 7b00a4c..67eb04e 100644 managerBase.sessionTimeout=Invalid session timeout setting {0} standardManager.loading=Loading persisted sessions from {0} standardManager.loading.exception=Exception while loading persisted sessions -diff --git a/java/org/apache/catalina/session/ManagerBase.java b/java/org/apache/catalina/session/ManagerBase.java -index b09348a..ada88f1 100644 --- a/java/org/apache/catalina/session/ManagerBase.java +++ b/java/org/apache/catalina/session/ManagerBase.java -@@ -32,10 +32,13 @@ import java.util.List; +@@ -32,10 +32,13 @@ import java.util.Map; import java.util.concurrent.ConcurrentHashMap; import java.util.concurrent.atomic.AtomicLong; @@ -105,7 +84,7 @@ index b09348a..ada88f1 100644 import org.apache.catalina.LifecycleException; import org.apache.catalina.Manager; import org.apache.catalina.Session; -@@ -210,8 +213,57 @@ public abstract class ManagerBase extends LifecycleMBeanBase +@@ -210,8 +213,57 @@ protected final PropertyChangeSupport support = new PropertyChangeSupport(this); @@ -164,7 +143,7 @@ index b09348a..ada88f1 100644 @Override @Deprecated -@@ -220,6 +272,86 @@ public abstract class ManagerBase extends LifecycleMBeanBase +@@ -220,6 +272,86 @@ } @@ -251,7 +230,7 @@ index b09348a..ada88f1 100644 @Override @Deprecated public void setContainer(Container container) { -@@ -839,6 +971,44 @@ public abstract class ManagerBase extends LifecycleMBeanBase +@@ -839,6 +971,44 @@ notifySessionListeners, notifyContainerListeners); } @@ -296,11 +275,9 @@ index b09348a..ada88f1 100644 // ------------------------------------------------------ Protected Methods -diff --git a/java/org/apache/catalina/session/StandardManager.java b/java/org/apache/catalina/session/StandardManager.java -index b1eb80b..a63ae7e 100644 --- a/java/org/apache/catalina/session/StandardManager.java 
+++ b/java/org/apache/catalina/session/StandardManager.java -@@ -208,19 +208,24 @@ public class StandardManager extends ManagerBase { +@@ -208,19 +208,24 @@ BufferedInputStream bis = null; ObjectInputStream ois = null; Loader loader = null; @@ -327,8 +304,6 @@ index b1eb80b..a63ae7e 100644 } else { if (log.isDebugEnabled()) log.debug("Creating standard object input stream"); -diff --git a/java/org/apache/catalina/session/mbeans-descriptors.xml b/java/org/apache/catalina/session/mbeans-descriptors.xml -index 4f9b01e..4edf79b 100644 --- a/java/org/apache/catalina/session/mbeans-descriptors.xml +++ b/java/org/apache/catalina/session/mbeans-descriptors.xml @@ -132,6 +132,15 @@ @@ -365,11 +340,9 @@ index 4f9b01e..4edf79b 100644 <operation name="backgroundProcess" description="Invalidate all sessions that have expired." impact="ACTION" -diff --git a/java/org/apache/catalina/util/CustomObjectInputStream.java b/java/org/apache/catalina/util/CustomObjectInputStream.java -index f63d777..25793e4 100644 --- a/java/org/apache/catalina/util/CustomObjectInputStream.java +++ b/java/org/apache/catalina/util/CustomObjectInputStream.java -@@ -19,9 +19,18 @@ package org.apache.catalina.util; +@@ -19,9 +19,18 @@ import java.io.IOException; import java.io.InputStream; @@ -388,7 +361,7 @@ index f63d777..25793e4 100644 /** * Custom subclass of <code>ObjectInputStream</code> that loads from the -@@ -35,14 +44,26 @@ public final class CustomObjectInputStream +@@ -35,14 +44,26 @@ extends ObjectInputStream { @@ -416,7 +389,7 @@ index f63d777..25793e4 100644 * * @param stream The input stream we will read from * @param classLoader The class loader used to instantiate objects -@@ -53,10 +74,56 @@ public final class CustomObjectInputStream +@@ -53,11 +74,57 @@ ClassLoader classLoader) throws IOException { 
@@ -451,7 +424,6 @@ index f63d777..25793e4 100644 + sm.getString("customObjectInputStream.logRequired")); + } this.classLoader = classLoader; -- } + this.log = log; + this.allowedClassNamePattern = allowedClassNamePattern; + if (allowedClassNamePattern == null) { @@ -460,7 +432,7 @@ index f63d777..25793e4 100644 + this.allowedClassNameFilter = allowedClassNamePattern.toString(); + } + this.warnOnFailure = warnOnFailure; - ++ + Set<String> reportedClasses; + synchronized (reportedClassCache) { + reportedClasses = reportedClassCache.get(classLoader); @@ -470,11 +442,13 @@ index f63d777..25793e4 100644 + } + } + this.reportedClasses = reportedClasses; -+ } + } +- /** * Load the local class equivalent of the specified stream class -@@ -70,8 +137,24 @@ public final class CustomObjectInputStream + * description, by using the class loader assigned to this Context. +@@ -70,8 +137,24 @@ @Override public Class<?> resolveClass(ObjectStreamClass classDesc) throws ClassNotFoundException, IOException { @@ -500,11 +474,9 @@ index f63d777..25793e4 100644 } catch (ClassNotFoundException e) { try { // Try also the superclass because of primitive types -diff --git a/java/org/apache/catalina/util/LocalStrings.properties b/java/org/apache/catalina/util/LocalStrings.properties -index 55dea98..6aeb973 100644 --- a/java/org/apache/catalina/util/LocalStrings.properties +++ b/java/org/apache/catalina/util/LocalStrings.properties -@@ -17,6 +17,8 @@ parameterMap.locked=No modifications are allowed to a locked ParameterMap +@@ -17,6 +17,8 @@ resourceSet.locked=No modifications are allowed to a locked ResourceSet hexUtil.bad=Bad hexadecimal digit hexUtil.odd=Odd number of hexadecimal digits 
@@ -513,11 +485,9 @@ index 55dea98..6aeb973 100644 #Default Messages Utilized by the ExtensionValidator extensionValidator.web-application-manifest=Web Application Manifest extensionValidator.extension-not-found-error=ExtensionValidator[{0}][{1}]: Required extension [{2}] not found. -diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml -index d18692c..a0b4788 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml -@@ -308,6 +308,14 @@ +@@ -323,6 +323,14 @@ Add support for the EECDH alias when using the OpenSSL cipher syntax to define JSSE ciphers. (markt) </add> @@ -532,19 +502,9 @@ index d18692c..a0b4788 100644 </changelog> </subsection> <subsection name="Jasper"> -diff --git a/webapps/docs/config/cluster-manager.xml b/webapps/docs/config/cluster-manager.xml -index 377884a..4958a39 100644 --- a/webapps/docs/config/cluster-manager.xml +++ b/webapps/docs/config/cluster-manager.xml -@@ -97,6 +97,7 @@ - varied by a servlet via the - <code>setMaxInactiveInterval</code> method of the <code>HttpSession</code> object.</p> - </attribute> -+ - <attribute name="sessionIdLength" required="false"> - <p>The length of session ids created by this Manager, measured in bytes, - excluding subsequent conversion to a hexadecimal string and -@@ -182,6 +183,30 @@ +@@ -182,6 +182,30 @@ effective only when <code>sendAllSessions</code> is <code>false</code>. Default is <code>2000</code> milliseconds. </attribute> @@ -575,7 +535,7 @@ index 377884a..4958a39 100644 <attribute name="stateTimestampDrop" required="false"> When this node sends a <code>GET_ALL_SESSIONS</code> message to other node, all session messages that are received as a response are queued. -@@ -193,6 +218,17 @@ +@@ -193,6 +217,17 @@ If set to <code>false</code>, all queued session messages are handled. Default is <code>true</code>. </attribute> 
@@ -593,7 +553,7 @@ index 377884a..4958a39 100644 </attributes> </subsection> <subsection name="org.apache.catalina.ha.session.BackupManager Attributes"> -@@ -216,6 +252,30 @@ +@@ -216,6 +251,30 @@ another map. Default value is <code>15000</code> milliseconds. </attribute> @@ -624,7 +584,7 @@ index 377884a..4958a39 100644 <attribute name="terminateOnStartFailure" required="false"> Set to true if you wish to terminate replication map when replication map fails to start. If replication map is terminated, associated context -@@ -223,6 +283,17 @@ +@@ -223,6 +282,17 @@ does not end. It will try to join the map membership in the heartbeat. Default value is <code>false</code> . </attribute> @@ -642,8 +602,6 @@ index 377884a..4958a39 100644 </attributes> </subsection> </section> -diff --git a/webapps/docs/config/manager.xml b/webapps/docs/config/manager.xml -index 3ab728b..3726fe5 100644 --- a/webapps/docs/config/manager.xml +++ b/webapps/docs/config/manager.xml @@ -175,6 +175,40 @@ diff --git a/debian/patches/CVE-2016-0763.patch b/debian/patches/CVE-2016-0763.patch index 1e8e34e..39f5785 100644 --- a/debian/patches/CVE-2016-0763.patch +++ b/debian/patches/CVE-2016-0763.patch 
@@ -1,18 +1,14 @@ -From: Markus Koschany <[email protected]> -Date: Sat, 28 May 2016 15:46:37 +0200 -Subject: CVE-2016-0763 - -Origin: https://svn.apache.org/viewvc?view=revision&revision=1725929 ---- - java/org/apache/naming/factory/ResourceLinkFactory.java | 5 +++++ - webapps/docs/changelog.xml | 4 ++++ - 2 files changed, 9 insertions(+) - -diff --git a/java/org/apache/naming/factory/ResourceLinkFactory.java b/java/org/apache/naming/factory/ResourceLinkFactory.java -index 808192c..8a43e74 100644 +Description: Fixes CVE-2016-0763: The setGlobalContext method in ResourceLinkFactory + in Apache Tomcat does not consider whether ResourceLinkFactory.setGlobalContext + callers are authorized, which allows remote authenticated users to bypass intended + SecurityManager restrictions and read or write to arbitrary application data, + or cause a denial of service (application disruption), via a web application + that sets a crafted global context. +Author: Markus Koschany <[email protected]> +Origin: backport, https://svn.apache.org/r1725929 --- a/java/org/apache/naming/factory/ResourceLinkFactory.java +++ b/java/org/apache/naming/factory/ResourceLinkFactory.java -@@ -60,6 +60,11 @@ public class ResourceLinkFactory +@@ -60,6 +60,11 @@ * @param newGlobalContext new global context value */ public static void setGlobalContext(Context newGlobalContext) { @@ -24,11 +20,9 @@ index 808192c..8a43e74 100644 globalContext = newGlobalContext; } -diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml -index f075094..d18692c 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml -@@ -337,6 +337,10 @@ +@@ -360,6 +360,10 @@ Add the <code>StatusManagerServlet</code> to the list of Servlets that can only be loaded by privileged applications. (markt) </fix> diff --git a/debian/patches/CVE-2016-3092.patch b/debian/patches/CVE-2016-3092.patch new file mode 100644 index 0000000..09f88c1 --- /dev/null +++ b/debian/patches/CVE-2016-3092.patch 
@@ -0,0 +1,29 @@
+Description: Fixes CVE-2016-3092: Denial-of-Service vulnerability
+Origin: backport, https://svn.apache.org/r1743480
+--- a/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
++++ b/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
+@@ -289,11 +289,6 @@
+ throw new IllegalArgumentException("boundary may not be null");
+ }
+ 
+- this.input = input;
+- this.bufSize = bufSize;
+- this.buffer = new byte[bufSize];
+- this.notifier = pNotifier;
+-
+ // We prepend CR/LF to the boundary to chop trailing CR/LF from
+ // body-data tokens.
+ this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
+@@ -301,6 +296,12 @@
+ throw new IllegalArgumentException(
+ "The buffer size specified for the MultipartStream is too small");
+ }
++
++ this.input = input;
++ this.bufSize = Math.max(bufSize, boundaryLength*2);
++ this.buffer = new byte[this.bufSize];
++ this.notifier = pNotifier;
++
+ this.boundary = new byte[this.boundaryLength];
+ this.keepRegion = this.boundary.length;
+ 
diff --git a/debian/patches/series b/debian/patches/series
index 3b86510..d69cdee 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,9 +14,10 @@
 #0020-disable-java8-support-with-jdtcompiler.patch
 CVE-2014-7810.patch
 CVE-2015-5174.patch
+CVE-2015-5345.patch
 CVE-2015-5346.patch
 CVE-2015-5351.patch
 CVE-2016-0706.patch
-CVE-2016-0763.patch
 CVE-2016-0714.patch
-CVE-2015-5345.patch
+CVE-2016-0763.patch
+CVE-2016-3092.patch
-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits
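Review bot: The added `this.bufSize = Math.max(bufSize, boundaryLength*2);` silently raises a caller-supplied buffer size with no comment saying why twice the boundary length is the floor, and it now sits right after the "buffer size ... too small" throw whose condition is in context outside the hunk, so a maintainer adjusting either limit later has nothing tying the two together. I would put a comment above the assignment such as `// Never allocate less than two boundary lengths; presumably a smaller buffer cannot hold a full boundary plus look-ahead and the parser can stall on crafted input (CVE-2016-3092)` — hedged, since the exact failure mode is not visible in this patch. The DEP-3 header is also thinner than the sibling patches rewritten in this commit: `Description:` is the bare phrase "Denial-of-Service vulnerability" and there is no `Author:` line, so a one-sentence summary of the triggering condition would help whoever audits the series later. The MultipartStream constructor begins and ends outside the inner hunks.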

